Kamus
An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides.
Getting Started
The simple way to run Kamus is by using the Helm chart:
helm repo add soluto https://charts.soluto.io
helm upgrade --install kamus soluto/kamus
Refer to the installation guide for more details. After installing Kamus, you can start using it to encrypt secrets. Kamus encrypt secrets for a specific application, represent by a Kubernetes Service Account. Create a service account for your application, and mount it on the pods running your application. Now, when you know the name of the service account, and the namespace it exists in, install Kamus CLI:
npm install -g @soluto-asurion/kamus-cli
Use Kamus CLI to encrypt the secret:
kamus-cli encrypt --secret super-secret --service-account kamus-example-sa --namespace default --kamus-url <Kamus URL>
If you're running Kamus locally the Kamus URL will be like http://localhost:<port>
. So you need to add --allow-insecure-url
flag to enable http protocol.
Pass the value returned by the CLI to your pod, and use Kamus Decrypt API to decrypt the value. The simplest way to achieve that is by using the init container. An alternative is to use Kamus decrypt API directly in the application code. To make it clearer, take a look on a working example app. You can deploy this app to any Kubernetes cluster that has Kamus installed, to understand how it works.
Have a question? Something is not clear? Reach out to us on Kamus Slack!
Architecture
Kamus has 3 components:
- Encrypt API
- Decrypt API
- Key Management System (KMS)
The encrypt and decrypt APIs handle encryption and decryption requests. The KMS is a wrapper for various cryptographic solutions. Currently supported:
- AES - uses one key for all secrets
- AWS KMS, Azure KeyVault, Google Cloud KMS - creates one key per service account.
We look forward to add support for other cloud encryption backends.
Consult the installation guide for more details on how to deploy Kamus using the relevant KMS.
Utilities
Kamus is shipped with 2 utilities that make it easier to use:
- Kamus CLI - a small CLI that eases the interaction with the Encrypt API. Refer to the docs for more details.
- Kamus init container - a init container that interacts with the Decrypt API. Refer to the docs for more details.
- CRD Controller - allowing to create native Kubernetes secrets using Kamus. Refer to the docs for more details.
Users
Using Kamus? Open a PR and add your company name here!
Security
We take security seriously at Soluto. To learn more about the security aspects of Kamus refer to the Threat Modeling docs containing all the various threats and mitigations we discussed. Before installing Kamus in production refer to the installation guide to learn the best practices of deploying Kamus securely. In case you find a security issue or have something you would like to discuss refer to our security.md policy.
Contributing
Found a bug? Have a missing feature? Please open an issue and let us know. We would like to help you use Kamus! Please notice: Do not report security issues on GitHub. We will immediately delete such issues.