Add ability to encrypt CA private key at rest (#386)

Fixes #8. `nebula-cert ca` now supports encrypting the CA's private key with a passphrase. Pass `-encrypt` in order to be prompted for a passphrase. Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF parameters default to RFC recommendations, but can be overridden via CLI flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`.
2025-11-22 00:15:37 +01:00 · 2023-04-03 13:59:38 -04:00
parent ee8e1348e9
commit a56a97e5c3
16 changed files with 1037 additions and 69 deletions
--- a/cmd/nebula-cert/passwords_test.go
+++ b/cmd/nebula-cert/passwords_test.go
@@ -0,0 +1,10 @@
+package main
+
+type StubPasswordReader struct {
+	password []byte
+	err      error
+}
+
+func (pr *StubPasswordReader) ReadPassword() ([]byte, error) {
+	return pr.password, pr.err
+}