VMware has ended active development of this project, this repository will no longer be updated.

virtual-security-module

Overview

VSM (Virtual Security Module) helps organizations to keep secrets (e.g. credentials) secure and manage their lifecycle.

Following is a list of high-level capabilities:

• Secure Storage of Secrets - Each secret is encrypted using a generated encryption key which is not persisted anywhere. Instead, the encryption key is broken into pieces and each piece is kept in a different location potentially owned by a different person. An attacker has to penetrate into enough locations in order to reconstruct an encryption key. Furthermore, the attacker would have to break into enough locations simultaneously due to continuous share rotation.
• Multi-tenancy & Authorization - Different secrets can reside in different namespaces, where each namespace might be owned and/or accessible by different organizations or users. Namespaces are hierarchical for easy management and quick revocation. Authorization is controlled through policies.
• Secret Lifecycle Management - A secret is either handed off to the system to be kept securely, or is generated by the system (and kept securely) based on a client request. A secret can be read and used, updated if needed, auto-rotate in some cases and eventually destroyed – either automatically due to expiration or revoked based on a client request.
• Auditing - Access and configuration modifications are audited. The auditing engine is pluggable through an audit adapter. The Level of audit is controlled through policies.
• Auto-rotating secrets - A secret can be created dynamically based on a client request. An example is a short-lived AWS access token, that is automatically being refreshed periodically. This relieves the client from generating and refreshing such a secret while maximizing security through short-lived tokens and centralized auditing. Multiple types of secrets, like certificates and cloud access keys, are supported.
• AuthN - Pluggable authentication is supported through an abstraction of an identity provider and support for multiple authentication protocols.
• Client-side library - a library to help protect the authentication credentials required to connect to the VSM server itself is provided.
• High-Availability & Scale-Out - the server can be configured as a cluster for high-availability and scale-out.
• RESTful API and documentation - the server's API is RESTful and its documentation is generated and browsable through integration with Swagger.
• Command-line client tool - for easy interaction with the server

Getting Started

Prerequisites

• To run: none
• To build: Golang 1.7+ (https://golang.org/doc/install)
• To generate RESTful API docs: go-swagger (https://github.com/go-swagger/go-swagger)

Clone Repo

Under your Go workspace ($GOPATH) create a src/github.com/vmware directory: Then cd into src/github.com/vmware and clone your forked repo.:

git clone https://github.com/$yourusername/virtual-security-module

First Build

cd into virtual-security-module. Before your first build fetch dependencies by running:

make install-deps

Build

make

Test

make test

From here, just follow the HOWTO.

Documentation

The HOWTO describes how to accomplish some common tasks.

Community

Slack: Join VSM's community here: VMware {code}, Channel: #vsm.

Contributing

The virtual-security-module project team welcomes contributions from the community. Before you start working with virtual-security-module, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md.

License

Virtual Security Module is licensed under the BSD-2 license.