mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
44 Commits 1 Branch 2 Tags
656f22e19b19b9362940b6eecd7d18bcada367a2
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Kyle Isom 656f22e19b Add vault_sni config for container TLS hostname override 
The web UI connects to the vault API via gRPC using the Docker
compose service name (e.g., "metacrypt:9443"), but the vault's TLS
certificate has SANs for "crypt.metacircular.net" and "localhost".
The new vault_sni config field overrides the TLS ServerName so
certificate verification succeeds despite the hostname mismatch.

Also updates metacrypt-rift.toml with vault_sni and temporarily
binds the web UI port to 0.0.0.0 for direct access until mc-proxy
is deployed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:28:50 -07:00
.claude
Add ACME (RFC 8555) server and Go client library
2026-03-15 08:09:12 -07:00
.junie
Add policy CRUD, cert management, and web UI updates
2026-03-15 19:41:11 -07:00
clients/go
Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)
2026-03-16 18:27:44 -07:00
cmd
Migrate db, auth to mcdsl; remove mcias client dependency
2026-03-25 18:42:43 -07:00
deploy
Add vault_sni config for container TLS hostname override
2026-03-25 19:28:50 -07:00
docs
Update engine specs, audit doc, and server tests for SSH CA, transit, and user engines
2026-03-16 20:16:23 -07:00
engines
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
gen/metacrypt
Merge branch 'worktree-agent-a98b5183'
2026-03-16 20:01:04 -07:00
internal
Add vault_sni config for container TLS hostname override
2026-03-25 19:28:50 -07:00
proto/metacrypt
Merge branch 'worktree-agent-a98b5183'
2026-03-16 20:01:04 -07:00
web
Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
2026-03-16 22:02:06 -07:00
.gitignore
Checkpoint: auth, engine, seal, server, grpc updates
2026-03-15 10:15:47 -07:00
.golangci.yaml
Add golangci yaml.
2026-03-15 10:15:47 -07:00
AGENTS.md
Checkpoint: auth, engine, seal, server, grpc updates
2026-03-15 10:15:47 -07:00
ARCHITECTURE.md
Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)
2026-03-16 18:27:44 -07:00
AUDIT.md
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
buf.yaml
Add buf lint/breaking targets and fix proto naming violations
2026-03-15 10:27:52 -07:00
CLAUDE.md
Add architecture docs, fix gRPC/REST API parity, project conventions
2026-03-14 23:29:51 -07:00
Dockerfile
Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs
2026-03-15 11:39:13 -07:00
Dockerfile.api
Migrate db, auth to mcdsl; remove mcias client dependency
2026-03-25 18:42:43 -07:00
Dockerfile.web
Migrate db, auth to mcdsl; remove mcias client dependency
2026-03-25 18:42:43 -07:00
go.mod
Use published mcdsl v0.1.0, remove replace directive
2026-03-25 18:54:13 -07:00
go.sum
Use published mcdsl v0.1.0, remove replace directive
2026-03-25 18:54:13 -07:00
Makefile
Add certificate issuance, CSR signing, and cert listing to web UI
2026-03-15 13:21:13 -07:00
PKI-ENGINE-PLAN.md
Implement CA/PKI engine with two-tier X.509 certificate issuance
2026-03-14 21:57:52 -07:00
POLICY.md
Add policy CRUD, cert management, and web UI updates
2026-03-15 19:41:11 -07:00
PROJECT.md
Implement Phase 1: core framework, operational tooling, and runbook
2026-03-14 20:43:11 -07:00
README.md
Add README with quick-start and links to detailed docs
2026-03-15 10:33:47 -07:00
REMEDIATION.md
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
RUNBOOK.md
Implement CA/PKI engine with two-tier X.509 certificate issuance
2026-03-14 21:57:52 -07:00

README.md

Metacrypt

Metacrypt is a cryptographic service for the Metacircular platform. It provides an encrypted secrets barrier and pluggable cryptographic engines (CA/PKI, SSH CA, transit encryption, user-to-user encryption) over a gRPC and HTTPS API. Authentication is delegated to MCIAS.

It operates using a seal/unseal model similar to HashiCorp Vault: the service starts sealed on every boot and must be unlocked with a password before cryptographic operations are available.

Quick Start

Prerequisites

  • Go 1.23+
  • A running MCIAS instance
  • TLS certificate and key for the server

Build

make metacrypt metacrypt-web

Configure

cp deploy/examples/metacrypt.toml /srv/metacrypt/metacrypt.toml
# Edit to set listen_addr, tls_cert, tls_key, database.path, mcias.server_url

Initialize

./metacrypt init --config /srv/metacrypt/metacrypt.toml

This prompts for a seal password and generates the master encryption key. Store the seal password securely — it cannot be recovered if lost.

Run

./metacrypt server --config /srv/metacrypt/metacrypt.toml

The service starts sealed. Unseal it:

curl -sk -X POST https://localhost:8443/v1/unseal \
    -H 'Content-Type: application/json' \
    -d '{"password":"<seal-password>"}'

Or use the web UI: navigate to https://<host>:8443/.

Docker

make docker
docker compose -f deploy/docker/docker-compose.yml up -d

See RUNBOOK.md for volume setup instructions.

Further Reading

Document Contents
ARCHITECTURE.md Cryptographic design, key hierarchy, engine architecture, API reference, security model
RUNBOOK.md Installation, daily operations, backup/restore, monitoring, troubleshooting
PKI-ENGINE-PLAN.md CA engine implementation plan

Development

make build      # Build all packages
make test       # Run tests
make vet        # Static analysis
make lint       # golangci-lint
make proto      # Regenerate protobuf/gRPC stubs
make proto-lint # Lint and check proto breaking changes
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 3.1 MiB
Languages
Go 91%
HTML 7.4%
CSS 1.1%
Shell 0.3%
Makefile 0.2%