tommmlij/unsealer

🔐 Unsealer

A minimal runtime secrets unsealing service for containerized applications.

This project provides a lightweight Axum-based HTTP server designed to securely inject secrets (such as API keys or configuration) into containerized services at runtime, without the need for heavy infrastructure like Vault.

🚀 How It Works

  1. The unsealer exposes a single endpoint: POST /init
  2. You send a NaCl Box-encrypted payload (24-byte nonce followed by the ciphertext, base64url-encoded) in the config field of a JSON body.
  3. The server opens the payload with its own private key (SERVER_PRIVATE_KEY) and the trusted client's public key (UNSEAL_PUBLIC_KEY). Box is authenticated encryption, so a payload that was not sealed by the holder of the matching client private key, or that was altered in transit, is rejected rather than decrypted to garbage.
  4. On success it spawns COMMAND, either:
    • passing the decrypted JSON as a single base64-encoded argument (format=json), or
    • setting individual keys as environment variables (format=env)

📦 Environment Variables

Variable             Description
PORT                 Port to bind the HTTP server (default: 3000)
SERVER_PRIVATE_KEY   Base64-encoded NaCl private key of the unsealer
UNSEAL_PUBLIC_KEY    Base64-encoded NaCl public key of the trusted client
COMMAND              Command to run (e.g. ./service) after successful unseal

🧾 Request Format

Endpoint: POST /init?format=json|env
Content-Type: application/json

{
  "config": "<base64url(NONCE + CIPHERTEXT)>"
}
  • NONCE is the 24-byte NaCl Box nonce for this message. Generate a fresh random nonce for every request; never reuse one under the same key pair.
  • The config must be encrypted using NaCl Box, with:
    • The client's private key (its public half is the unsealer's UNSEAL_PUBLIC_KEY)
    • The unsealer's public key (the public half of SERVER_PRIVATE_KEY)
  • The encodings differ: the payload is base64url, while the keys in the environment variables are standard base64.

🧪 Example: Sending a Request

curl -X POST "http://localhost:3000/init?format=json" \
  -H "Content-Type: application/json" \
  -d '{"config": "<base64url-encoded-data>"}'

(The URL is quoted because the ? in the query string is a glob character in some shells.)

🔐 Key Management

Each key is a 32-byte Curve25519 NaCl key, encoded as standard base64 for the environment variables. Keep SERVER_PRIVATE_KEY out of the image and out of version control; only its public half is shared with the client.

To generate compatible keys using PyNaCl:

from nacl.public import PrivateKey
import base64

# Fresh Curve25519 keypair; run once for the unsealer and once for the client.
sk = PrivateKey.generate()
pk = sk.public_key

# Standard base64 (not base64url), which is what the environment variables expect:
# the unsealer's private key becomes SERVER_PRIVATE_KEY, the client's public key UNSEAL_PUBLIC_KEY.
print("Private Key:", base64.b64encode(sk.encode()).decode())
print("Public Key: ", base64.b64encode(pk.encode()).decode())

🧰 Building

cargo build --release

This produces a single unsealer binary you can copy into any container image. Note that Rust's default Linux target links glibc dynamically; if you need a fully static binary for a minimal base image, build with --target x86_64-unknown-linux-musl.


🐳 Docker Usage

FROM node:lts
COPY unsealer /usr/local/bin/unsealer
# COMMAND names the service to start after a successful unseal. Supply
# SERVER_PRIVATE_KEY and UNSEAL_PUBLIC_KEY at run time (docker run -e, or
# an orchestrator secret), never via ENV in the image.
ENV COMMAND=./service
CMD ["unsealer"]

🛡️ Security Notes

  • All secrets must be encrypted on the client side before transmission; /init accepts only the sealed form described above.
  • The server does not yet enforce freshness, so a captured /init request can be replayed against a new instance of the container. Making payloads short-lived or one-time-use (for example, by binding a timestamp or single-use token into the encrypted JSON) is a future enhancement; until then, keep the endpoint unreachable from untrusted networks.
  • Terminate TLS in front of the unsealer (directly or at a reverse proxy) in production. The Box already protects the secret's confidentiality and integrity, but TLS keeps an on-path observer from capturing the request in the first place.

📄 License

MIT

About

Lightweight docker image to unlock and start services by injecting encrypted secrets at runtime.
