signstar_crypto/secret_file/
admin.rs

1//! Reading and writing of administrative secrets.
2
3use std::num::NonZeroUsize;
4
5use serde::{Deserialize, Serialize};
6
7/// The default number of shares for [Shamir's Secret Sharing] (SSS).
8///
9/// [Shamir's Secret Sharing]: https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing
10const SSS_DEFAULT_NUMBER_OF_SHARES: NonZeroUsize =
11    NonZeroUsize::new(6).expect("6 is larger than 0");
12
13/// The default number of shares required for decrypting secrets encrypted using [Shamir's Secret
14/// Sharing] (SSS).
15///
16/// [Shamir's Secret Sharing]: https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing
17const SSS_DEFAULT_THRESHOLD: NonZeroUsize = NonZeroUsize::new(3).expect("3 is larger than 0");
18
19/// The handling of administrative secrets.
20///
21/// Administrative secrets may be handled in different ways (e.g. persistent or non-persistent).
22#[derive(Clone, Copy, Debug, Deserialize, Eq, Ord, PartialEq, PartialOrd, Serialize)]
23#[serde(rename_all = "kebab-case")]
24pub enum AdministrativeSecretHandling {
25    /// The administrative secrets are handled in a plaintext file in a non-volatile directory.
26    ///
27    /// ## Warning
28    ///
29    /// This variant should only be used in non-production test setups, as it implies the
30    /// persistence of unencrypted administrative secrets on a file system.
31    Plaintext,
32
33    /// The administrative secrets are handled in a file encrypted using [systemd-creds(1)] in a
34    /// non-volatile directory.
35    ///
36    /// ## Warning
37    ///
38    /// This variant should only be used in non-production test setups, as it implies the
39    /// persistence of (host-specific) encrypted administrative secrets on a file system, that
40    /// could be extracted if the host is compromised.
41    ///
42    /// [systemd-creds(1)]: https://man.archlinux.org/man/systemd-creds.1
43    SystemdCreds,
44
45    /// The administrative secrets are handled using [Shamir's Secret Sharing] (SSS).
46    ///
47    /// This variant is the default for production use, as the administrative secrets are only ever
48    /// exposed on a volatile filesystem for the time of their use.
49    /// The secrets are only made available to the system as shares of a shared secret, split using
50    /// SSS.
51    /// This way no holder of a share is aware of the administrative secrets and the system only
52    /// for as long as it needs to use the administrative secrets.
53    ///
54    /// [Shamir's Secret Sharing]: https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing
55    ShamirsSecretSharing {
56        /// The number of shares used to encrypt the shared secret.
57        number_of_shares: NonZeroUsize,
58
59        /// The number of shares (see `number_of_shares`) required to decrypt the shared secret.
60        threshold: NonZeroUsize,
61    },
62}
63
64impl Default for AdministrativeSecretHandling {
65    fn default() -> Self {
66        Self::ShamirsSecretSharing {
67            number_of_shares: SSS_DEFAULT_NUMBER_OF_SHARES,
68            threshold: SSS_DEFAULT_THRESHOLD,
69        }
70    }
71}