Convert Figma logo to code with AI

square logokeywhiz

A system for distributing and managing secrets

2,621
217
2,621
46
View on GitHub

Top Related Projects

hashicorp's avatar

vault

31,032

A tool for secrets management, encryption as a service, and privileged access management

bitnami-labs's avatar

sealed-secrets

7,621

A Kubernetes controller and tool for one-way encrypted Secrets

getsops's avatar

sops

16,722

Simple and flexible tool for managing secrets

Quick Overview

Keywhiz is a system for managing and distributing secrets, such as API keys, certificates, and database credentials. It provides a secure and centralized way to store sensitive information, allowing authorized clients to retrieve secrets as needed. Keywhiz is designed to work in distributed environments and integrates with various authentication systems.

Pros

  • Centralized secret management: Simplifies the process of storing and distributing secrets across multiple applications and services
  • Fine-grained access control: Allows for detailed permissions and access policies for different users and applications
  • Auditing and versioning: Provides a comprehensive audit trail and version history for all secrets
  • Integration with existing systems: Supports various authentication methods and can be integrated with existing infrastructure

Cons

  • Complexity: May require significant setup and configuration, especially for smaller organizations or projects
  • Single point of failure: If not properly configured with high availability, it could become a bottleneck or vulnerability
  • Learning curve: Requires understanding of the system's concepts and architecture for effective implementation
  • Limited language support: While it provides a REST API, native client libraries are only available for a few programming languages

Getting Started

To get started with Keywhiz, follow these steps:

  1. Clone the repository:

    git clone https://github.com/square/keywhiz.git

  2. Build the project:

    cd keywhiz
./mvnw install

  3. Generate a development configuration:

    java -jar server/target/keywhiz-server-*-SNAPSHOT-shaded.jar migrate development.yaml

  4. Start the server:

    java -jar server/target/keywhiz-server-*-SNAPSHOT-shaded.jar server development.yaml

  5. Access the Keywhiz UI at https://localhost:4444 (note: you'll need to set up SSL certificates for proper functionality)

For more detailed instructions and production deployment guidelines, refer to the project's documentation on GitHub.

Competitor Comparisons

hashicorp logo

vault

31,032

A tool for secrets management, encryption as a service, and privileged access management

Pros of Vault

  • More extensive feature set, including dynamic secrets and identity-based access control
  • Broader ecosystem with numerous integrations and plugins
  • Active development and frequent updates

Cons of Vault

  • More complex setup and configuration
  • Steeper learning curve for new users
  • Higher resource consumption for small-scale deployments

Code Comparison

Keywhiz (Java):

KeywhizClient client = KeywhizClient.builder()
    .withBaseUrl("https://keywhiz-server:4444")
    .build();

Secret secret = client.getSingleSecret("database/password");
String password = secret.getSecret();

Vault (Go):

client, err := vault.NewClient(vault.DefaultConfig())
secret, err := client.Logical().Read("secret/database/password")
password := secret.Data["password"].(string)

Both Keywhiz and Vault provide secure secret management, but they differ in scope and implementation. Keywhiz focuses on simplicity and ease of use for basic secret storage, while Vault offers a more comprehensive suite of features for complex secret management scenarios. The code examples demonstrate the basic usage for retrieving secrets, with Vault requiring slightly more setup but offering more flexibility in secret organization and access.

bitnami-labs logo

sealed-secrets

7,621

A Kubernetes controller and tool for one-way encrypted Secrets

Pros of Sealed Secrets

  • Designed specifically for Kubernetes, integrating seamlessly with existing workflows
  • Encrypts secrets client-side, allowing safe storage in version control
  • Lightweight and easy to set up, requiring minimal infrastructure changes

Cons of Sealed Secrets

  • Limited to Kubernetes environments, less versatile for non-K8s use cases
  • Lacks advanced features like secret rotation and access auditing
  • Requires manual secret sealing process, which can be cumbersome for large-scale deployments

Code Comparison

Sealed Secrets (encrypting a secret):

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    password: AgBy8hCi3...

Keywhiz (retrieving a secret):

KeywhizClient client = KeywhizClient.builder()
    .withBaseUrl("https://keywhiz-server.com:4444")
    .build();
Secret secret = client.getSingleSecret("database-password");

Both Sealed Secrets and Keywhiz aim to solve the problem of securely managing sensitive information, but they take different approaches. Sealed Secrets is tightly integrated with Kubernetes and focuses on encrypting secrets for safe storage in version control. Keywhiz, on the other hand, provides a more comprehensive secret management solution with features like access control and secret rotation, but requires more setup and infrastructure. The choice between the two depends on the specific needs of the project and the existing environment.

getsops logo

sops

16,722

Simple and flexible tool for managing secrets

Pros of sops

  • Simpler setup and usage, with no need for a separate server
  • Supports multiple cloud providers and key management systems
  • Can encrypt entire files, including YAML and JSON structures

Cons of sops

  • Lacks fine-grained access control features
  • No built-in audit logging capabilities
  • May require more manual key management

Code Comparison

sops:

myapp:
    db:
        user: ENC[AES256_GCM,data:...] 
        password: ENC[AES256_GCM,data:...]

Keywhiz:

SecretContent secret = client.getSecretContent("database/credentials");
String password = new String(secret.content());

Key Differences

  • sops encrypts secrets directly in configuration files, while Keywhiz stores secrets separately and provides an API for retrieval
  • Keywhiz offers more advanced features like versioning and access controls, but requires a dedicated server
  • sops is more lightweight and easier to integrate into existing workflows, especially for smaller projects
  • Keywhiz provides better auditability and is more suitable for large-scale enterprise environments

Both tools aim to solve the problem of secret management, but they take different approaches. The choice between them depends on specific project requirements, team size, and infrastructure complexity.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Deprecated

As of 9/18/23 this project is now deprecated and no longer maintained; we recommend using HashiCorp Vault as a more robust and actively supported alternative.

Keywhiz

license maven build

Keywhiz is a system for distributing and managing secrets. For more information, see the website.

Our Protecting infrastructure secrets with Keywhiz blog post is worth reading, as it provides some useful context.

Develop

Keywhiz requires Java 11 and MySQL 5.7 or higher.

See CONTRIBUTING for details on submitting patches.

Build Keywhiz:

mvn install

Run Keywhiz:

java -jar server/target/keywhiz-server-*-shaded.jar [COMMAND] [OPTIONS]

Useful commands to get started are migrate, add-user and server. Use with --help for a list of all available commands. Use with [COMMAND] --help to get help on a particular command.

For example, to run Keywhiz with a mysql database in development mode:

SERVER_JAR="server/target/keywhiz-server-*-shaded.jar"
KEYWHIZ_CONFIG="server/target/classes/keywhiz-development.yaml"

# Initialize dev database
java -jar $SERVER_JAR migrate $KEYWHIZ_CONFIG

# Add an administrative user
java -jar $SERVER_JAR add-user $KEYWHIZ_CONFIG

# Run server
java -jar $SERVER_JAR server $KEYWHIZ_CONFIG

To connect to a running Keywhiz instance, you will need to use the CLI.

An example helper shell script that wraps the keywhiz-cli and sets some default parameters:

#!/bin/sh

# Set the path to a compiled, shaded keywhiz-cli JAR file
KEYWHIZ_CLI_JAR="/path/to/keywhiz-cli-shaded.jar"
KEYWHIZ_SERVER_URL="https://$(hostname):4444"

# Use these flags if you want to specify a non-standard CA trust store.
# Alternatively, in development and testing specify the --devTrustStore 
# flag to use the default truststore (DO NOT use this in production, as
# the truststore is checked into Keywhiz' code).
TRUSTSTORE="-Djavax.net.ssl.trustStore=/path/to/ca-bundle.jceks"
TRUSTTYPE="-Djavax.net.ssl.trustStoreType=JCEKS"

java "$TRUSTSTORE" "$TRUSTTYPE" -jar "$KEYWHIZ_CLI_JAR" -U "$KEYWHIZ_SERVER_URL" "$@"

Keywhiz uses jOOQ to talk to its database.

If you made changes to the database model and want to regenerate sources:

mvn install -pl model/ -Pgenerate-jooq-sources

We recommend IntelliJ IDEA for development.

IntelliJ IDEA

To enable auto-completion, code navigation, etc., open the keywhiz repository in IDEA, right click pom.xml in the repository root, and select "Add as Maven Project".

Clients & API

Square also maintains a Keywhiz client implementation called Keysync.

Docker

We ship a Dockerfile for building a Docker container for Keywhiz. Please see the Dockerfile for extra instructions.

License

Keywhiz is under the Apache 2.0 license. See the LICENSE file for details.