keyfork/crates/keyfork-shard
Ryan Heywood fa84a2ae5f
keyfork-shard: Be less strict about keys
Rationale: Keyfork Shard runs on Airgap systems. The biggest impact of
using StandardPolicy and checking whether keys are "alive" is the drift
between different Airgap systems where the keys may not be valid at the
same time. Because of this, it is impossible to shard a secret to all
keys at once using a StandardPolicy.

However, we consider these keys to be a trusted input, whether created
by a previous system or generated directly by Keyfork. Because of this,
we can use a NullPolicy to blanketly permit all keys, the same way we
blanketly permit all keys when reconstituting the sharded secret, and
disable the check for whether keys are alive (though, we are still
denying revoked keys).
2024-08-08 00:48:33 -04:00
src keyfork-shard: Be less strict about keys 2024-08-08 00:48:33 -04:00
Cargo.toml keyfork-shard: verify QR code length correctly 2024-05-29 16:16:55 -04:00
README.md keyforkd, keyfork-shard: add README.md 2024-01-20 01:17:56 -05:00

README.md

Keyfork Shard

Securing secrets using Shamir's Secret Sharing, an "M-of-N" secret recovery mechanism: a secret is split into N parts (shards), each encrypted to one holder's key, and any M of them are enough to restore the secret, while fewer than M reveal nothing about it.

Shardfile Formats

Currently, OpenPGP is the only supported format. Shards can be held by any mix of smartcards and OpenPGP key files.

Metadata

Keyfork Shard stores some additional metadata inside the Shardfile to make recombining secrets easier. This metadata currently includes the metadata version (1) and the threshold required to recreate the secret (meaning you don't need to remember the threshold!).
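As an added example (not Keyfork Shard's own code), the following Rust program implements the M-of-N split and recombination described above, with a small share header carrying the format version and the threshold so that the combiner never has to be told M, which is the point of the metadata described above. Everything in it is an assumption made for illustration: the `[version, threshold, x]` header layout, the byte-wise GF(2^8) construction and the function names are not Keyfork's Shardfile format, and unlike Keyfork it does not encrypt the shares to OpenPGP recipients.

```rust
// Added example, not Keyfork Shard's code: byte-wise Shamir's Secret Sharing
// over GF(2^8). Each share is [version, threshold, x] followed by one byte per
// secret byte. The header layout is an assumption for this example only.

const SHARE_VERSION: u8 = 1;

/// Multiply in GF(2^8) using the AES reduction polynomial x^8+x^4+x^3+x+1.
pub fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut product = 0u8;
    while b != 0 {
        if b & 1 != 0 {
            product ^= a;
        }
        let carry = a & 0x80;
        a <<= 1;
        if carry != 0 {
            a ^= 0x1b;
        }
        b >>= 1;
    }
    product
}

/// Multiplicative inverse as a^254, since a^255 = 1 for every non-zero a.
pub fn gf_inv(a: u8) -> u8 {
    assert!(a != 0, "zero has no inverse");
    let (mut result, mut base, mut exp) = (1u8, a, 254u8);
    while exp > 0 {
        if exp & 1 != 0 {
            result = gf_mul(result, base);
        }
        base = gf_mul(base, base);
        exp >>= 1;
    }
    result
}

/// Horner evaluation; coefficients are given constant term first.
fn poly_eval(coeffs: &[u8], x: u8) -> u8 {
    coeffs.iter().rev().fold(0u8, |acc, &c| gf_mul(acc, x) ^ c)
}

/// Split `secret` into `count` shares, any `threshold` of which recover it.
/// The scheme's secrecy rests entirely on `rng`: use a CSPRNG in real code.
pub fn split<R: FnMut() -> u8>(secret: &[u8], threshold: u8, count: u8, mut rng: R) -> Vec<Vec<u8>> {
    assert!(threshold >= 1 && threshold <= count, "need 1 <= threshold <= count");
    // x = 0 would be the secret itself, so shares are evaluated at x = 1..=count.
    let mut shares: Vec<Vec<u8>> = (1..=count).map(|x| vec![SHARE_VERSION, threshold, x]).collect();
    for &byte in secret {
        // Fresh random polynomial per byte: degree threshold-1, constant term = byte.
        let mut coeffs = vec![byte];
        coeffs.extend((1..threshold).map(|_| rng()));
        for share in shares.iter_mut() {
            let x = share[2];
            share.push(poly_eval(&coeffs, x));
        }
    }
    shares
}

/// Recombine shares; the threshold is read from the share header, not supplied.
pub fn combine(shares: &[Vec<u8>]) -> Result<Vec<u8>, String> {
    let first = shares.first().ok_or("no shares given")?;
    if first.len() < 3 || first[0] != SHARE_VERSION {
        return Err("unrecognised share header".to_string());
    }
    let threshold = first[1] as usize;
    if shares.iter().any(|s| s.len() != first.len() || s[0] != SHARE_VERSION || s[1] != first[1] || s[2] == 0) {
        return Err("shares do not belong to the same split".to_string());
    }
    if shares.len() < threshold {
        return Err(format!("threshold is {} but only {} shares given", threshold, shares.len()));
    }
    let used = &shares[..threshold];
    let xs: Vec<u8> = used.iter().map(|s| s[2]).collect();
    if (1..xs.len()).any(|i| xs[..i].contains(&xs[i])) {
        return Err("duplicate share supplied".to_string());
    }
    // Lagrange basis at x = 0. In characteristic 2 subtraction is XOR, so
    // l_j(0) = prod_{k != j} x_k / (x_k ^ x_j).
    let basis: Vec<u8> = (0..threshold)
        .map(|j| {
            let (num, den) = xs.iter().enumerate().filter(|&(k, _)| k != j)
                .fold((1u8, 1u8), |(n, d), (_, &xk)| (gf_mul(n, xk), gf_mul(d, xk ^ xs[j])));
            gf_mul(num, gf_inv(den))
        })
        .collect();
    let secret = (3..first.len())
        .map(|i| used.iter().zip(&basis).fold(0u8, |acc, (s, &b)| acc ^ gf_mul(s[i], b)))
        .collect();
    Ok(secret)
}

fn main() {
    // Demo-only PRNG (xorshift64) seeded from std's OS-seeded RandomState;
    // production code must draw coefficients from a CSPRNG such as getrandom.
    use std::hash::{BuildHasher, Hasher};
    let mut state = std::collections::hash_map::RandomState::new().build_hasher().finish() | 1;
    let rng = move || {
        state ^= state << 13;
        state ^= state >> 7;
        state ^= state << 17;
        (state >> 56) as u8
    };
    let secret = b"constructed example secret"; // constructed sample input
    let shares = split(secret, 3, 5, rng);
    // Shares 1, 3 and 5 meet the threshold recorded in the header.
    let picked = vec![shares[0].clone(), shares[2].clone(), shares[4].clone()];
    let recovered = combine(&picked).expect("three shares meet the threshold");
    assert_eq!(recovered, secret);
    println!("recovered {} bytes from 3 of 5 shares", recovered.len());
    println!("two shares: {:?}", combine(&shares[..2]).unwrap_err());
}
```

Two caveats a practitioner should carry over to any real format: the header here is unauthenticated, so a tampered threshold byte can only cause a wrong reconstruction, not be detected (Keyfork's OpenPGP layer is where such integrity would come from), and the coefficient source is the whole security of the scheme, so the xorshift in `main` is strictly a stand-in for a CSPRNG.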

Command Line Usage

The command to run to split and combine a secret is format-dependent, but will often follow the format keyfork-shard-split-<format> and keyfork-shard-combine-<format>. For this example, OpenPGP will be used, but the flow will be similar for any format. Keyfork Shard expects the input to be a hex-encoded secret.

# Read our secret into a shell variable (-r keeps backslashes literal).
read -r secret

# Shard our secret 3-of-5, encrypting the shards to the keys in keyring.pgp.
echo "$secret" | keyfork-shard-split-openpgp 3 5 keyring.pgp > shards.pgp

# Forget our secret.
unset secret

# Recreate our secret. Without specifying a keyring, we are prompted to use
# smartcards. The threshold is read from the Shardfile metadata.
keyfork-shard-combine-openpgp shards.pgp