Valv is an open-source Key Management System (KMS) built for modern cloud environments. It is heavily inspired by Google Cloud KMS and Google's internal Keystore.
- Automatic key rotation (default 30-day schedule, configurable)
- Encryption of data-encryption-keys (DEKs) using key-encryption-keys (KEKs)
- Compatible with Google Cloud KMS protobuf
- Secure storage of KEKs using FoundationDB
Valv's Keystore is designed to encrypt millions of data-encryption-keys (DEKs) using a much smaller number of key-encryption-keys (KEKs). The KEKs are wrapped using the Root Keystore master key and stored in a highly available FoundationDB cluster.
- Creation and management of cryptographic keys
- Encryption and decryption operations
- Automatic key rotation (default 30-day schedule, configurable)
- Access control and auditing
- Each active end-user has one KEK, kept in two versions so that it can be rotated
- KEKs are wrapped by the Root Keystore master key before being persisted
- Keystore data is stored and replicated using FoundationDB across all Keystore instances globally
- Active backup for disaster recovery
- By default, keys are automatically rotated every 30 days, but this schedule can be customized
Valv's KMS is designed to be compatible with popular cloud KMS protocols, with a focus on modern cloud environments. While the specific protocol for compatibility has not been finalized, Google Cloud KMS is a strong contender due to its alignment with the Google Cloud Envelope Encryption whitepaper, which inspired Valv's design.
A Google KMS compatibility layer can be found in the `examples/google-kms` directory, showcasing potential integration with Google Cloud KMS protobuf. However, please note that the final protocol choice is still under consideration.
For detailed API usage, refer to the documentation in the respective compatibility layer directories.
- Rust (latest stable version)
- FoundationDB (for storage)
1. Clone the repository:

   ```sh
   git clone https://github.com/molnett/valv.git --recurse-submodules
   cd valv
   ```

2. Build the project:

   ```sh
   cargo build --release
   ```

3. Run the server:

   ```sh
   ./target/release/valv
   ```

By default, the server will listen on `0.0.0.0:50051`. You can customize this by setting the `VALV_ADDR` environment variable:

```sh
VALV_ADDR=127.0.0.1:8080 ./target/release/valv
```
Valv includes a comprehensive suite of conformance tests to ensure compatibility with the Google Cloud KMS API. These tests are located in `crates/valv/src/tests.rs`.

To run the test suite:

1. Ensure you have Rust and FoundationDB installed.

2. Run:

   ```sh
   cargo test --all
   ```

   or

   ```sh
   make test
   ```
The conformance tests cover the following areas:
- CryptoKey operations (creation, retrieval, listing, and updating)
- Encryption and decryption
- CryptoKeyVersion operations (creation, retrieval, listing, and destruction)
- Key rotation and state transitions
- Pagination for listing operations
- Error cases and edge conditions
For more detailed output during test execution, use:

```sh
cargo test -- --nocapture
```
This will display log messages and assertions as the tests run, providing more insight into the test process and any potential issues.
While Valv aims to provide a comprehensive KMS solution, some features are still under development:
- Full implementation of all Google Cloud KMS API methods
- Advanced access control and IAM integration
- Multi-region replication with FoundationDB
- Hardware Security Module (HSM) integration
- Key import and export functionality
- Advanced FoundationDB optimizations for high-throughput scenarios
We're actively working on these features and welcome contributions from the community.
We welcome contributions to Valv! Please see our Contributing Guide for more details.
Valv is open-source software licensed under the Apache License 2.0. See the LICENSE file for more details.
Valv is maintained by Molnett.com. For any questions or support, please open an issue on this repository or contact us through our website.