id | title | custom_edit_url |
---|---|---|
secure_storage |
Secure Storage |
Secure storage provides a secure, persistent data store for sensitive data in the blockchain. Examples of sensitive data here include information required for safety and identity, such as cryptographic keys and consensus safety rules, as well as run-time configuration data.
For a design overview of secure storage, including the APIs, error types and policies, refer to the secure storage specification: [TODO(joshlind): publish the secure storage spec!]
This crate defines the secure storage API, made up of two separate Rust traits (interfaces):
KVStorage
: The KVStorage trait offers a key-value storage abstraction (e.g., to get and set key-value pairs).CryptoStorage
: The CryptoStorage trait offers a cryptographic-key based storage abstraction for Ed25519 keys (e.g., key creation, rotation and signing).
This crate provides four different secure storage implementations, each of which implements
both KVStorage
and CryptoStorage
:
Github
: The Github secure storage implementation provides a storage backend using a Github repository.Vault
: The Vault secure storage implementation uses the Vault Storage Engine (an engine offered by HashiCorp: https://www.vaultproject.io/). The Vault secure storage implementation is the one primarily used in production environments by nodes in the blockchain.InMemory
: The InMemory secure storage implementation provides a simple in-memory storage engine. This engine should only be used for testing, as it does not offer any persistence, or security (i.e., data is simply held in DRAM and may be lost on a crash, or restart).OnDisk
: Similar to InMemory, the OnDisk secure storage implementation provides another useful testing implementation: an on-disk storage engine, where the storage backend is implemented using a single file written to local disk. In a similar fashion to the in-memory storage, on-disk should not be used in production environments as it provides no security guarantees (e.g., encryption before writing to disk). Moreover, OnDisk storage does not currently support concurrent data accesses.
In addition, this crate also offers a Namespaced
wrapper around secure storage
implementations. Using the Namespaced wrapper, different entities can share the
same secure storage instance, under different namespaces, providing an abstraction that
each entity has its own secure storage backend.
secure/storage/
├── github # Contains the secure storage implementation based on Github.
├── src # Contains the definitions for secure storage (e.g., API and error types),
as well as lightweight implementations for testing (e.g in-memory and on-disk).
|── src/tests # Contains the testsuite for all secure storage implementations.
├── vault # Contains the secure storage implementation based on Vault, including the client
add fuzzing helper functions.