Keylime
Bootstrap & Maintain Trust on the Edge / Cloud and IoT.
- Project Website
- https://keylime.dev/
- Platform
- License
- apache-2.0
- Category
- Usecase
- Provisioning Security & Compliance
- Technology
- Python Shell Dockerfile Makefile Mako Jinja Standard ML
- Offers premium version?
- NO
- Proprietary?
- NO
- About
-
Keylime
Keylime is an open-source scalable trust system harnessing TPM Technology.
Keylime provides an end-to-end solution for bootstrapping hardware rooted cryptographic trust for remote machines, the provisioning of encrypted payloads, and run-time system integrity monitoring. It also provides a flexible framework for the remote attestation of any given
PCR(Platform Configuration Register). Users can create their own customized actions that will trigger when a machine fails its attested measurements.Keylime's mission is to make TPM Technology easily accessible to developers and users alike, without the need for a deep understanding of the lower levels of a TPM's operations. Amongst many scenarios, it well suited to tenants who need to remotely attest machines not under their own full control (such as a consumer of hybrid cloud or a remote Edge / IoT device in an insecure physical tamper prone location.)
Keylime can be driven with a CLI application and a set of RESTful APIs.
Keylime consists of three main components; The Verifier, Registrar and the Agent.
-
The Verifier continuously verifies the integrity state of the machine that the agent is running on.
-
The Registrar is a database of all agents registered with Keylime and hosts the public keys of the TPM vendors.
-
The Agent is deployed to the remote machine that is to be measured or provisioned with secrets stored within an encrypted payload released once trust is established.
Rust based Keylime Agent
The verifier, registrar, and agent are all developed in Python and situated in this repository
keylime. The agent was ported to the Rust programming language. The code can be found in the rust-keylime repository.The decision was made to port the agent to Rust, as rust is a low-level performant systems language designed with security as a central tenet, by means of the rust compiler's ownership model.
Starting with the 0.1.0 release of the Rust based Keylime agent, this agent is now the official agent.
IMPORTANT: The Python version is deprecated and will be removed with the next major version (7.0.0)!
TPM Support
Keylime supports TPM version 2.0.
Keylime can be used with a hardware TPM, or a software TPM emulator for development, testing, or demonstration purposes. However, DO NOT USE Keylime in production with a TPM emulator! A software TPM emulator does not provide a hardware root of trust and dramatically lowers the security benefits of using Keylime.
A hardware TPM should always be used when real secrets and trust is required.
Table of Contents
- Installation
- Usage
- Configuring Keylime
- Running Keylime
- Provisioning
- Request a Feature
- Security Vulnerability Management Policy
- Meeting Information
- Contributing: First Timers Support
- Testing
- Additional Reading
- Disclaimer
To install Keylime refer to the instructions found in the documentation.
Usage Configuring Keylime
Keylime puts its configuration in
/etc/keylime/*.confor/usr/etc/keylime/*.conf. It will also take an alternate location for the config in the environment varkeylime_{VERIFIER,REGISTRAR,TENANT,CA,LOGGING}_CONFIG.Those files are documented with comments and should be self-explanatory in most cases.
Running Keylime
Keylime has three major component services that run: the registrar, verifier, and the agent:
-
The registrar is a simple HTTPS service that accepts TPM public keys. It then presents an interface to obtain these public keys for checking quotes.
-
The verifier is the most important component in Keylime. It does initial and periodic checks of system integrity and supports bootstrapping a cryptographic key securely with the agent. The verifier uses mutual TLS for its control interface.
By default, the verifier will create appropriate TLS certificates for itself in
/var/lib/keylime/cv_ca/. The registrar and tenant will use this as well. If you use the generated TLS certificates then all the processes need to run as root to allow reading of private key files in/var/lib/keylime/. -
The agent is the target of bootstrapping and integrity measurements. It puts its stuff into
/var/lib/keylime/.
Provisioning
To kick everything off you need to tell Keylime to provision a machine. This can be done with the Keylime tenant.
Provisioning with keylime_tenant
The
keylime_tenantutility can be used to provision your agent.As an example, the following command tells Keylime to provision a new agent at 127.0.0.1 with UUID d432fbb3-d2f1-4a97-9ef7-75bd81c00000 and talk to a verifier at 127.0.0.1. Finally, it will encrypt a file called
filetosendand send it to the agent allowing it to decrypt it only if the configured TPM policy is satisfied:keylime_tenant -c add -t 127.0.0.1 -v 127.0.0.1 -u D432fbb3-d2f1-4a97-9ef7-75bd81c00000 -f filetosendTo stop Keylime from requesting attestations:
keylime_tenant -c delete -t 127.0.0.1 -u d432fbb3-d2f1-4a97-9ef7-75bd81c00000For additional advanced options for the tenant utility run:
keylime_tenant -hDocumentation on how to create runtime and measured boot policies can be found in the Keylime User Guide.
Systemd service support
The directory
services/includessystemdservice files for the verifier, agent and registrar.You can install the services with the following command:
sudo ./services/installer.shOnce installed, you can run and inspect the services
keylime_verifierandkeylime_registrarviasystemctl. The Rust agent repository also contains a systemd service file for the agent.Request a feature
Keylime feature requests are tracked as enhancements in the enhancements repository
The enhancement process has been implemented to provide a way to review and assess the impact(s) of significant changes to Keylime.
Security Vulnerability Management Policy
If you have found a security vulnerability in Keylime and would like to report, first of all: thank you.
Please contact us directly at security@keylime.groups.io for any bug that might impact the security of this project. Do not use a Github issue to report any potential security bugs.
Project Meetings
We meet on the fourth Wednesday each month @ 15:30 GMT to 16:30. Anyone is welcome to join the meeting.
The meeting is normally announced on CNCF chat (Slack)
Meeting agenda are hosted and archived in the meetings repo as GitHub issues.
Contributing: First Timers Support
We welcome new contributors to Keylime of any form, including those of you who maybe new to working in an open source project.
So if you are new to open source development, don't worry, there are a myriad of ways you can get involved in our open source project. As a start, try exploring issues with
good first issuelabel. We understand that the process of creating a Pull Request (PR) can be a barrier for new contributors. These issues are reserved for new contributors like you. If you need any help or advice in making the PR, feel free to jump into our chat room and ask for help there.Your contribution is our gift to make our project even more robust. Check out CONTRIBUTING.md to find out more about how to contribute to our project.
Keylime uses Semantic Versioning. It is recommended you also read the RELEASE.md file to learn more about it and familiarise yourself with simple of examples of using it.
Testing
Please, see TESTING.md for details.
Additional Reading
- Executive summary Keylime slides: docs/old/keylime-elevator-slides.pptx
- Detailed Keylime Architecture slides: docs/old/keylime-detailed-architecture-v7.pptx
- See ACSAC 2016 paper in doc directory: docs/old/tci-acm.pdf
- and the ACSAC presentation on Keylime: docs/old/llsrc-keylime-acsac-v6.pptx
- See the HotCloud 2018 paper: docs/old/hotcloud18.pdf
- Details about Keylime REST API: docs/old/keylime RESTful API.docx
- Demo files - Some pre-packaged demos to show off what Keylime can do.
- IMA stub service - Allows you to test IMA and Keylime on a machine without a TPM. Service keeps emulated TPM synchronized with IMA.
We discovered a typo in Figure 5 of the published ACSAC paper. The final interaction between the Tenant and Cloud Verifier showed an HMAC of the node's ID using the key K_e. This should be using K_b. The paper in this repository and the ACSAC presentation have been updated to correct this typo.
The software that runs on the system with the TPM is now called the Keylime agent rather than the node. We have made this change in the documentation and code. The ACSAC paper will remain as it was published using node.
Disclaimer
DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secretary of Defense for Research and Engineering.
Keylime's license was changed from BSD Clause-2 to Apache 2.0. The original BSD Clause-2 licensed code can be found on the MIT GitHub organization.
-
-
Reference Airship manifests, CICD, and reference architecture.49
-
A Kubernetes Resource Interface for the Edge1.02K
-
Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.59.4K
-
Apollo is a reliable open-source configuration management system28.5K
-
AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment.
-
Cloud Foundry BOSH is an open source tool chain for release engineering, deployment and lifecycle management of large scale distributed services.2.01K
-
Cadence is a distributed, scalable, durable, and highly available fault-oblivious stateful code platform.7.46K
-
CDK8s lets you define Kubernetes apps and components using familiar programming languages and object-oriented APIs.3.91K
-
Chef Infra, a powerful automation platform that transforms infrastructure into code automating how infrastructure is configured, deployed and managed across any environment, at any scale7.37K
-
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources5.04K
-
Unified Interface for Constructing and Managing Workflows on different workflow engines, such as Argo Workflows, Tekton Pipelines, and Apache Airflow.856
-
DevStream: the open-source DevOps toolchain manager (DTM).835
-
Docs, API bindings, clients and integrations supporting RackN Digital Rebar data center provisioning and workflow system.137
-
an application that automates the lifecycle of servers2.45K
-
Universal Operator Lifecycle Manager (OLM) for Kubernetes operators, and operators for traditional Linux apps, with declarative integration between operators for automated microservice integration.2.19K
-
kiosk 🏢 Multi-Tenancy Extension For Kubernetes - Secure Cluster Sharing & Self-Service Namespace Provisioning1.04K
-
Run your deep learning workloads on Kubernetes more easily and efficiently.452
-
Kubernetes Native Edge Computing Framework (project under CNCF)6.17K
-
Kubernetes Platform Provisioning for Application Delivery and Infrastruction Management1.25K
-
a lightweight kubernetes multi-tenancy gateway609
-
Platform Engineering Engine: Deliver intentions to Kubernetes and Clouds664
-
A toolkit for building secure, portable and lean operating systems for containers8K
-
Self-service, remote installation of Windows, CentOS, ESXi and Ubuntu on real servers turns your data center into a bare-metal cloud.295
-
ManageIQ Open-Source Management Platform1.31K
-
CNCF is an open source software foundation that hosts and nurtures projects like Kubernetes and Prometheus.
-
Mist is an open source, multicloud management platform1.81K
-
Repository tracking all OpenStack repositories as submodules. Mirror of code maintained at opendev.org.5.02K
-
An open platform that extending your native Kubernetes to edge.1.59K
-
Pulumi - Universal Infrastructure as Code. Your Cloud, Your Language, Your Way 🚀18.4K
-
Server automation framework and application7.16K
-
Enable Self-Service Operations: Give specific users access to your existing tools, services, and scripts5.14K
-
Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:13.6K
-
Shifu is the next generation cloud native IoT development framework that could 10X your IoT software development1.11K
-
An edge-native container management system for edge computing987
-
Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.39.6K
-
A workflow engine for provisioning bare metal.833
-
vSphere is the industry-leading server virtualization software and the heart of a modern SDDC, helping you run, manage, connect, and secure your applications in a common operating environment across clouds.
-
Alibaba Cloud Container Registry (ACR) is a cloud-native artifacts management platform that helps your team build, manage, and ship containerized applications, also provides vulnerability analysis, global synchronization, content trust, and more functionalities out of the box.
-
Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.
-
Azure Container Registry allows you to store images for all types of container deployments including DC/OS, Docker Swarm, Kubernetes, and Azure services such as App Service, Batch, Service Fabric, and others.
-
The toolkit to pack, ship, store, and deliver container content8.01K
-
Container Registry is a single place for your team to manage Docker images, perform vulnerability analysis, and decide who can access what with fine-grained access control.
-
An open source trusted cloud native registry project that stores, signs, and scans content.21.3K
-
Detect vulnerabilities before images are ever deployed to containers. Store and distribute Docker images in your managed private registry.
-
Shipping updates continuously and automatically has become a critical element of any successful operation. JFrog is revolutionizing the software world with the practice of Continuous Update, with a speed and continuity that forever changes the way organizations manage and release software.
-
P2P Docker registry capable of distributing TBs of data in seconds5.7K
-
Authorization service and frontend for Docker registry (v2)2.99K
-
Build, Store, and Distribute your Applications and Containers2.29K
-
Zot is an OCI-native container registry for distributing container images and OCI artifacts.569
-
Application security, API Security, Identity and Access Management, 2FA, Security for container environments
-
Alcide provides dev-to-production security for workloads running in Kubernetes & Istio
-
A service that analyzes docker images and scans for vulnerabilities1.56K
-
Apolicy fuses security and compliance into your cloud native development pipeline. Using policy-as-code, we automate risk, policy and remediation from source to production
-
Aqua Security is a software company providing cloud-native security technology.
-
Creators of Kubescape: the first end-to-end open-source Kubernetes Security platform, made for DevOps.
-
Fine-grained, policy-based, real-time authorization for APIs and microservices. Aserto is the maintainer of the Topaz and Open Policy Containers OSS projects.24
-
Black Duck provides a comprehensive software composition analysis (SCA) solution for managing security, quality, and license compliance risk that comes from the use of open source and third-party code in applications and containers.
-
Bloombase is the intelligent storage firewall company
-
High-performance attack protection for Linux production environments – whether containerized, virtualized, or bare-metal, on-prem or cloud
-
Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.2.1K
-
Automatically provision and manage TLS certificates in Kubernetes10.9K
-
Chaitin Tech is a world leading and technology driven cyber security solution provider.
-
Check Point Software Technologies Ltd. is a leading provider of cyber security solutions to corporate enterprises and governments globally. Check Point protects over 100,000 organizations of all sizes.
-
Checkov scans cloud infrastructure configurations to find misconfigurations before they are deployed. Checkov manages and analyzes infrastructure as code (IaC) scan results across platforms such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework.6.15K
-
Vulnerability Static Analysis for Containers9.82K
-
Pioneering the world of self-healing, self-aware, self-sustaining, self-resilient, self-secure and intelligent remediation, MatosSphere brings a complete cloud security and governance solution for your cloud infrastructure.12
-
Confidential Containers is an open source community working to enable cloud native confidential computing by leveraging Trusted Execution Environments to protect containers and data.74
-
ContainerSSH launches a new container for each SSH connection in Kubernetes, Podman or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects. Authentication and container configuration are dynamic using webhooks, no system users required.2.47K
-
Curiefense is a unified, open source platform protecting cloud native applications.689
-
Datica brings the cloud to healthcare and helps highly regulated industries.
-
Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io6.37K
-
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors8.62K
-
Dosec Security Platform provides security protection capabilities for containers, kubernetes, microservices, serverless, and DevOps.
-
External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.3.32K
-
Kubernetes security, policy and compliance experts
-
Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.1.18K
-
FossID is a software composition analysis tool that scans code for open source licenses and vulnerabilities.
-
Fugue empowers cloud engineering and security teams to move faster with confidence in their cloud security. Use Fugue to secure the entire development lifecycle—from infrastructure as code through CI/CD and runtime—using a unified policy engine powered by the Open Policy Agent (OPA), the open source standard for policy as code.
-
Get your resource requests "Just Right"2.12K
-
Hexa Policy Orchestrator enables you to manage all of your access policies consistently across software providers.79
-
in-toto is a framework to protect supply chain integrity.786
-
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.1.77K
-
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark6.34K
-
Hunt for security weaknesses in Kubernetes clusters4.5K
-
Runtime protection for Kubernetes & other cloud Workloads. Kubearmor provides a observability and policy enforcement system to restrict any unwanted, malicious behaviour of cloud-native workloads at runtime.946
-
Kubescape is an open source security and compliance platform that scans clusters, Kubernetes manifest files (YAML files, and Helm charts), code repositories, container registries and images. It detects misconfigurations according to frameworks such as the NSA-CISA, MITRE ATT&CK® and CIS, as well as software vulnerabilities, and calculates risk scores.9.3K
-
Manage admission policies in your Kubernetes cluster with ease157
-
Metarget is a framework providing automatic constructions of vulnerable cloud native infrastructures.930
-
Cloud native infrastructure security for your entire fleet
-
Moresec Shangfu Cloud Native Protection Platform is a security protection model based on the concept of cloud native. In view of the characteristics of cloud native application life-cycle, it involves in many stages of security protection, including R&D construction, security testing, image control, container deployment, container operation, etc. Shangfu also integrates security with development which means providing feedback of the application security condition through correlating operation asset, and promoting the iteration and upgrade of application. Whereupon, a closed loop of efficient cloud native application security risk is created, covering the whole stages of DevSecOps.
-
NeuVector Full Lifecycle Container Security Platform delivers the only cloud-native security with uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall.906
-
The solution enables DevSecOps teams to ensure the security, compliance, and operational readiness of their Kubernetes workloads and clusters. By automating the creation, deployment, and lifecycle management of policy-based Intelligent Guardrails, customers can gain insights, alerts, and reports, and enable effective collaboration across development and operations teams.
-
Notary is a project that allows anyone to have trust over arbitrary collections of data3.12K
-
An open source, general-purpose policy engine.8.7K
-
A docker-inspired CLI for building, tagging, pushing, pulling, and signing OPA policies to and from OCI-compliant registries.184
-
OpenFGA is a high performance and flexible authorization/permission system built for developers and inspired by Google Zanzibar1.7K
-
Orca Security provides instant-on, workload-level security for AWS, Microsoft Azure, and Google Cloud Platform.
-
Noise Cancellation for Application Security. Built for cloud-native applications using container and Kubernetes-based architectures.
-
Open source, Security-as-Code platform for developers and security teams to identify and eliminate risks in your clouds.
-
Paralus is a free, open source tool that enables controlled, audited access to Kubernetes infrastructure and Zero trust Kubernetes with zero friction.856
-
Passage makes it easy for developers to implement passwordless customer identity in any application.
-
A cli tool to help discover deprecated apiVersions in Kubernetes1.81K
-
Validation of best practices in your Kubernetes clusters3.01K
-
Kubernetes-native security solution, single pane of glass for containers and Kubernetes security.
-
A complete cloud native application protection platform that secures infrastructure and applications across cloud environments.
-
Qingteng Honeycomb · Container Security Platform can display risk scenarios visually for enterprises through continuous monitoring and analysis of the container security status, and protects the container environment during the entire life cycle (build, ship, and run) of the container.
-
Easily find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster794
-
A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.1.35K
-
Rudder is a configuration and security automation platform. Manage your Cloud, hybrid or on-premises infrastructure in a simple, scalable and dynamic way.472
-
Scribe Security is a Tel Aviv, Israel-based provider of a SaaS platform for securing software across various supply chains.
-
Common go library shared across sigstore services and clients409
-
Snyk is a cloud native application security provider that enables millions of developers to build software securely.
-
Sonobuoy is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of Kubernetes conformance tests and other plugins in an accessible and non-destructive manner.2.8K
-
Spyderbat provides Linux runtime security, protecting dynamic environments by proactively tracking all user activities by their causal connections to detect and resolve external attacks, misconfigurations, and insider threats.
-
StackHawk helps developers find and fix application security vulnerabilities before they hit production with CI/CD automation.
-
StackRox is a Kubernetes-native security platform for cloud-native applications, containers, serverless, and Kubernetes.
-
Sysdig Secure embeds security and compliance into the build, run and respond stages of the Kubernetes lifecycle.
-
Tensor Security is a cloud-native security company focused on providing AI-based and full-stack cloud-native security solutions.
-
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.4.32K
-
eBPF-based Security Observability and Runtime Enforcement2.95K
-
Python reference implementation of The Update Framework (TUF)1.56K
-
Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.4.51K
-
Active, zero-trust based security for containers and Kubernetes
-
Cloud-native authorization for modern applications and APIs, combining the best of Open Policy Agent and Google Zanzibar888
-
Trend Micro, a global technology leader, helps make the world safe for exchanging digital information with its innovative security platform.
-
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more19.6K
-
Trivy-Operator operate trivy security tool on the Kubernetes cluster and incorporate it outputs into Kubernetes CRDs (Custom Resource Definitions) and from there, making security reports accessible through the Kubernetes API805
-
Mend is a platform designed to automate open source security and compliance processes.
-
Zettaset is software-defined encryption that protects against data theft and can be deployed across all physical and virtual environments.
-
Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures816
-
🔥Authing - IDaaS/IAM solution that can Auth to web and mobile applications.987
-
CyberArk Conjur automatically secures secrets used by privileged users and machine identities690
-
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.7.88K
-
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.14.6K
-
Pinniped is the easy, secure way to log in to your Kubernetes clusters.482
-
Pomerium is an identity and context-aware access proxy.3.72K
-
A system for distributing and managing secrets2.62K
-
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services3.04K
-
The easiest, most secure way to access infrastructure.15.5K
-
Cloud native secrets management for developers - never leave your command line for secrets.1.91K
-
A tool for secrets management, encryption as a service, and privileged access management29K
Subscribe to Open Source Businees Newsletter
Twice a month we will interview people behind open source businesses. We will talk about how they are building a business on top of open source projects.
We'll never share your email with anyone else.