Skip to content
KeyRack

Developer Guide

Using the library, authoring shims, and extending providers.

Using keyrack-core directly

Section titled “Using keyrack-core directly”
[dependencies]
keyrack-core = "0.1"

Software provider

Section titled “Software provider”
use keyrack_core::provider::software::SoftwareProvider;
use keyrack_core::provider::CryptoProvider;


let provider = SoftwareProvider::new();
let key = provider.generate_key(&KeySpec::Aes256).await?;
let ct = provider.encrypt(&key, plaintext, aad).await?;

Swap in Pkcs11Provider or KmipProvider for HSM-backed production.

Key hierarchy resolution

Section titled “Key hierarchy resolution”
use keyrack_core::rule::RuleRegistry;
use keyrack_core::resolver::{resolve_chain, ResolverConfig};


let registry = RuleRegistry::from_yaml(&yaml)?;
let chain = resolve_chain(&registry, &attrs, &config)?;
// chain: [leaf_lid, ..., root_lid]

Writing custom providers

Section titled “Writing custom providers”

Implement the CryptoProvider trait to add new backends. Existing providers:

  • keyrack-pkcs11 — PKCS#11 HSM
  • keyrack-kmip — KMIP client
  • keyrack-vault — HashiCorp Vault Transit

WASM target

Section titled “WASM target”

The keyrack-wasm crate compiles to WebAssembly for browser use. No published npm package yet — see TypeScript use case.

REST and gRPC APIs

Section titled “REST and gRPC APIs”

Same operations available over both interfaces. Protobuf definitions in proto/keyrack/v1/.

Repository layout

Section titled “Repository layout”
CrateRole
keyrack-coreTypes, traits, providers, audit
keyrack-servicegRPC + REST service binary
keyrack-cedar-pdpStandalone Cedar PDP
keyrack-cliLint, provision, migrate, admin

Full reference

Section titled “Full reference”

The complete developer guide lives in the keyrack-oss repository.

See also: Operator guide · Security model