A system for distributing and managing secrets
Keywhiz is a system for distributing and managing secrets. For more information, see the website.
Our Protecting infrastructure secrets with Keywhiz blog post is worth reading, as it provides some useful context.
Keywhiz requires Java 11 and MySQL 5.7 or higher.
See CONTRIBUTING for details on submitting patches.
java -jar server/target/keywhiz-server-*-shaded.jar [COMMAND] [OPTIONS]
Useful commands to get started are
server. Use with
--helpfor a list of all available commands. Use with
[COMMAND] --helpto get help on a particular command.
For example, to run Keywhiz with a mysql database in development mode:
Initialize dev database
java -jar $SERVER_JAR migrate $KEYWHIZ_CONFIG
Add an administrative user
java -jar $SERVER_JAR add-user $KEYWHIZ_CONFIG
java -jar $SERVER_JAR server $KEYWHIZ_CONFIG
To connect to a running Keywhiz instance, you will need to use the CLI.
An example helper shell script that wraps the keywhiz-cli and sets some default parameters:
Set the path to a compiled, shaded keywhiz-cli JAR file
Use these flags if you want to specify a non-standard CA trust store.
Alternatively, in development and testing specify the --devTrustStore
flag to use the default truststore (DO NOT use this in production, as
the truststore is checked into Keywhiz' code).
java "$TRUSTSTORE" "$TRUSTTYPE" -jar "$KEYWHIZ_CLI_JAR" -U "$KEYWHIZ_SERVER_URL" "[email protected]"
Keywhiz uses jOOQ to talk to its database.
If you made changes to the database model and want to regenerate sources:
mvn install -pl model/ -Pgenerate-jooq-sources
We recommend IntelliJ IDEA for development.
Square also maintains a Keywhiz client implementation called Keysync.
We ship a Dockerfile for building a Docker container for Keywhiz. Please see the Dockerfile for extra instructions.
Keywhiz is under the Apache 2.0 license. See the LICENSE file for details.