path: root/custodia.conf
# Server-wide settings.
[global]
# NOTE(review): the value is written inside double quotes. Whether the quotes
# are stripped or kept as part of the string depends on the parser; confirm.
server_version = "Secret/0.0.7"
# NOTE(review): debug is switched on in this file. For a service that handles
# secrets, confirm what the debug output contains and disable it outside
# development.
debug = True

# Disabled alternative authenticator; every line of the section is commented
# out.
# NOTE(review): uid/gid 48 presumably name the single local account allowed to
# connect. Confirm against SimpleCredsAuth before enabling.
#[auth:simple]
#handler = custodia.httpd.authenticators.SimpleCredsAuth
#uid = 48
#gid = 48

# Active authenticator: SimpleHeaderAuth configured with the header name
# REMOTE_USER.
# NOTE(review): a header-derived identity is only as trustworthy as whatever
# sets the header. Confirm the service is reachable only through a front end
# that authenticates the user and overwrites any client-supplied REMOTE_USER.
[auth:header]
handler = custodia.httpd.authenticators.SimpleHeaderAuth
name = REMOTE_USER

# Path-based authorizer.
# NOTE(review): "/." is a handler-specific spelling. Confirm in SimplePathAuthz
# exactly which request paths it admits, and keep the list as narrow as
# possible, since entries here are presumably allowed without a per-user check.
[authz:paths]
handler = custodia.httpd.authorizers.SimplePathAuthz
paths = /.

# Authorizer for the /secrets/ path, tied to the store named "simple".
# NOTE(review): the handler name suggests each user is confined to a namespace
# of their own under this path. If so, the identity supplied by the
# authenticator is the only thing separating one user's secrets from
# another's; confirm.
[authz:namespaces]
handler = custodia.httpd.authorizers.UserNameSpace
path = /secrets/
store = simple

# Store named "simple": SqliteStore handler, table "secrets".
# NOTE(review): dburi is a relative path, so the database location presumably
# depends on the working directory of the process. Confirm, and prefer an
# absolute path whose file is readable only by the service account.
# NOTE(review): nothing in this section configures encryption (compare the
# EncryptedStore handler used by [store:encrypted]), so values are presumably
# kept in cleartext in the database file.
[store:simple]
handler = custodia.store.sqlite.SqliteStore
dburi = secrets.db
table = secrets

# Section named after the path "/": custodia.root.Root handler, using the
# store named "simple".
[/]
handler = custodia.root.Root
store = simple


# Multi-tenant example
# Store for tenant1. It names the same secrets.db file as [store:simple] and
# differs only in the table, so tenant separation in this example is by table
# inside one database file, not by file or by key.
[store:tenant1]
handler = custodia.store.sqlite.SqliteStore
dburi = secrets.db
table = tenant1

# Authorizer for the tenant1 path, tied to the tenant1 store. Same handler as
# [authz:namespaces], with a tenant-specific path prefix.
[authz:tenant1]
handler = custodia.httpd.authorizers.UserNameSpace
path = /tenant1/secrets/
store = tenant1

# Section named after the path /tenant1/secrets: custodia.root.Secrets handler,
# using the tenant1 store.
[/tenant1/secrets]
handler = custodia.root.Secrets
store = tenant1


# Encstore example
# Store named "encrypted": EncryptedStore handler over examples/enclite.db,
# with a master key read from the file named by master_key.
# NOTE(review): the key file is a sample under examples/. A key distributed
# with example files protects nothing. For real use, generate a private key
# file readable only by the service account and keep it out of version control.
[store:encrypted]
handler = custodia.store.enclite.EncryptedStore
dburi = examples/enclite.db
table = enclite
master_key = examples/enclite.sample.key
# A128CBC-HS256 is the JOSE name for AES-128-CBC combined with HMAC-SHA-256.
master_enctype = A128CBC-HS256

# Authenticator using the SimpleAuthKeys handler, reading from the store named
# "encrypted".
# NOTE(review): presumably a client-presented key is compared with one held in
# that store; confirm against SimpleAuthKeys.
[auth:sak]
handler = custodia.httpd.authenticators.SimpleAuthKeys
store = encrypted
# The value below is a published example credential; replace it before any
# real use.
# sample key: test=foo-host-key

# Authorizer for /enc/secrets/, tied to the store named "encrypted".
# [authz:kkstore] declares the same path with a different handler.
# NOTE(review): confirm how the two authorizers combine for one request.
[authz:encrypted]
handler = custodia.httpd.authorizers.UserNameSpace
path = /enc/secrets/
store = encrypted

# Store named "kemkeys". Its handler, dburi, table, master_key and
# master_enctype are identical to [store:encrypted], so both names presumably
# read and write the same rows.
# NOTE(review): master_key points at the sample key file under examples/;
# replace it with a private key for real use.
[store:kemkeys]
handler = custodia.store.enclite.EncryptedStore
dburi = examples/enclite.db
table = enclite
master_key = examples/enclite.sample.key
master_enctype = A128CBC-HS256

# Entry for /enc/secrets/ using the KEMKeysStore handler and the "kemkeys"
# store.
# NOTE(review): the handler lives under custodia.message.kem, so it presumably
# supplies the keys used for "kem" messages on this path; confirm.
[authz:kkstore]
handler = custodia.message.kem.KEMKeysStore
path = /enc/secrets/
store = kemkeys

# Section named after the path /enc/secrets: custodia.root.Secrets handler,
# using the store named "encrypted".
[/enc/secrets]
handler = custodia.root.Secrets
# Two key types are listed, separated by a space: simple and kem.
# NOTE(review): if "simple" means unwrapped requests, list only the types the
# deployment actually needs; confirm the semantics in custodia.root.Secrets.
allowed_keytypes = simple kem
store = encrypted