Overview
About
Keyper by Jarrid is a suite of crypto key management APIs that simplify key creation, management, deployment, and encryption/decryption in a standardized and secure way. Operations are file-based and can be easily automated, tracked, audited, and managed via file-based processes such as GitOps. Keyper is fully integrated with cloud KMS services such as AWS KMS or GCP KMS, so you can leverage managed crypto key generation and reduce infrastructure maintenance burden.
The library has three main modules:
- Resource: Create key and service account configs as JSON files. Configuration helps you manage key implementations in a simple, trackable, and readable way.
- Deploy: Take the existing key configs (in JSON files), then plan and deploy them via Terraform. Take advantage of Terraform's existing functionality such as state management, dependency resolution, and drift tracking without losing the flexibility to modularize deployments as granularly as needed.
- Data: Run various encrypt and decrypt data flows with pre-defined keys. Adjust the level of security depending on use cases without additional implementation.
Demo
In only three steps, you can create a key, deploy the key on cloud KMS, and encrypt/decrypt data. Everything is wrapped and managed in Keyper.
Create Resources and Deploy
Encrypt/Decrypt
Getting Started
Tutorial
You can find the full Keyper tutorial here: https://github.com/jarrid-xyz/keyper-tutorial
Keyper Github Action
We've created the Keyper Github Action to automate Keyper deployment using a GitOps flow. This makes Keyper resource management fully configuration-driven. Both technical and non-technical teams can either edit the configuration files directly or use the Keyper CLI to manage resources, and the Keyper Github Action will handle the rest of the CI/CD process.
➡️ Go to Keyper Github Action Tutorial.
The easiest way to set it up is to copy our example workflow into your own repository and modify the configurations accordingly:
name: Keyper Action (Deploy Plan/Apply)
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  keyper-action:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Keyper Action (Deploy Plan)
        id: keyper-plan
        uses: jarrid-xyz/keyper@v0.0.4
        with:
          args: deploy plan
      - name: Run Keyper Action (Deploy Apply)
        id: keyper-apply
        uses: jarrid-xyz/keyper@v0.0.4
        with:
          args: deploy apply
        if: github.ref == 'refs/heads/main' # Only run if merge to main
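Because this workflow provisions KMS resources, two properties are worth checking in CI: that `deploy apply` only runs behind the `refs/heads/main` gate, and whether action refs are mutable tags rather than commit SHAs. The linter below is an added example, not part of Keyper; `lint_keyper_workflow` is a hypothetical name and it assumes the gate is written as a step-level `if:` as in the workflow above.

```shell
# Added example (not Keyper code): lint a workflow that calls the Keyper action.
# Reports (1) "deploy apply" steps with no step-level if: gate on refs/heads/main
# and (2) action refs pinned to a tag or branch instead of a 40-hex commit SHA.
# Prints one finding per line and returns 1 if anything was found.
lint_keyper_workflow() {
    awk '
    function report(   ref) {
        if (uses == "" || uses ~ /^\.\//) return      # no action, or a local action
        ref = uses; sub(/^.*@/, "", ref)
        if (args ~ /deploy apply/ && gate !~ /refs\/heads\/main/) {
            print "UNGATED_APPLY " uses; bad = 1
        }
        if (length(ref) != 40 || ref !~ /^[0-9a-f]+$/) {
            print "MUTABLE_REF " uses; bad = 1
        }
    }
    { sub(/[ \t]+#.*$/, "") }                          # drop trailing comments
    /^[ \t]*- / { report(); uses = args = gate = "" }  # a new step starts
    /^[ \t]*(- )?uses:/ { uses = $NF }
    /^[ \t]*args:/      { sub(/^[ \t]*args:[ \t]*/, ""); args = $0 }
    /^[ \t]*(- )?if:/   { sub(/^[ \t]*(- )?if:[ \t]*/, ""); gate = $0 }
    END { report(); exit bad }
    ' "$1"
}
# Usage: lint_keyper_workflow .github/workflows/keyper.yaml   (path is an assumption)
```

Run against the example workflow above, it reports the tag-pinned refs and no ungated apply step.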
Keyper Docker CLI
Pull Docker Image
Pull Keyper's pre-packaged docker images: ghcr.io/jarrid-xyz/keyper:v0.0.4
Create App Configuration and Credentials
- Follow Keyper Configuration to create app.<env>.yaml to configure the Terraform provider and backend accordingly.
- Follow Create GCP KMS Admin Service Account to create .cdktf-sa-key.json. This service account credential is needed to create actual resources via Terraform.
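The service account key sits in the same working directory as the configs that a GitOps flow commits, so it is worth checking before each run that the file is private to your user and cannot end up in the repository. The preflight below is an added example, not part of Keyper; `check_sa_key` is a hypothetical helper name.

```shell
# Added example (not Keyper code): preflight for the credential file that the
# docker commands mount as /home/keyper/gcp.json.
# Prints one finding per line; returns 0 if clean, 1 on a finding, 2 if missing.
check_sa_key() {
    key_file=$1
    rc=0
    if [ ! -f "$key_file" ]; then
        echo "MISSING $key_file"
        return 2
    fi
    # Group/other permission bits must be clear (GNU stat first, BSD stat second).
    mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
    case $mode in
        600|400) ;;
        *) echo "PERMS $key_file is mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    # Inside a git work tree the key must be ignored and never tracked.
    dir=$(dirname "$key_file"); name=$(basename "$key_file")
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            echo "TRACKED $key_file is committed to git"; rc=1
        elif ! git -C "$dir" check-ignore -q -- "$name"; then
            echo "NOT_IGNORED add $name to .gitignore"; rc=1
        fi
    fi
    return $rc
}
# Usage: check_sa_key ./.cdktf-sa-key.json && docker run ... (as in the commands on this page)
```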
Run Keyper Command
Validate that the Docker image is working properly.

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 -h
Create Deployment, Role and Key
Create the resource configurations locally.

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 resource create -t deployment

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 resource create -t role -n app-role

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 resource create -t key
Deploy via Terraform
Provision resources in the cloud based on the resource configurations.

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 deploy apply
Encrypt/Decrypt Data with Key

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 data encrypt -k <key-id> --plaintext <secret>

docker run -it --rm --name keyper-cli \
  -v ./configs:/home/keyper/configs \
  -v ./cdktf.out:/home/keyper/cdktf.out \
  -v ./.cdktf-sa-key.json:/home/keyper/gcp.json \
  -v ./app.local.yaml:/home/keyper/app.local.yaml \
  ghcr.io/jarrid-xyz/keyper:v0.0.4 data decrypt -k <key-id> --ciphertext <secret>

You have just successfully used a KMS key to encrypt and decrypt data.
Releases
Keyper publishes a release every Monday. Stay updated with our latest developments by checking out our release notes. If you have a specific feature in mind that you'd like to see implemented, feel free to submit a feature request. You can also track the progress of ongoing feature requests and see what's coming next.
Need Help?
We are a small but ambitious team actively looking to expand our capabilities. We'd love to learn about your use cases and feedback. If you need help with implementation or have questions about crypto key or data and software security in general, don't hesitate to reach out.