Initial commit

Renat Nurgaliyev
2023-03-13 17:03:36 +01:00
commit 98a2df3a77
10 changed files with 670 additions and 0 deletions
+25
@@ -0,0 +1,25 @@
FROM alpine:3.17
RUN apk add --no-cache py3-pip openssl \
python3-dev openssl-dev libffi-dev musl-dev gcc
RUN pip install pykmip
RUN mkdir -p /etc/pykmip \
mkdir -p /etc/pykmip/policy \
mkdir -p /var/lib/certs \
mkdir -p /var/lib/state
COPY assets/server.conf /etc/pykmip
COPY assets/policy.json /etc/pykmip/policy
COPY config.sh /etc/pykmip
COPY assets/init.sh /bin/init.sh
RUN chmod 755 /bin/init.sh
EXPOSE 5696
ENTRYPOINT /bin/init.sh
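Review bot: `RUN pip install pykmip` pulls whatever version PyPI serves at build time with no version pin and no hash check, which undercuts the README's own argument for building locally instead of trusting a prebuilt image; pin it (`pykmip==<version>`, or better a `requirements.txt` installed with `--require-hashes`) and consider pinning `alpine:3.17` to a digest as well. Two smaller points: the `RUN mkdir -p /etc/pykmip \` chain joins its lines with `\` but no `&&`, so it runs as a single `mkdir -p` whose argument list includes the literal words `mkdir` and `-p`; it only works by accident and leaves stray directories (`/mkdir`, possibly `/-p`) in the image root, so collapse it to one `mkdir -p /etc/pykmip/policy /var/lib/certs /var/lib/state`. And `ENTRYPOINT /bin/init.sh` is the shell form, so PID 1 is `/bin/sh -c` and the SIGTERM sent by `podman stop`/`docker stop` never reaches `pykmip-server`; use the exec form `ENTRYPOINT ["/bin/init.sh"]` and end the script with `exec pykmip-server`. The container also runs as root with the build toolchain (`gcc`, the `*-dev` packages) left in the final image; a `USER` line and a cleanup or multi-stage build would shrink the attack surface.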
+295
@@ -0,0 +1,295 @@
# KMIP Server for Synology DSM
This container implements a private KMIP server for Synology DSM to store
Encryption Key Vault. By default, DSM will offer you to store your vault on the
same disks where you have encrypted data, which is a big security risk, or to
store it on another Synology NAS somewhere online, which may not be convenient
for most of setups. This KMIP server is very easy to use and can be started on a
small Raspberry Pi like computer, where you will have your own way of protecting
KMIP server itself, for example store it on LUKS partition and do not automount
it on reboots.
Based on [PyKMIP](https://github.com/OpenKMIP/PyKMIP) project.
## Installation
You will need a Linux computer/board/VM with Git, and Podman or Docker. There
are no other requirements. This container does not pollute your system, and only
touches files in the directory where it was started from.
1. Clone this repository
```
$ git clone https://github.com/rnurgaliyev/kmip-server-dsm
$ cd kmip-server-dsm
```
2. Review configuration file with your favorite text editor (important!)
```
$ vim ./config.sh
```
3. Build the container. I do not provide any binary images since you don't want
to entrust your secrets to unknown binaries. Insted, study the content of this
repository to feel good about it, and build yourself a KMIP server:
```
$ ./build-container.sh
```
4. Run the container
```
$ ./run-container.sh
```
## Where is my data stored?
All keys and certificates will be stored in the `certs` directory, and KMIP
database itself in the `state` directory. Both of these directories are mounted
into KMIP server container. You may stop and remove running container, but your
certificates and data will not be lost. It is in your interest to keep this
repository with these directories in a safe place - for example in encrypted
file system or RAM disk. You can always wipe contents of these directories and
start from scratch, if you have recovery keys for your NAS volumes.
## Synology DSM configuration
Shortly after starting container for the first time, some SSL keys and
certificates will be generated in the `certs` directory. You will need to copy
these files to put them into your NAS:
* client.key
* client.crt
* ca.crt
Connect to your DSM web interface and go to Control Panel -> Security ->
Certificate. Click `Add`, then `Add a new certificate`, enter `KMIP` in the
`Description` field, then `Import certificate`. Choose `client.key` file for
`Private key`, `client.crt` for `Certificate`, and `ca.crt` for
`Intermediate certificate`. Then click `Settings`, and choose newly imported
certificate for `KMIP`.
Switch to the `KMIP` tab, and configure `Remote Key Client`. Hostname is the
address of this KMIP server, port is 5696, and choose `ca.crt` file another time
for `Certificate Authority`.
You should now have fully working remote Encryption Key Vault.
## Troubleshooting
On DSM side:
1. Connect to your NAS via SSH
2. Check logs of kmip service:
```
$ sudo journalctl -u kmip.service -ef
```
On KMIP server side:
1. Jump into the container (replace podman with docker if needed):
```
$ podman exec -ti dsm-kmip-server /bin/sh
```
2. Check pykmip logs:
```
$ cat /var/log/pykmip/server.log
```
## Tips on creating encrypted storage on Raspberry Pi
These are tips on how to create an encrypted file system on Raspberry Pi where
you can store your KMIP server. These steps can be adjusted for any other kind
of computer or VM.
1. Download Ubuntu Server image for Raspebby Pi from the
[Ubuntu website](https://ubuntu.com/download/raspberry-pi).
2. Write the image to an SD card. Before rebooting, plug the SD card into
existing Linux machine. We will play with partitioning table a little bit.
Assuming your SD card is `/dev/sdc`:
```
$ xz -d ubuntu-22.04.2-preinstalled-server-arm64+raspi.img.xz
$ sudo dd if=./ubuntu-22.04.2-preinstalled-server-arm64+raspi.img of=/dev/sdc status=progress
```
3. Assuming your SD card is `/dev/sdc`, start fdisk:
```
$ sudo fdisk /dev/sdc
Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help):
```
4. List partitions and note where the second partition starts, we will need this
address later:
```
Command (m for help): p
Disk /dev/sdc: 58,63 GiB, 62948114432 bytes, 122945536 sectors
Disk model: Micro blackhole based storage
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x12c9124a
Device Boot Start End Sectors Size Id Type
/dev/sdc1 * 2048 526335 524288 256M c W95 FAT32 (LBA)
/dev/sdc2 526336 8074399 7548064 3,6G 83 Linux
Command (m for help):
```
Note that `/dev/sdc2` starts at 526336.
5. Delete the second partition:
```
Command (m for help): d
Partition number (1,2, default 2): 2
Partition 2 has been deleted.
```
6. Create a new partition. Make sure to start new partion exactly on the same
sector where the old one was. Decide how much space do you want to leave for the
encrypted storage, and enter this in the `Last sector` with the minus sign, in
the example below I left 8 gigabytes and the end of the disk:
```
Command (m for help): n
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 2
First sector (526336-122945535, default 526336): 526336
Last sector, +/-sectors or +/-size{K,M,G,T,P} (526336-122945535, default 122945535): -8G
Created a new partition 2 of type 'Linux' and of size 50,4 GiB.
Partition #2 contains a ext4 signature.
Do you want to remove the signature? [Y]es/[N]o: No
Command (m for help):
```
Make sure to answer NO when you are asked if you want to wipe existing file
system signature.
7. Now create the last partition, that you will use for your encrypted storage.
Just hit `ENTER` on all questions:
```
Command (m for help): n
Partition type
p primary (2 primary, 0 extended, 2 free)
e extended (container for logical partitions)
Select (default p):
Using default response p.
Partition number (3,4, default 3):
First sector (106168320-122945535, default 106168320):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (106168320-122945535, default 122945535):
Created a new partition 3 of type 'Linux' and of size 8 GiB.
Command (m for help):
```
8. Now you have an SD card with boot, root, and encrypted partition. Check if
everything looks fine and write changes to disk:
```
Command (m for help): p
Disk /dev/sdc: 58,63 GiB, 62948114432 bytes, 122945536 sectors
Disk model: Micro blackhole based storage
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x12c9124a
Device Boot Start End Sectors Size Id Type
/dev/sdc1 * 2048 526335 524288 256M c W95 FAT32 (LBA)
/dev/sdc2 526336 106168319 105641984 50,4G 83 Linux
/dev/sdc3 106168320 122945535 16777216 8G 83 Linux
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
```
9. Last step before booting your Raspberry Pi with this SD card is to expand
root partition:
```
$ sudo resize2fs /dev/sdc2
resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/sdc2 to 13205248 (4k) blocks.
The filesystem on /dev/sdc2 is now 13205248 (4k) blocks long.
```
10. Boot your Raspberry Pi and make basic initial setup. Check if you can see
the third partition that you created above, and confirm that it is not mounted
anywhere:
```
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 59.1M 1 loop /snap/core20/1826
loop1 7:1 0 109.6M 1 loop /snap/lxd/24326
loop2 7:2 0 43.2M 1 loop /snap/snapd/18363
loop3 7:3 0 59.1M 1 loop /snap/core20/1832
sda 8:0 0 111.8G 0 disk
├─sda1 8:1 0 256M 0 part /boot/firmware
├─sda2 8:2 0 104.1G 0 part /
└─sda3 8:3 0 7.5G 0 part
```
11. You can now create an encrypted file system:
```
$ sudo cryptsetup luksFormat /dev/sda3
WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda3:
Verify passphrase:
Ignoring bogus optimal-io size for data device (33553920 bytes).
```
12. You can now open /dev/sda3, create filesystem on it and mount it:
```
$ sudo cryptsetup open /dev/sda3 myvault
Enter passphrase for /dev/sda3:
$ sudo mkfs.ext4 /dev/mapper/myvault
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 1949046 4k blocks and 487680 inodes
Filesystem UUID: 9e9183a9-5d51-4782-9990-d99eb48dfc87
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
$ sudo mount /dev/mapper/myvault /mnt
```
13. You now have encrypted storage in `/mnt`. Check it with `df -h`:
```
$ df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 781M 3.1M 778M 1% /run
/dev/sda2 103G 18G 81G 18% /
tmpfs 3.9G 200K 3.9G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/sda1 253M 148M 105M 59% /boot/firmware
tmpfs 781M 80K 781M 1% /run/user/1001
/dev/mapper/myvault 7.3G 24K 6.9G 1% /mnt
```
Now you can clone this repository into a protected storage on your Raspberry Pi.
This filesystem will not be autounsealed after reboot, and you will have to
unseal it using password and mount it. After this, you just start the KMIP
server container again with `run-container.sh`.
## Disclaimer
Everything in this repository provided to you "AS IS". I am not affiliated with
Synology or PyKMIP project. I do not take any responsibility for any lost data
or security issues.
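Review bot: the "Where is my data stored?" section should say that `certs/` also holds `ca.key`, and that with `enable_tls_client_auth=True` and `ca_path` pointing at `ca.crt` anyone who obtains that key can mint a client certificate the server accepts and fetch the vault key, so the directory needs the same protection as `state/` and as the client key on the NAS. In "Synology DSM configuration", the hostname entered under `Remote Key Client` has to be the value encoded in `SSL_SERVER_NAME` in config.sh, because that is the only name the server certificate carries; say so explicitly. The Raspberry Pi walkthrough mixes two devices: steps 3 to 9 show a 58.63 GiB `/dev/sdc` with a 50.4G root partition, while steps 10 to 13 show a 111.8G `/dev/sda` with a 104.1G root, which will confuse readers following along. Typos: "Insted", "Raspebby Pi", "partion", "autounsealed" (a LUKS volume is unlocked, not unsealed), and "and the end of the disk" in step 6 should read "at the end of the disk".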
+60
@@ -0,0 +1,60 @@
#!/bin/sh
set -e
source /etc/pykmip/config.sh
mkdir -p /var/lib/certs
if [ ! -f /var/lib/certs/ca.key ]; then
echo "=== Generating private CA RSA key"
openssl genrsa -out /var/lib/certs/ca.key $CA_KEY_SIZE
fi
if [ ! -f /var/lib/certs/ca.crt ]; then
echo "=== Generating private CA certificate"
openssl req -nodes -x509 -days $CA_LIFETIME \
-key /var/lib/certs/ca.key \
-out /var/lib/certs/ca.crt \
-subj "/C=$SSL_COUNTRY_NAME/ST=$SSL_STATE_OR_PROVINCE/L=$SSL_LOCALITY/O=$SSL_ORGANIZATION/OU=$SSL_ORGANIZATIONAL_UNIT/CN=$SSL_COMMON_NAME_CA"
fi
if [ ! -f /var/lib/certs/server.key ]; then
echo "=== Generating server RSA key"
openssl genrsa -out /var/lib/certs/server.key $SERVER_KEY_SIZE
fi
if [ ! -f /var/lib/certs/server.crt ]; then
echo "=== Generating server certificate"
openssl req -key /var/lib/certs/server.key -new \
-out /var/lib/certs/server.csr \
-subj "/C=$SSL_COUNTRY_NAME/ST=$SSL_STATE_OR_PROVINCE/L=$SSL_LOCALITY/O=$SSL_ORGANIZATION/OU=$SSL_ORGANIZATIONAL_UNIT/CN=$SSL_COMMON_NAME_SERVER" \
-addext "subjectAltName = $SSL_SERVER_NAME" \
-addext "extendedKeyUsage = serverAuth, clientAuth"
openssl x509 -req -CA /var/lib/certs/ca.crt \
-CAkey /var/lib/certs/ca.key \
-in /var/lib/certs/server.csr \
-out /var/lib/certs/server.crt \
-days $SERVER_CERT_LIFETIME -CAcreateserial -copy_extensions copy
fi
if [ ! -f /var/lib/certs/client.key ]; then
echo "=== Generating client RSA key"
openssl genrsa -out /var/lib/certs/client.key $CLIENT_KEY_SIZE
fi
if [ ! -f /var/lib/certs/client.crt ]; then
echo "=== Generating client certificate"
openssl req -key /var/lib/certs/client.key -new \
-out /var/lib/certs/client.csr \
-subj "/C=$SSL_COUNTRY_NAME/ST=$SSL_STATE_OR_PROVINCE/L=$SSL_LOCALITY/O=$SSL_ORGANIZATION/OU=$SSL_ORGANIZATIONAL_UNIT/CN=$SSL_COMMON_NAME_CLIENT" \
-addext "subjectAltName = $SSL_CLIENT_NAME" \
-addext "extendedKeyUsage = serverAuth, clientAuth"
openssl x509 -req -CA /var/lib/certs/ca.crt \
-CAkey /var/lib/certs/ca.key \
-in /var/lib/certs/client.csr \
-out /var/lib/certs/client.crt \
-days $CLIENT_CERT_LIFETIME -CAcreateserial -copy_extensions copy
fi
pykmip-server
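Review bot: the script never sets a `umask`, so `openssl genrsa -out ...` writes `ca.key`, `server.key` and `client.key` with the default 0644 mode into `/var/lib/certs`, which is bind-mounted from the host's `certs/` directory; add `umask 077` before the first `openssl` call and `chmod 600` the keys that already exist for people upgrading. Second, both the server and the client certificate get `extendedKeyUsage = serverAuth, clientAuth`; the client certificate, which lives on the NAS, only needs `clientAuth`, and the server certificate only `serverAuth`, so scope each down rather than letting the client key double as a valid server identity. Minor: `source` is not POSIX (use `.` under `#!/bin/sh`), the `.csr` files are left behind next to the keys, and `openssl x509 -copy_extensions` requires OpenSSL 3.0 or later, which deserves a comment since the script silently depends on the Alpine 3.17 package.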
+168
@@ -0,0 +1,168 @@
{
"synology": {
"preset": {
"CERTIFICATE": {
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"SYMMETRIC_KEY": {
"REKEY": "ALLOW_OWNER",
"REKEY_KEY_PAIR": "ALLOW_OWNER",
"DERIVE_KEY": "ALLOW_OWNER",
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"GET_USAGE_ALLOCATION": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"PUBLIC_KEY": {
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"PRIVATE_KEY": {
"REKEY": "ALLOW_OWNER",
"REKEY_KEY_PAIR": "ALLOW_OWNER",
"DERIVE_KEY": "ALLOW_OWNER",
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"GET_USAGE_ALLOCATION": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"SPLIT_KEY": {
"REKEY": "ALLOW_OWNER",
"REKEY_KEY_PAIR": "ALLOW_OWNER",
"DERIVE_KEY": "ALLOW_OWNER",
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"GET_USAGE_ALLOCATION": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"TEMPLATE": {
"LOCATE": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER"
},
"SECRET_DATA": {
"REKEY": "ALLOW_OWNER",
"REKEY_KEY_PAIR": "ALLOW_OWNER",
"DERIVE_KEY": "ALLOW_OWNER",
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"GET_USAGE_ALLOCATION": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"OPAQUE_DATA": {
"REKEY": "ALLOW_OWNER",
"REKEY_KEY_PAIR": "ALLOW_OWNER",
"DERIVE_KEY": "ALLOW_OWNER",
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"GET_USAGE_ALLOCATION": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
},
"PGP_KEY": {
"REKEY": "ALLOW_OWNER",
"REKEY_KEY_PAIR": "ALLOW_OWNER",
"DERIVE_KEY": "ALLOW_OWNER",
"LOCATE": "ALLOW_OWNER",
"CHECK": "ALLOW_OWNER",
"GET": "ALLOW_OWNER",
"GET_ATTRIBUTES": "ALLOW_OWNER",
"GET_ATTRIBUTE_LIST": "ALLOW_OWNER",
"ADD_ATTRIBUTE": "ALLOW_OWNER",
"MODIFY_ATTRIBUTE": "ALLOW_OWNER",
"DELETE_ATTRIBUTE": "ALLOW_OWNER",
"OBTAIN_LEASE": "ALLOW_OWNER",
"GET_USAGE_ALLOCATION": "ALLOW_OWNER",
"ACTIVATE": "ALLOW_OWNER",
"REVOKE": "ALLOW_OWNER",
"DESTROY": "ALLOW_OWNER",
"ARCHIVE": "ALLOW_OWNER",
"RECOVER": "ALLOW_OWNER"
}
}
}
}
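Review bot: neither the README nor `server.conf` explains how the `synology` policy is selected; PyKMIP applies a named policy only to objects whose Operation Policy Name attribute carries that name and otherwise uses its built-in `default` policy, so unless DSM sets that attribute when it stores the vault this whole file is inert and should either be documented as such or dropped. Since every operation is `ALLOW_OWNER` and there is exactly one client certificate, the effective rule is "whoever presents `client.key`", which is fine for the purpose but worth one sentence in the README; there is also no `groups` section, so owner identity is the only distinction the server can make.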
+14
@@ -0,0 +1,14 @@
[server]
hostname=0.0.0.0
port=5696
certificate_path=/var/lib/certs/server.crt
key_path=/var/lib/certs/server.key
ca_path=/var/lib/certs/ca.crt
auth_suite=TLS1.2
policy_path=/etc/pykmip/policy
enable_tls_client_auth=True
tls_cipher_suites=
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=INFO
database_path=/var/lib/state/pykmip.db
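Review bot: the two `tls_cipher_suites` entries do not match the keys init.sh generates: every key is RSA (`openssl genrsa`), so `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` can never be negotiated and the only usable suite is `TLS_RSA_WITH_AES_256_CBC_SHA256`, a static-RSA key exchange with no forward secrecy, meaning a later compromise of `server.key` decrypts any recorded session that carried the vault key. Replace it with an ECDHE_RSA suite that both PyKMIP's TLS1.2 suite and DSM offer (an AES-GCM one if available), or switch init.sh to ECDSA keys to match the suite already listed, and add a comment explaining the choice.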
+16
@@ -0,0 +1,16 @@
#!/bin/sh
set -e
if podman -v >/dev/null 2>&1; then
CM=podman
elif docker -v >/dev/null 2>&1; then
CM=docker
else
echo "Container manager not installed. Please install podman or docker."
exit 1
fi
WORKDIR=$(cd -- "$(dirname -- "$0")" && pwd)
$CM build -t dsm-kmip-server:latest $WORKDIR
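Review bot: `$CM build -t dsm-kmip-server:latest $WORKDIR` uses the whole repository as the build context and there is no `.dockerignore`, so once the server has run, `certs/` (including `ca.key` and `client.key`) and `state/` (`pykmip.db`) are shipped to the builder on every rebuild, which config.sh explicitly tells users to do after any configuration change; the Dockerfile only `COPY`s named files, so nothing lands in the image, but the secrets still cross into the build context. Add a `.dockerignore` listing `certs/`, `state/` and `.git/`, or build from a dedicated context directory. Also quote `"$WORKDIR"` in case the checkout path contains spaces.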
+2
@@ -0,0 +1,2 @@
*
!.gitignore
+61
@@ -0,0 +1,61 @@
# After any change in this configuration file you will need to rebuild the
# container and remove existing certificate(s) and key(s). This will most
# likely break Encryption Key Vault in DSM, and you will have to reinitialize
# it. Be sure to keep your volume recovery keys is safe place, since you will
# need them if you want to reinitialize KMIP server.
################################################################################
# Following configuration options must be reviewed and set correctly before
# starting KMIP server for the first time and storing your Encryption Key Vault
# in it. It will be much harder to change any of these values when you are
# already running KMIP.
################################################################################
# RSA key size and lifetime configuration
CA_KEY_SIZE=2048 # (bits, 2048 or 4096 is recommended)
CA_LIFETIME=3560 # (days)
CLIENT_KEY_SIZE=2048 # (bits, 2048 or 4096 is recommended)
CLIENT_CERT_LIFETIME=1095 # (days)
SERVER_KEY_SIZE=2048 # (bits, 2048 or 4096 is recommended)
SERVER_CERT_LIFETIME=1095 # (days)
# Server and client address configuration. This will be encoded in certificates,
# so it will not be possible to change it without recreating certificates and
# losing KMIP data.
#
# If you have local DNS in your environment, syntax is following:
# SERVER_NAME=DNS:<fully qualified hostname of this KMIP server>
# CLIENT_NAME=DNS:<fully qualified hostname of Synology NAS>
#
# Otherwise, you can configure static IP addresses:
# SERVER_NAME=IP:<IP address of this KMIP server>
# CLIENT_NAME=IP:<IP address of Synology NAS>
#
SSL_SERVER_NAME="IP:192.168.255.5"
SSL_CLIENT_NAME="IP:192.168.255.10"
################################################################################
# Following configuration options do not really matter but it is nice to set
# them
################################################################################
# Common names for CA, server and client certificates
SSL_COMMON_NAME_CA="Private KMIP CA"
SSL_COMMON_NAME_SERVER="Private KMIP Server"
SSL_COMMON_NAME_CLIENT="Private KMIP Client"
# Country name for CA, server and client certificates. Set to two letter
# country code, for example US or DE
SSL_COUNTRY_NAME="DE"
# State or province name for CA, server and client certificates
SSL_STATE_OR_PROVINCE="Berlin"
# Locality (city/town) name for CA, server and client certificates
SSL_LOCALITY="Berlin"
# Organization name for CA, server and client certificates
SSL_ORGANIZATION="Private SAN"
# Organizational unit name for CA, server and client certificates
SSL_ORGANIZATIONAL_UNIT="PKI"
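Review bot: the comment "Following configuration options do not really matter" is wrong for `SSL_COMMON_NAME_CLIENT`: PyKMIP takes the owner identity used by the policy's `ALLOW_OWNER` checks from the client certificate's common name, so changing it after the NAS has stored its vault key leaves the NAS no longer owning its own objects; move that variable into the "must be reviewed" block above with the same warning. `CA_LIFETIME=3560` looks like a transposition of 3650 (ten years); if it is intentional, say why. The comment block above `SSL_SERVER_NAME` refers to `SERVER_NAME=` and `CLIENT_NAME=`, which are not the variable names used below it. Typo: "is safe place" should be "in a safe place".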
+27
@@ -0,0 +1,27 @@
#!/bin/sh
set -e
if podman -v >/dev/null 2>&1; then
CM=podman
elif docker -v >/dev/null 2>&1; then
CM=docker
else
echo "Container manager not installed. Please install podman or docker."
exit 1
fi
WORKDIR=$(cd -- "$(dirname -- "$0")" && pwd)
if $CM ps -a | grep dsm-kmip-server >/dev/null 2>&1; then
echo "=== Cleaning up old container"
$CM stop dsm-kmip-server >/dev/null
$CM rm dsm-kmip-server >/dev/null
fi
echo "=== Starting new container"
$CM run -d --name dsm-kmip-server -p 5696:5696 \
--restart=unless-stopped \
--mount type=bind,source=$WORKDIR/state,target=/var/lib/state \
--mount type=bind,source=$WORKDIR/certs,target=/var/lib/certs \
dsm-kmip-server:latest
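Review bot: `--restart=unless-stopped` works against the README's design of keeping `certs/` and `state/` on a LUKS volume that is not mounted at boot: after a reboot the container manager tries to bring the container up before the vault is unlocked, when the bind-mount sources are not yet present, and a user who unlocks the vault later still has to run this script by hand as the README says, so the restart policy only adds a failing start; drop it (no restart is the default) or tie the container to the mount with a systemd unit. `-p 5696:5696` publishes the server on every host interface; mTLS rejects strangers, but binding to the address already in `SSL_SERVER_NAME` (`-p 192.168.255.5:5696:5696`) removes the exposure entirely. Quote `"$WORKDIR"` in both `--mount` arguments, and `grep dsm-kmip-server` also matches any other container whose name contains that string, so match exactly, for example `$CM ps -a --format '{{.Names}}' | grep -x dsm-kmip-server`.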
+2
@@ -0,0 +1,2 @@
*
!.gitignore