mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
60 Commits 1 Branch 2 Tags
28d6f9fa1fbc4957039e89df60802452ff09a86c
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Kyle Isom 28d6f9fa1f Fix ListIssuers auth: move from public to auth-required methods 
ListIssuers was miscategorized as a public gRPC method, but the CA
engine handler requires CallerInfo with user role. When called without
auth (public path), the interceptor skipped token validation, so
CallerInfo was nil and the handler returned ErrUnauthorized — which
the web UI silently swallowed, showing "No issuers configured."

Security: gRPC interceptor map correction (ListIssuers requires auth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 02:24:11 -07:00
.claude
Add ACME (RFC 8555) server and Go client library
2026-03-15 08:09:12 -07:00
.junie
Add policy CRUD, cert management, and web UI updates
2026-03-15 19:41:11 -07:00
clients/go
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
cmd
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
deploy
Add comprehensive ACME test suite (60 tests, 2100 lines)
2026-03-25 21:01:23 -07:00
docs
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
engines
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
gen/metacrypt
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
internal
Fix ListIssuers auth: move from public to auth-required methods
2026-03-27 02:24:11 -07:00
proto/metacrypt
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
web
Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
2026-03-16 22:02:06 -07:00
.gitignore
Checkpoint: auth, engine, seal, server, grpc updates
2026-03-15 10:15:47 -07:00
.golangci.yaml
Add golangci yaml.
2026-03-15 10:15:47 -07:00
AGENTS.md
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
ARCHITECTURE.md
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
AUDIT.md
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
buf.yaml
Add buf lint/breaking targets and fix proto naming violations
2026-03-15 10:27:52 -07:00
CLAUDE.md
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
Dockerfile
Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs
2026-03-15 11:39:13 -07:00
Dockerfile.api
Add git to alpine builder for private module fetching
2026-03-26 14:58:36 -07:00
Dockerfile.web
Add git to alpine builder for private module fetching
2026-03-26 14:58:36 -07:00
go.mod
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
go.sum
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
Makefile
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
PKI-ENGINE-PLAN.md
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
POLICY.md
Add policy CRUD, cert management, and web UI updates
2026-03-15 19:41:11 -07:00
PROJECT.md
Migrate module path from kyle/ to mc/ org
2026-03-27 02:05:59 -07:00
README.md
Add README with quick-start and links to detailed docs
2026-03-15 10:33:47 -07:00
REMEDIATION.md
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
RUNBOOK.md
Implement CA/PKI engine with two-tier X.509 certificate issuance
2026-03-14 21:57:52 -07:00

README.md

Metacrypt

Metacrypt is a cryptographic service for the Metacircular platform. It provides an encrypted secrets barrier and pluggable cryptographic engines (CA/PKI, SSH CA, transit encryption, user-to-user encryption) over a gRPC and HTTPS API. Authentication is delegated to MCIAS.

It operates using a seal/unseal model similar to HashiCorp Vault: the service starts sealed on every boot and must be unlocked with a password before cryptographic operations are available.

Quick Start

Prerequisites

  • Go 1.23+
  • A running MCIAS instance
  • TLS certificate and key for the server

Build

make metacrypt metacrypt-web

Configure

cp deploy/examples/metacrypt.toml /srv/metacrypt/metacrypt.toml
# Edit to set listen_addr, tls_cert, tls_key, database.path, mcias.server_url

Initialize

./metacrypt init --config /srv/metacrypt/metacrypt.toml

This prompts for a seal password and generates the master encryption key. Store the seal password securely — it cannot be recovered if lost.

Run

./metacrypt server --config /srv/metacrypt/metacrypt.toml

The service starts sealed. Unseal it:

curl -sk -X POST https://localhost:8443/v1/unseal \
    -H 'Content-Type: application/json' \
    -d '{"password":"<seal-password>"}'

Or use the web UI: navigate to https://<host>:8443/.

Docker

make docker
docker compose -f deploy/docker/docker-compose.yml up -d

See RUNBOOK.md for volume setup instructions.

Further Reading

Document Contents
ARCHITECTURE.md Cryptographic design, key hierarchy, engine architecture, API reference, security model
RUNBOOK.md Installation, daily operations, backup/restore, monitoring, troubleshooting
PKI-ENGINE-PLAN.md CA engine implementation plan

Development

make build      # Build all packages
make test       # Run tests
make vet        # Static analysis
make lint       # golangci-lint
make proto      # Regenerate protobuf/gRPC stubs
make proto-lint # Lint and check proto breaking changes
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 3.1 MiB
Languages
Go 91%
HTML 7.4%
CSS 1.1%
Shell 0.3%
Makefile 0.2%