...
@@ -16,28 +16,34 @@ Note: Database-at-rest encryption flags in the test harness are unrelated to AGE
|
|||||||
|
|
||||||
## Quick start
|
## Quick start
|
||||||
|
|
||||||
Assuming the server is running on localhost on some PORT:
|
Assuming the server is running on localhost on some $PORT:
|
||||||
|
```bash
|
||||||
|
~/code/git.ourworld.tf/herocode/herodb/herodb/build.sh
|
||||||
|
~/code/git.ourworld.tf/herocode/herodb/target/release/herodb --dir /tmp/data --debug --$PORT 6381 --encryption-key 1234 --encrypt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
export PORT=6381
|
||||||
# Generate an ephemeral keypair and encrypt/decrypt a message (stateless mode)
|
# Generate an ephemeral keypair and encrypt/decrypt a message (stateless mode)
|
||||||
redis-cli -p PORT AGE GENENC
|
redis-cli -p $PORT AGE GENENC
|
||||||
# → returns an array: [recipient, identity]
|
# → returns an array: [recipient, identity]
|
||||||
|
|
||||||
redis-cli -p PORT AGE ENCRYPT <recipient> "hello world"
|
redis-cli -p $PORT AGE ENCRYPT <recipient> "hello world"
|
||||||
# → returns ciphertext (base64 in a bulk string)
|
# → returns ciphertext (base64 in a bulk string)
|
||||||
|
|
||||||
redis-cli -p PORT AGE DECRYPT <identity> <ciphertext_b64>
|
redis-cli -p $PORT AGE DECRYPT <identity> <ciphertext_b64>
|
||||||
# → returns "hello world"
|
# → returns "hello world"
|
||||||
```
|
```
|
||||||
|
|
||||||
For key‑managed mode, generate a named key once and reference it by name afterwards:
|
For key‑managed mode, generate a named key once and reference it by name afterwards:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
redis-cli -p PORT AGE KEYGEN app1
|
redis-cli -p $PORT AGE KEYGEN app1
|
||||||
# → persists encryption keypair under name "app1"
|
# → persists encryption keypair under name "app1"
|
||||||
|
|
||||||
redis-cli -p PORT AGE ENCRYPTNAME app1 "hello"
|
redis-cli -p $PORT AGE ENCRYPTNAME app1 "hello"
|
||||||
redis-cli -p PORT AGE DECRYPTNAME app1 <ciphertext_b64>
|
redis-cli -p $PORT AGE DECRYPTNAME app1 <ciphertext_b64>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Stateless AGE (ephemeral)
|
## Stateless AGE (ephemeral)
|
||||||
@@ -54,18 +60,18 @@ Commands and examples
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Generate an ephemeral encryption keypair
|
# Generate an ephemeral encryption keypair
|
||||||
redis-cli -p PORT AGE GENENC
|
redis-cli -p $PORT AGE GENENC
|
||||||
# Example output (abridged):
|
# Example output (abridged):
|
||||||
# 1) "age1qz..." # recipient (public key) = can be used by others e.g. to verify what I sign
|
# 1) "age1qz..." # recipient (public key) = can be used by others e.g. to verify what I sign
|
||||||
# 2) "AGE-SECRET-KEY-1..." # identity (secret) = is like my private, cannot lose this one
|
# 2) "AGE-SECRET-KEY-1..." # identity (secret) = is like my private, cannot lose this one
|
||||||
|
|
||||||
# Encrypt with the recipient public key
|
# Encrypt with the recipient public key
|
||||||
redis-cli -p PORT AGE ENCRYPT "age1qz..." "hello world"
|
redis-cli -p $PORT AGE ENCRYPT "age1qz..." "hello world"
|
||||||
|
|
||||||
# → returns bulk string payload: base64 ciphertext (encrypted content)
|
# → returns bulk string payload: base64 ciphertext (encrypted content)
|
||||||
|
|
||||||
# Decrypt with the identity (secret) in other words your private key
|
# Decrypt with the identity (secret) in other words your private key
|
||||||
redis-cli -p PORT AGE DECRYPT "AGE-SECRET-KEY-1..." "<ciphertext_b64>"
|
redis-cli -p $PORT AGE DECRYPT "AGE-SECRET-KEY-1..." "<ciphertext_b64>"
|
||||||
# → "hello world"
|
# → "hello world"
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -76,17 +82,17 @@ redis-cli -p PORT AGE DECRYPT "AGE-SECRET-KEY-1..." "<ciphertext_b64>"
|
|||||||
```bash
|
```bash
|
||||||
|
|
||||||
# Generate an ephemeral signing keypair
|
# Generate an ephemeral signing keypair
|
||||||
redis-cli -p PORT AGE GENSIGN
|
redis-cli -p $PORT AGE GENSIGN
|
||||||
# Example output:
|
# Example output:
|
||||||
# 1) "<verify_pub_b64>"
|
# 1) "<verify_pub_b64>"
|
||||||
# 2) "<sign_secret_b64>"
|
# 2) "<sign_secret_b64>"
|
||||||
|
|
||||||
# Sign a message with the secret
|
# Sign a message with the secret
|
||||||
redis-cli -p PORT AGE SIGN "<sign_secret_b64>" "msg"
|
redis-cli -p $PORT AGE SIGN "<sign_secret_b64>" "msg"
|
||||||
# → returns "<signature_b64>"
|
# → returns "<signature_b64>"
|
||||||
|
|
||||||
# Verify with the public key
|
# Verify with the public key
|
||||||
redis-cli -p PORT AGE VERIFY "<verify_pub_b64>" "msg" "<signature_b64>"
|
redis-cli -p $PORT AGE VERIFY "<verify_pub_b64>" "msg" "<signature_b64>"
|
||||||
# → 1 (valid) or 0 (invalid)
|
# → 1 (valid) or 0 (invalid)
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -110,15 +116,17 @@ Commands and examples
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Create/persist a named encryption keypair
|
# Create/persist a named encryption keypair
|
||||||
redis-cli -p PORT AGE KEYGEN app1
|
redis-cli -p $PORT AGE KEYGEN app1
|
||||||
# → returns [recipient, identity] but also stores them under name "app1"
|
# → returns [recipient, identity] but also stores them under name "app1"
|
||||||
|
|
||||||
|
> TODO: should not return identity (security, but there can be separate function to export it e.g. AGE EXPORTKEY app1)
|
||||||
|
|
||||||
# Encrypt using the stored public key
|
# Encrypt using the stored public key
|
||||||
redis-cli -p PORT AGE ENCRYPTNAME app1 "hello"
|
redis-cli -p $PORT AGE ENCRYPTNAME app1 "hello"
|
||||||
# → returns bulk string payload: base64 ciphertext
|
# → returns bulk string payload: base64 ciphertext
|
||||||
|
|
||||||
# Decrypt using the stored secret
|
# Decrypt using the stored secret
|
||||||
redis-cli -p PORT AGE DECRYPTNAME app1 "<ciphertext_b64>"
|
redis-cli -p $PORT AGE DECRYPTNAME app1 "<ciphertext_b64>"
|
||||||
# → "hello"
|
# → "hello"
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -126,22 +134,24 @@ redis-cli -p PORT AGE DECRYPTNAME app1 "<ciphertext_b64>"
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Create/persist a named signing keypair
|
# Create/persist a named signing keypair
|
||||||
redis-cli -p PORT AGE SIGNKEYGEN app1
|
redis-cli -p $PORT AGE SIGNKEYGEN app1
|
||||||
# → returns [verify_pub_b64, sign_secret_b64] and stores under name "app1"
|
# → returns [verify_pub_b64, sign_secret_b64] and stores under name "app1"
|
||||||
|
|
||||||
|
> TODO: should not return sign_secret_b64 (for security, but there can be separate function to export it e.g. AGE EXPORTSIGNKEY app1)
|
||||||
|
|
||||||
# Sign using the stored secret
|
# Sign using the stored secret
|
||||||
redis-cli -p PORT AGE SIGNNAME app1 "msg"
|
redis-cli -p $PORT AGE SIGNNAME app1 "msg"
|
||||||
# → returns "<signature_b64>"
|
# → returns "<signature_b64>"
|
||||||
|
|
||||||
# Verify using the stored public key
|
# Verify using the stored public key
|
||||||
redis-cli -p PORT AGE VERIFYNAME app1 "msg" "<signature_b64>"
|
redis-cli -p $PORT AGE VERIFYNAME app1 "msg" "<signature_b64>"
|
||||||
# → 1 (valid) or 0 (invalid)
|
# → 1 (valid) or 0 (invalid)
|
||||||
```
|
```
|
||||||
|
|
||||||
3) List stored AGE keys
|
3) List stored AGE keys
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
redis-cli -p PORT AGE LIST
|
redis-cli -p $PORT AGE LIST
|
||||||
# Example output includes labels such as "encpub" and your key names (e.g., "app1")
|
# Example output includes labels such as "encpub" and your key names (e.g., "app1")
|
||||||
```
|
```
|
||||||
|
|
||||||
|