Provide a way to encrypt secret data for a cluster.
This adds the basics for encryption of secret data on a per-cluster basis. There are convenience calls to bulk encrypt a message for multiple clusters given their public keys. The implementation leverages libsodium sealed boxes where the nonce is a computed blake2b hash value of the sender and recipient's public keys.
On startup of Acorn, the cluster will generate a public/private key pair and store it in a K8s secret in the acorn-system namespace. The key pair is available as a base64-encoded string in the acorn info command.
Users can encrypt a message for the target cluster by running:
acorn secret encrypt MSG
or
acorn secret encrypt --public-key <cluster A pubkey> --public-key <cluster B pubkey> MSG
The output can be placed in an Acornfile, passed as an argument to an Acorn image, or provided by an existing secret at runtime.
The format of an encrypted secret is:
ACORNENC:base64encode({"publicKey":"base64encode(ciphertext)", "publicKey":"base64encode(ciphertext)"})
This allows for the same message to be encrypted and passed to multiple clusters. Each cluster will look up the ciphertext in the map by its own public keys. An error will be returned if there isn't a key that can decrypt the value.
This is getting implemented in #678
Associated docs PR: https://github.com/acorn-io/acorn/pull/720
Validation: PASS
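The envelope format and per-cluster lookup described above, as an added Go example (not Acorn's own code). It covers only the ACORNENC framing and the "no matching key" error, not the sealed-box decryption itself. The names Wrap, Lookup and ErrNoKey are hypothetical, and standard padded base64 is an assumption, since the description does not name the variant.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const prefix = "ACORNENC:"
// Assumption: standard padded base64; the page does not name the variant.
var b64 = base64.StdEncoding
var ErrNoKey = errors.New("no ciphertext for this cluster's public key")

// Wrap builds an envelope from base64 public key -> raw sealed-box ciphertext.
func Wrap(cts map[string][]byte) string {
	m := make(map[string]string, len(cts))
	for pub, ct := range cts {
		m[pub] = b64.EncodeToString(ct)
	}
	raw, _ := json.Marshal(m) // a map[string]string always marshals
	return prefix + b64.EncodeToString(raw)
}

// Lookup returns the ciphertext addressed to ownPub, or ErrNoKey if absent.
func Lookup(envelope, ownPub string) ([]byte, error) {
	if !strings.HasPrefix(envelope, prefix) {
		return nil, errors.New("missing ACORNENC: prefix")
	}
	raw, err := b64.DecodeString(envelope[len(prefix):])
	if err != nil {
		return nil, fmt.Errorf("outer base64: %w", err)
	}
	var m map[string]string
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("envelope JSON: %w", err)
	}
	if ct, ok := m[ownPub]; ok {
		return b64.DecodeString(ct)
	}
	return nil, ErrNoKey
}

func main() {
	// Constructed sample: placeholder keys and opaque bytes, not real ciphertext.
	env := Wrap(map[string][]byte{"cHViQQ==": []byte("ct-A"), "cHViQg==": []byte("ct-B")})
	ct, err := Lookup(env, "cHViQg==")
	fmt.Println(string(ct), err)
}
```

The bytes returned by Lookup are what a cluster would pass to its sealed-box open call together with its own key pair.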