sup3rS3cretMes5age!

A simple, secure self-destructing message service, using HashiCorp Vault product as a backend.

self-destruct

Read more about the reasoning behind this project in the relevant blog post.

Now using Let's Encrypt for simple and free SSL certs!

Deployment

Testing it locally

You can just run docker-compose up --build: it will build the Docker image and then run it alongside a standalone Vault server.

By default, the docker-compose.yml is configured to run the webapp on port 8082 in cleartext HTTP (so you can access it on http://localhost:8082).

Optionally, you can modify the docker-compose.yml and tweak the options (enable HTTPS, disable HTTP or enable redirection to HTTPS, etc.). See Configuration options.

Production Deployment

We recommend deploying the project via Docker and a container orchestration tool:

Build the Docker image using the provided Dockerfile
Host it in a Docker registry (Docker Hub, AWS ECR, etc.)
Deploy the image (alongside with a standalone Vault server) using a container orchestration tool (Kubernetes, Docker Swarm, AWS ECS, etc.)

You can read the configuration examples below.

Security notice!

Whatever deployment method you choose, you should always run this behind SSL/TLS, otherwise secrets will be sent unencrypted!

Depending on your infrastructure/deployment, you can have TLS termination either inside the container (see Configuration examples - TLS), or before e.g. at a load balancer/reverse proxy in front of the service. It is interesting to have TLS termination before the container so you don't have to manage the certificate/key there, but make sure the network between your TLS termination point and your container is secure.

Configuration options

VAULT_ADDR: address of the Vault server used for storing the temporary secrets.
VAULT_TOKEN: Vault token used to authenticate to the Vault server.
SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: HTTP binding address (e.g. :80).
SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS: HTTPS binding address (e.g. :443).
SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED: whether to enable HTTPS redirection or not (e.g. true).
SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN: domain to use for "Auto" TLS, i.e. automatic generation of certificate with Let's Encrypt. See Configuration examples - TLS - Auto TLS.
SUPERSECRETMESSAGE_TLS_CERT_FILEPATH: certificate filepath to use for "manual" TLS.
SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH: certificate key filepath to use for "manual" TLS.
SUPERSECRETMESSAGE_VAULT_PREFIX: vault prefix for secrets (default cubbyhole/)

Configuration example

Here is an example of a functionnal docker-compose.yml file

version: '3.2'

services:
  vault:
    image: vault:latest
    container_name: vault
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: root
    cap_add:
      - IPC_LOCK
    expose:
      - 8200

  supersecret:
    build: ./
    image: algolia/supersecretmessage:latest
    container_name: supersecret
    environment:
      VAULT_ADDR: http://vault:8200
      VAULT_TOKEN: root
      SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: ":80"
      SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS: ":443"
      SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED: "true"
      SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN: secrets.example.com
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - vault

Configuration types

Plain HTTP

VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root

SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS=:80

TLS

Auto TLS

VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root

SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443
SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com

Auto TLS with HTTP > HTTPS redirection

VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root

SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS=:80
SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443
SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED=true
SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com

Manual TLS

VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root

SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443
SUPERSECRETMESSAGE_TLS_CERT_FILEPATH=/mnt/ssl/cert_secrets.example.com.pem
SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH=/mnt/ssl/key_secrets.example.com.pem

Screenshot

Contributing

Pull requests are very welcome! They will be reviewed by our team at Algolia.

Thanks!

This project is heavaily depandent on Echo Go Web Frameworkand on Hashicorp Vault.

Project Name	Stars	Repos Using This	Packages Using This	Most Recent Commit	Total Releases	Latest Release	Open Issues	License	Language
Nomad	13,608	103	291	a day ago	753	September 14, 2022	1,479	mpl-2.0	Go
Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Consul Template	4,644	15	58	9 days ago	118	August 18, 2022	148	mpl-2.0	Go
Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
Emitter	3,482			3 months ago	2	May 05, 2018	13	agpl-3.0	Go
High performance, distributed and low latency publish-subscribe platform.
Kubernetes External Secrets	2,588			a year ago			10	mit	JavaScript
Integrate external secret management systems with Kubernetes
Gomplate	2,179		32	5 days ago	81	September 13, 2022	29	mit	Go
A flexible commandline tool for template rendering. Supports lots of local and remote datasources.
Envconsul	1,946			5 days ago	41	July 19, 2022	30	mpl-2.0	Go
Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
Teller	1,622			17 days ago			19	apache-2.0	Go
Cloud native secrets management for developers - never leave your command line for secrets.
Vault Ui	1,299			5 years ago	3	October 04, 2017	50	other	JavaScript
Vault-UI — A beautiful UI to manage your Vault, written in React
Hvac	1,096	192	115	11 days ago	61	September 23, 2021	145	apache-2.0	Python
:lock: Python 3.X client for HashiCorp Vault
Vault Guides	936			2 months ago	4	April 06, 2021	57	mpl-2.0	Shell
Example usage of HashiCorp Vault secrets management

Sup3rs3cretmes5age