The Key Protection Module (KPM) provides a secure infrastructure for managing cryptographic keys.
KPM consists of two primary layers:
- Key Orchestration Layer (KOL): Written in Go, this layer provides gRPC services for key management and high-level orchestration.
- Key Custody Core (KCC): Written in Rust, this layer handles sensitive cryptographic operations and key storage in protected memory. It uses BoringSSL (via bssl-crypto) for underlying cryptography.
The Go layer communicates with the Rust layer via FFI (Foreign Function Interface) using CGO.
- key_protection_service/: Implements the KPS gRPC service and its corresponding KCC FFI bindings.
- workload_service/: Implements the Workload gRPC service and its corresponding KCC FFI bindings.
- km_common/: Shared Rust library containing protobuf definitions, cryptographic wrappers, and protected memory management.
- third_party/bssl-crypto/: A Rust wrapper for BoringSSL, providing safe cryptographic primitives.
- boringssl/: Submodule containing the BoringSSL source code.
- Go 1.24+
- Rust 2024 edition
- cbindgen (for generating FFI headers)
- bindgen-cli (ensure $HOME/.cargo/bin is in your PATH)
- cmake (for building BoringSSL)
- buf (for Go protobuf generation)
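A preflight check for the prerequisites listed above, run from the repository root before the build steps. This is an added example, not part of the project: the function names are hypothetical, and it assumes that bindgen-cli installs a binary named bindgen and that the Rust 2024 edition needs rustc 1.85 or newer.

```shell
#!/bin/sh
# Preflight check for the KPM build prerequisites (added example, hypothetical names).

# version_ge A B: succeeds when dotted version A >= B, compared field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# path_contains DIR PATHSTRING: succeeds when DIR is an exact entry of PATHSTRING.
path_contains() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `git submodule status` output on stdin and prints the paths of
# submodules that were never initialized (git marks those lines with "-").
uninitialized_submodules() {
    awk '/^-/ { print $2 }'
}

preflight() {
    rc=0
    for tool in go cargo cbindgen bindgen cmake buf; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; rc=1; }
    done
    if command -v go >/dev/null 2>&1; then
        gover=$(go env GOVERSION | sed 's/^go//')
        version_ge "$gover" 1.24 || { echo "Go $gover is older than 1.24" >&2; rc=1; }
    fi
    if command -v rustc >/dev/null 2>&1; then
        rsver=$(rustc --version | awk '{ print $2 }')
        # Assumption: the 2024 edition needs rustc 1.85 or newer.
        version_ge "$rsver" 1.85 || { echo "rustc $rsver is older than 1.85" >&2; rc=1; }
    fi
    path_contains "$HOME/.cargo/bin" "$PATH" || { echo "\$HOME/.cargo/bin not in PATH" >&2; rc=1; }
    missing=$(git submodule status --recursive 2>/dev/null | uninitialized_submodules)
    [ -z "$missing" ] || { echo "uninitialized submodules: $missing" >&2; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Saved under any file name and invoked with `--check`, it exits non-zero and names each missing or outdated prerequisite on stderr.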
The build process involves generating protobuf code, FFI headers, building the Rust libraries, and then building/testing the Go services.
- Generate Protobuf Code:
  - Go:
    ./gen_keymanager.sh
  - Rust: Handled automatically during cargo build via prost-build.
- Generate FFI Headers:
  ./generate_ffi_headers.sh
- Build Rust Workspace:
  cargo build --release --workspace
- Build Go Binaries:
  # Make sure that the Rust library paths are correctly configured for CGO.
  go build ./...
To build the complete Key Protection Module (including both Rust and Go layers) as a Docker container, run:
docker build -t key-protection-module .
- Go: Follow standard Go idioms and go fmt.
- Rust: Follow standard Rust idioms and cargo fmt.
- Go Tests:
  go test ./...
  go test -tags=integration ./...
- Rust Tests:
  cargo test
To make a new contribution, please follow these steps:
- Fork the repository on GitHub.
- Clone your forked repository with submodules:
git clone --recurse-submodules <your-forked-repository-url>
- Create a new branch for your changes:
git checkout -b your-feature-branch
- Make your changes and ensure tests pass.
- Commit your changes with a descriptive message.
- Push your branch and open a Pull Request.
Please ensure all source files include the appropriate copyright and license headers. See docs/contributing.md for more details.