https://github.com/Dentrax/cocert

Dentrax/cocert: Split and distribute your private keys securely amongst untrusted network
Latest commit: Initial commit (c1c2126), May 11, 2021. Release v0.1.0, May 11, 2021.

# cocert

An experimental tool for splitting and distributing your private keys safely\*

[Asciinema demo GIF]

cocert generates an ECDSA P-521 key and uses a technique known as Shamir's Secret Sharing to split the master key into x shares, any y of which are required to reconstruct the master private key. Private keys are stored in PEM-encoded PKCS8 format and are encrypted with The Update Framework (TUF). Each private key is split using Shamir split. To combine the private key files into a single one, you must enter the decryption password if the key was encrypted by TUF.

\*cocert does not support any Distributed Key Generation (DKG) algorithm yet.

This repository is signed via cosign, using cocert itself.

## High Level Architecture

[architecture screenshot]

## Use-Case Example

* What happens if your private key is exposed, either by a public third-party cloud service provider or by an internal security breach? Your private key would be compromised and supply chain attacks would be inevitable.
* What if, instead of trusting just one key, we distributed our key across multiple secure environments? We would avoid supply chain attacks: even if one of our private keys is compromised, we still need two more keys to combine and obtain the final private key.

[use-case screenshot]

## Installation

* Go

```
$ go install github.com/Dentrax/cocert@latest
```

* Docker

```
$ docker pull ghcr.io/dentrax/cocert
```

## Verify

### Prerequisites

1. cosign
2. crane

### Check

```
# 1. Download the public key
$ curl https://raw.githubusercontent.com/Dentrax/cocert/main/.github/workflows/certs/cocert.pub -o cocert.pub

# 2. Verify
$ cosign verify -key cocert.pub ghcr.io/dentrax/cocert | jq

# 3. Make sure the verified commit matches the digest of the latest image
$ crane digest ghcr.io/dentrax/cocert
```

## Usage

```
Usage:
  cocert [command]

Available Commands:
  combine     Combine the cert integrity on the supplied PEM files
  decrypt     Decrypt the target private keys using TUF
  encrypt     Encrypt the target private keys using TUF
  generate    Generates TUF encrypted keys using ECDSA and splits into PKCS8-PKIX key-pairs
  help        Help about any command
  sign        Sign the given payload and create a certificate from Fulcio
  split       Split your existing private key into parts
  verify      Verify the given payload on the supplied signature

Flags:
  -h, --help   help for cocert
```

## Use-Case Demonstration

1. Generate

```
$ cocert generate --parts 3 --threshold 2
Generating TUF encrypted Shamir PEMs...
Create new password for private key: (master)
Confirm password: (master)
Extracting PEMs to files...
Do you want to encrypt each key using TUF? (y/n) [n]: y
Create new password for cocert0.key key: (foo)
Create new password for cocert1.key key: (bar)
Create new password for cocert2.key key: (baz)
```

2.1. Sign with Private Key

```
$ cocert sign -f cocert0.key -f cocert1.key -p "Foo Bar Baz"
(Press Enter to continue without decrypt...)
Enter your password for cocert0.key: (foo)
Enter your password for cocert1.key: (bar)
Enter your master key: (master)
Signed: MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==
```

2.2. Sign with Fulcio (Keyless)

```
$ cocert sign -f cocert0.key -f cocert1.key -p "Foo Bar Baz" -o my.cert
(Press Enter to continue without decrypt...)
Enter your password for cocert0.key: (foo)
Enter your password for cocert1.key: (bar)
Enter your master key: (master)
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=CODE&code_challenge_method=S256&nonce=NONCE&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=STATE
Signed: MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==
```

3.1. Verify with Public Key

```
$ cocert verify -f cocert.pub -p "Foo Bar Baz" -k "MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA=="
```

3.2. Verify with Certificate

```
$ cocert verify -c my.cert -p "Foo Bar Baz" -k "MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA=="
```

Bonus: Splitting

```
# 1. Generate your own private key
$ cosign generate-key-pair
Enter password for private key: (qux)
Private key written to cosign.key
Public key written to cosign.pub

# 2. Split the key
$ cocert split -f private.key --parts 3 --threshold 2
Create new password for cocert0.key key: (foo)
Create new password for cocert1.key key: (bar)
Create new password for cocert2.key key: (baz)

# 3. Test with combine
$ cocert combine -f cocert0.key -f cocert1.key -o cosign.key
Enter your password for cocert0.key: (foo)
Enter your password for cocert1.key: (bar)
Decrypting TUF encrypted PEMs...
Enter your master key: (qux)
Combined
```

## Encrypt & Decrypt Keys

* Encrypt

```
$ cocert encrypt -f cocert0.key -o "cocert0.key.encrypted"
Enter your password for : (foo2)
Confirm password: (foo2)
```

* Decrypt

```
$ cocert decrypt -f cocert0.key.encrypted -o "cocert0.key.decrypted"
# [[ $(md5 -q cocert0.key) == $(md5 -q cocert0.key.decrypted) ]]
Enter your password for : (foo2)

$ cocert decrypt -f cocert0.key.decrypted -o "cocert0.key.unencrypted"
# You can pass an empty password for the 'cocert0.key.unencrypted' key
Enter your password for : (foo)
```

* Combine

```
$ cocert combine -f cocert0.key.unencrypted -f cocert1.key
Loading PEMs from files...
(Press Enter to continue without decrypt...)
Enter your password for cocert0.key.unencrypted: (PASS)
Enter your password for cocert1.key: (bar)
Decrypting TUF encrypted PEMs...
Enter your master key: (master)
Combined
```

## Special Thanks

| Package  | Author               | License                    |
|----------|----------------------|----------------------------|
| cosign   | sigstore             | Apache License 2.0         |
| go-tuf   | The Update Framework | BSD                        |
| Vault    | HashiCorp            | Mozilla Public License 2.0 |
| prompter | Songmu               | MIT                        |

* Thanks to everyone who contributed these libraries and others that made this project possible.

## License

cocert was created by Furkan 'Dentrax' Turkal.

The base project code is licensed under MIT unless otherwise specified. Please see the LICENSE file for more information.

Best Regards
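The x-of-y threshold scheme the README describes (split the master key into x shares, any y of which reconstruct it), as an added Go example that is not cocert's own code: a Shamir split and Lagrange combine over Z_N, where N is the prime order of the P-521 base point, so that a P-521 private scalar is a valid secret. Working in the prime field Z_N rather than a byte-wise GF(256) scheme is this example's assumption, and Combine deliberately returns a wrong value rather than an error when fewer than threshold shares are supplied, which is why a reconstructed key must always be verified before use.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

type Share struct{ X, Y *big.Int } // one point (x, f(x)) on the secret-carrying polynomial
var N = elliptic.P521().Params().N // prime order of the P-521 base point: a P-521 private scalar d lives in Z_N
// Split hides secret as f(0) of a random degree threshold-1 polynomial over Z_N and returns f(1)..f(parts).
func Split(secret *big.Int, parts, threshold int) ([]Share, error) {
	if threshold < 2 || parts < threshold {
		return nil, fmt.Errorf("need 2 <= threshold <= parts, got threshold=%d parts=%d", threshold, parts)
	}
	coeffs := []*big.Int{new(big.Int).Mod(secret, N)} // a0 = secret
	for i := 1; i < threshold; i++ {
		c, err := rand.Int(rand.Reader, N) // a1..a_{threshold-1} uniform in Z_N
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, parts)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int) // x=0 is never handed out: f(0) is the secret itself
		for j := len(coeffs) - 1; j >= 0; j-- {      // Horner: y = y*x + a_j (mod N)
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, N)
		}
		shares[i] = Share{x, y}
	}
	return shares, nil
}
// Combine interpolates f(0); fewer than threshold shares still yield a value, just a wrong one, so verify the result.
func Combine(shares []Share) *big.Int {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1) // Lagrange basis l_i(0) = num/den
		for j, sj := range shares {
			if i != j {
				num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, N)
				den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, N)
			}
		}
		li := new(big.Int).Mul(num, new(big.Int).ModInverse(den, N))
		secret.Add(secret, new(big.Int).Mul(si.Y, li)).Mod(secret, N)
	}
	return secret
}
```

With the `--parts 3 --threshold 2` values from the demonstration above, `Split(d, 3, 2)` yields three shares and `Combine` on any two of them returns `d`, while a single share yields an unrelated field element.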