A secure, encrypted vault system consisting of a Rust gRPC service for encrypted storage and Go components for HTTP REST API and client library access.
RustLock is a multi-component secrets management system designed for secure storage and retrieval of sensitive data. The system uses AES-256-GCM encryption and provides multiple access layers for different use cases.
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────────────┐
│ HTTP Client │ │ Go Application │ │ Trusted Service │
│ (Web/CLI) │ │ │ │ │
└─────────┬───────┘ └─────────┬────────┘ └──────────┬──────────────┘
│ │ │
│ HTTP REST │ gRPC │ gRPC
│ │ │
┌─────────▼───────┐ ┌─────────▼────────┐ ┌──────────▼──────────────┐
│ Go HTTP API │ │ Go Client Lib │ │ Go Client Library │
│ Server │────┤ │ │ (Direct Access) │
│ (Metadata) │ │ │ │ │
└─────────┬───────┘ └─────────┬────────┘ └──────────┬──────────────┘
│ │ │
│ gRPC │ gRPC │ gRPC
│ │ │
└──────────────────────┼────────────────────────┘
│
┌────────────▼──────────────┐
│ Rust gRPC Service │
│ (Encrypted Storage) │
│ │
│ • AES-256-GCM Encryption │
│ • UUID-based indexing │
│ • Persistent storage │
│ • Version management │
└───────────────────────────┘
The core component providing encrypted storage with:
- AES-256-GCM Encryption: Military-grade encryption for all stored secrets
- UUID-based Indexing: Unique identifiers for each secret with dual-index system
- Persistent Storage: JSON-based storage with encryption at rest
- Version Management: Automatic versioning of stored secrets
- gRPC Interface: High-performance service communication
Key Features:
- Automatic persistence to
vault_secrets.json - Dual indexing (UUID → Secret, Key → UUID)
- Comprehensive error handling
- Thread-safe operations
A lightweight HTTP server providing REST API access:
- Security-First Design: Returns only metadata, never secret values
- UUID-based Access: Clean API design with UUID validation
- Built-in Libraries Only: Uses only Go standard library
- Comprehensive Endpoints: Full CRUD operations
API Endpoints:
POST /secrets- Store new secretsGET /secrets- List all secrets with metadataGET /secrets/{uuid}- Get secret metadata by UUIDDELETE /secrets/delete/{uuid}- Delete secret by UUID
A powerful client library for trusted applications:
- Direct gRPC Access: Bypasses HTTP layer for efficiency
- Decrypted Values: Returns actual secret values for trusted services
- Rich API: Support for strings, bytes, versioning, and metadata
- Connection Management: Automatic connection pooling and cleanup
Perfect for:
- Microservices needing secrets
- Database connection strings
- API keys and tokens
- Configuration management
cd service
cargo runThe service will start on [::1]:50051
cd server
make setup
make runThe API will be available at http://localhost:8080
package main
import (
"context"
"fmt"
"log"
"your-project/client"
)
func main() {
client, err := rustlockclient.NewClient()
if err != nil {
log.Fatal(err)
}
defer client.Close()
ctx := context.Background()
// Store a secret
response, err := client.StoreSecretString(ctx, "api-key", "secret-value", map[string]string{
"service": "payment-gateway",
})
if err != nil {
log.Fatal(err)
}
// Retrieve the secret (decrypted!)
secretValue, err := client.GetSecretString(ctx, "api-key", "")
if err != nil {
log.Fatal(err)
}
fmt.Printf("Secret: %s\n", secretValue)
}- Algorithm: AES-256-GCM
- Key Management: Automatic key generation and management
- At-Rest Encryption: All data encrypted in persistent storage
- In-Transit: gRPC provides transport security
-
HTTP REST API:
- Returns metadata only (no secret values)
- Suitable for web applications, CLIs
- Lower security requirements
-
Go Client Library:
- Returns decrypted secret values
- Direct gRPC communication
- For trusted internal services only
- Network Security: Use TLS in production environments
- Access Control: Implement authentication/authorization
- Audit Logging: Log all secret access attempts
- Key Rotation: Regularly rotate encryption keys
- Memory Management: Properly clear sensitive data from memory
- Rust: 1.70 or higher
- Go: 1.24.3 or higher
- Protocol Buffers:
protoccompiler
- Clone the repository
git clone https://github.com/your-org/rustlock.git
cd rustlock- Build Rust service
cd service
cargo build --release- Setup Go components
cd server
make setup- Install client library
cd client
go build .RUST_LOG: Set logging level (e.g.,info,debug)VAULT_ADDR: gRPC service address (default:[::1]:50051)HTTP_PORT: HTTP API port (default:8080)
vault_secrets.json: Persistent storage (auto-created)Cargo.toml: Rust dependenciesgo.mod: Go module configuration
service VaultService {
rpc StoreSecret(StoreSecretRequest) returns (StoreSecretResponse);
rpc GetSecret(GetSecretRequest) returns (GetSecretResponse);
rpc DeleteSecret(DeleteSecretRequest) returns (DeleteSecretResponse);
rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse);
}POST /secrets- Store secretGET /secrets- List secretsGET /secrets/{uuid}- Get secret infoDELETE /secrets/delete/{uuid}- Delete secret
// Main client methods
func (c *Client) StoreSecretString(ctx context.Context, key, value string, metadata map[string]string) (*StoreResponse, error)
func (c *Client) GetSecretString(ctx context.Context, key, version string) (string, error)
func (c *Client) ListSecrets(ctx context.Context, prefix string) ([]*SecretInfo, error)
func (c *Client) DeleteSecret(ctx context.Context, key string) error# Store database credentials via HTTP API
curl -X POST http://localhost:8080/secrets \
-H "Content-Type: application/json" \
-d '{"key": "db-password", "value": "secret123", "metadata": {"env": "prod"}}'
# List secrets
curl http://localhost:8080/secrets// In your Go microservice
client, _ := rustlockclient.NewClient()
dbPassword, _ := client.GetSecretString(ctx, "db-password", "")
db, _ := sql.Open("postgres", "user:admin password:"+dbPassword+" host:localhost")// Store API keys with rotation metadata
client.StoreSecretString(ctx, "stripe-key", "sk_live_...", map[string]string{
"service": "payment",
"rotation_due": "2024-12-31",
})
// Retrieve in payment service
apiKey, _ := client.GetSecretString(ctx, "stripe-key", "")- Storage: ~1ms per secret (encrypted)
- Retrieval: ~0.5ms per secret (decrypted)
- Throughput: 1000+ ops/sec on standard hardware
- Memory: <50MB for 10,000 secrets
- Concurrent Access: Thread-safe operations
- Memory Efficiency: Secrets loaded on-demand
- Disk Usage: Minimal storage overhead
- Network: Efficient gRPC serialization
# Rust tests
cd service
cargo test
# Go tests
cd server
make test
cd client
go test# Build optimized Rust binary
cd service
cargo build --release
# Build Go binaries
cd server
make build
cd client
go build .- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Submit a pull request
-
Connection Refused
- Ensure Rust service is running
- Check port availability
- Verify firewall settings
-
Permission Denied
- Check file permissions on
vault_secrets.json - Ensure write access to storage directory
- Check file permissions on
-
Encryption Errors
- Verify data integrity
- Check available disk space
- Restart services if needed
Enable debug logging:
# Rust service
RUST_LOG=debug cargo run
# Go components
export DEBUG=true
make runThis project is licensed under the MIT License - see the LICENSE file for details.
We welcome contributions! Please see our Contributing Guide for details.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: security@yourcompany.com
See CHANGELOG.md for version history and updates.
RustLock - Secure, fast, and reliable secrets management for modern applications.