Skip to content
This repository was archived by the owner on Oct 9, 2025. It is now read-only.

lightdiscord/talos-kms-vault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
cmd/kms-server
cmd/kms-server
 
 
pkg/server
pkg/server
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

talos-kms-vault

Proxy between a Talos node and a Hashicorp Vault instance to enable KMS disk encryption. This project is a proof of concept.

Warning

This repository is a proof of concept, for a production ready repository see https://github.com/SoulKyu/talos-kms-vault

Usage

The Vault client uses the environment variables to configure itself, VAULT_ADDR and VAULT_TOKEN should be used. The token needs to use a policy that allows the update capability to :transit-path/encrypt/+ and :transit-path/decrypt/+.

TODOs

  • Talos Node's ID seems to be a UUID, if that's always the case implement a validation on the Seal/Unseal methods.
  • Dynamic vault authentication (don't use a static token and try to use the right method for the current context)
  • Maybe transform this into a Vault plugin.

References

About

Proxy between a Talos node and a Hashicorp Vault instance to enable KMS disk encryption

Topics

kms hashicorp-vault talos

Resources

Readme

License

MPL-2.0 license
Activity

Stars

7 stars

Watchers

1 watching

Forks

2 forks
Report repository

Languages