sortedcord/bootstrap-auth-server
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3c55888ca1619b2ed48ffd829784424b07f979bd
bootstrap-auth-server/README.md
Aditya Gupta 33538537a6
All checks were successful
Deployment Pipeline / deploy (push) Successful in 4m38s
Details
docs: Updated Readme
2026-06-25 16:14:16 +05:30

120 lines
6.4 KiB
Markdown
Raw Blame History

# Bootstrap Authentication - Asymmetric Crypto (RSA) Auth & E2E Secrets
## Introduction
This project is a centralized authentication and secrets provisioning server. It is designed to allow arbitrary client machines to securely request access and retrieve sensitive environment variables or secrets during their initialization phase. It relies on strict cryptographic verification using Ed25519 asymmetric keys to ensure that only explicitly authorized clients receive secrets.
By utilizing modern encryption protocols, this system provides a highly secure mechanism to bootstrap new servers, workstations, or deployment targets without ever transmitting plain text secrets over the network or storing them insecurely.
## Architecture and Cryptography
The system uses a completely zero trust model for secret delivery. The server holds a master key that encrypts all secrets at rest within a local SQLite database using the AES 256 GCM authenticated encryption algorithm.
When a new client machine requests access to the secrets, it generates a local Ed25519 key pair and submits its public key to the server. To prevent unauthorized access, an administrator or an already approved device must cryptographically sign this new public key to authorize the new device.
Once the device is approved, the new client must prove it actually possesses the private key it claimed to own by signing a random challenge nonce generated by the server. Only after this verification succeeds does the server retrieve the encrypted secrets from the database. The server decrypts them in memory, and then immediately encrypts them again. This second encryption is performed using the age encryption protocol, specifically targeting the approved client public key.
This strict protocol guarantees that even if the network transport is entirely compromised, the payload remains mathematically inaccessible to anyone except the exact client device that generated the initial request.
## Deployment and Configuration
The server requires minimal setup. It compiles to a single binary and utilizes SQLite for its persistent storage, eliminating the need for complex database infrastructure.
The application is configured using standard environment variables:
* `SERVER_MASTER_KEY` : A highly secure string used to derive the AES encryption key. This is required for encrypting and decrypting the database secrets.
* `DATABASE_URL` : The connection string for the SQLite database. Defaults to a local file named data.db.
* SERVER_PORT : The network port the Axum server will listen on. Defaults to 3000.
## Initial Secrets Provisioning
When the server starts, it automatically looks for a file named secrets.json in the current working directory. If this file is found, the server parses the key and value pairs, encrypts the values securely using the master key, and stores them persistently in the database.
After successful ingestion, the server renames the file to secrets.json.bak. This automatic cleanup prevents accidental plain text exposure and ensures the secrets are not ingested multiple times.
## Application Programming Interface Endpoints
The server exposes three primary endpoints for the device registration lifecycle.
### POST `/api/register`
Clients send their system hostname, operating system details, and their Ed25519 public key in standard Secure Shell format to the registration endpoint. The server registers the device in a pending state and generates a short user code along with a secure challenge nonce.
**Request Payload:**
A JSON object containing:
* `hostname` (string)
* `os` (string)
* `public_key` (string)
**Response Payload:**
A JSON object containing:
* `user_code` (string)
* `challenge_nonce` (string)
* `expires_in` (integer representing seconds)
### POST `/api/approve`
An administrator submits the user code along with a cryptographic signature. This signature must be the pending device public key signed by the administrator private key. The server verifies this signature against known approved devices to authorize the new client.
**Request Payload:**
A JSON object containing:
* `user_code` (string)
* `approver_public_key_fingerprint` (string)
* `signature` (base64 encoded string)
**Response Payload:**
A JSON string confirming approval.
### POST `/api/challenge/poll`
The pending client polls the server with their user code and a signature of the challenge nonce. This proves the client actually possesses the private key corresponding to their submitted public key. If the device has been approved, the server returns the secrets encrypted via the age protocol for that specific client. If the device is still pending, the server responds with an appropriate status code indicating the client should continue waiting.
**Request Payload:**
A JSON object containing:
* `user_code` (string)
* `signature` (base64 encoded string of the challenge nonce signature)
**Response Payload:**
A JSON object containing:
* `encrypted_secrets` (base64 encoded string containing the age encrypted payload)
## Authentication Sequence
The complete cryptographic handshake and provisioning flow is illustrated below:
```mermaid
sequenceDiagram
autonumber
participant C as New Client
participant S as Authentication Server
participant DB as SQLite Database
participant A as Administrator Device
Note over C: Generates Ed25519 Key Pair
C->>S: POST /api/register (Public Key, System Info)
S->>DB: Insert pending device record
S-->>C: Returns User Code and Challenge Nonce
Note over C, A: Out of band communication
C->>A: Displays User Code and Public Key Fingerprint
Note over A: Signs New Client Public Key
A->>S: POST /api/approve (User Code, Cryptographic Signature)
S->>DB: Validates Administrator Key
S->>S: Verifies Signature mathematically
S->>DB: Updates pending device to approved status
S-->>A: Acknowledges approval
loop Polling mechanism
Note over C: Signs Challenge Nonce
C->>S: POST /api/challenge/poll (User Code, Nonce Signature)
S->>S: Verifies Client Signature mathematically
S->>DB: Checks approval status
end
S->>DB: Retrieves AES encrypted secrets
S->>S: Decrypts secrets in memory using Master Key
S->>S: Encrypts secrets using age protocol for Client Public Key
S->>DB: Purges pending request record
S-->>C: Returns age encrypted payload
Note over C: Decrypts payload using local Private Key
```
Reference in New Issue View Git Blame Copy Permalink