1. API层面会兼容Vault服务的API吗？
2. 是否有类似于Vault kuberentes helm\kubernetes sidecar的项目，方便用户在实际环境中安全的集成和使用RustyVault?

@InfoHunter ，

对于架构设计的几个想法：

1. Surface 可以改为 Interface 层，接口层是比较通用的说法，容易被多数人理解
2. 提供 REST API 接口，需要有个 Daemon 存在于应用中，这个 Module 中需要画出来，当然将来也可以提供各种 PRC 调用的接口
3. 对于 Mega 项目，需要有一个 crate 的封装进行调用，不提供 endpoint 给开发者使用
4. 对于 Configuration Parese 是 HTTP Daemon 和 CLI 的基本功能，不必在 Interface 层表示
5. 建议为 RustyValut 提供一个 CLI 的接口，方便被其它项目集成

这里涉及到一个需要明确的问题：

RustyValut 是一个应用还是一个库？ 如果是一个应用，那么内部功能需要封装成 crate 给上层管理层级调用

The mlock system call family can prevent memory pages from being swapped out to disk or other long term storage. In case an adversary has the opportunity to get access to the long term storage, he or she can investigate the pages and may dig out the sensitive data in it. Using mlock can make the sensitive data in short-term memory only and this makes it more difficult for the adversary to get access to the memory pages and even so, the adversary usually has no adequate time to get the investigation done.

Currently, only local file storage is supported, and you need to support etcd storage

整体

• 2023.10月份发布 MVP 版本（PoC）
  • 单一对称加密算法和数字签名算法的支持
  • AuthN & AuthZ 基础能力
  • 用户密钥分组基础能力
  • Rest API 基础能力
  • 使用 DISK 存储密钥
  • 密钥轮转
• 2023.11月份发布 0.9 版本（基础功能）
  • 底层密码库默认使用 rust-crypto
  • PKI 功能
  • CLI 功能
  • 配置热加载
• 2023.12月份发布 1.0 版本
  • 底层密码库切换到 Tongsuo
  • 支持 ETCD 存储密钥
  • 模块热加载
  • HA 基础能力

细分

RustyVault Core

• Module Manager：2023.09
• Crypto Engine
  • rust-crypto：2023.09
  • Tongsuo：2023.10
• Storage Engine
  • Disk：2023.09
  • ETCD：2023.10

RustyVault Modules

• 核心模块（PKI、User Management、Crypto、AuthN & AuthZ）：2023.10
• 其他模块（HA、……）：2023.12

RustyVault Surface

• Rest API：2023.11
• CLI：2023.11

Modern compiler doesn't guarantee all code is executed as expected. For instance, zeroizing a piece of memory could be omitted due to optimization purpose by compilers. This will cause problems in security oriented applications like RustyVault. The sensitive data in RustyVault, for instance the encryption key for barrier usage, should be zeroized after they are dropped.

A crate called zeroize can do this job well: https://docs.rs/zeroize/1.4.0/zeroize/index.html

The ACL feature is not yet supported and needs to be supported

报错信息如下：

error[E0599]: no method named `tag_length` found for struct `RefMut<'_, CipherCtx>` in the current scope
   --> src/storage/barrier_aes_gcm.rs:249:35
    |
249 |         let tag_size = cipher_ctx.tag_length();
    |                                   ^^^^^^^^^^ help: there is a method with a similar name: `set_tag_length`

error[E0599]: no method named `tag_length` found for struct `RefMut<'_, CipherCtx>` in the current scope
   --> src/storage/barrier_aes_gcm.rs:290:35
    |
290 |         let tag_size = cipher_ctx.tag_length();
    |                                   ^^^^^^^^^^ help: there is a method with a similar name: `set_tag_length`

For more information about this error, try `rustc --explain E0599`.
error: could not compile `rusty_vault` due to 2 previous errors

环境版本：

rustc 1.69.0 (84c898d65 2023-04-16)

Cargo.lock中，openssl的版本是：

155 [[package]]
156 name = "openssl"
157 version = "0.10.59"
158 source = "registry+https://github.com/rust-lang/crates.io-index"
159 checksum = "7a257ad03cd8fb16ad4172fedf8094451e1af1c4b70097636ef2eac9a5f0cc33"

测试过1.72版本的rust，也是同样的报错。

The PKI module needs to support the generation of intermediate CA certificate

Currently, the CA of the PKI module only supports import, and needs to support the generation of root CA certificate

Currently, only root_token is supported, and new tokens need to be issued by password login

如题，通过增加 rust-toolchain 文件指定工具链版本，以及通过 rustfmt.toml 提供代码风格检查。这样可以帮助其他开发者快速上手项目。

rust-toolchain 示例：

nightly-2022-12-15

rustfmt.toml 示例：

edition = "2021"

condense_wildcard_suffixes = true
group_imports = "StdExternalCrate"
imports_granularity = "Crate"
license_template_path = "etc/license.template"
newline_style = "Unix"
reorder_imports = true
report_fixme = "Unnumbered"
trailing_comma = "Vertical"
use_field_init_shorthand = true
use_small_heuristics = "Max"
merge_derives = false
comment_width = 120

In order to make RustyVault better, we decided to build a separate documentation site for RustyVault alone to display and maintain the documentation. The documentation site will be maintained in a separate /docs directory and can be run independently.

TODO

• build site
• CI pipeline
• Page Preview
• i18n
• logo design