From its own website:
Keywhiz is a system for managing and distributing secrets. It can fit well with a service oriented architecture (SOA). [...]
Keywhiz makes managing secrets easier and more secure. Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI or web app UI. To enable workflows, Keywhiz has automation APIs over mTLS and support for simple secret generation plugins.
Keywhiz should be considered alpha at this point. Upcoming changes may break API backward compatibility. See our roadmap.
$ docker pull zuazo/keywhiz
$ docker run -d -p 4444:4444 zuazo/keywhiz
You can now open https://127.0.0.1:4444/ to navigate the Keywhiz server. The development data provides a
See the examples/ directory for more examples.
This image starts Keywhiz with the development data by default. All the
CMD calls will have the Keywhiz JAR file as entrypoint (
java -jar [...]/keywhiz-server-shaded.jar).
If you don't want to use development data, you should generate at least the following data:
The following image generates the following data in the entrypoint script:
You can use them directly from your YAML configuration file or generate your own.
See how to generate all this data in the Keywhiz development key material generation documentation.
Instead of installing the image from Docker Hub, you can build the image from sources if you prefer:
$ git clone https://github.com/zuazo/keywhiz-docker keywhiz $ cd keywhiz $ docker build -t zuazo/keywhiz .
4444: Keywhiz application HTTPS port.
COOKIEKEY_PATH: Randomly generated cookie key path (
KEYSTORE_PASS: Password used to generate the derivation key (randomly generated).
JAVA_ARGS: Some java arguments.
You can change them using
docker run -e [...] or in your Dockerfile, using the
KEYWHIZ_VERSION: Keywhiz version to install (
KEYWHIZ_PREFIX: Keywhiz parent directory (
JAR: Keywhiz JAR file path (
ENTRYPOINT: Entrypoint, used to run the Keywhiz binary (
java -jar server/target/keywhiz-server-shaded.jar). You can use it to call the Keywhiz application with some arguments:
RUN $ENTRYPOINT check,
RUN $ENTRYPOINT migrate,
RUN $ENTRYPOINT db-seed, ...
The docker working directory is set to the main Keywhiz directory (
|Author:||Xabier de Zuazo ([email protected])|
|Copyright:||Copyright (c) 2015|
|License:||Apache License, Version 2.0|
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.