mukan-network/mukan-sdk
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 5
mukan-sdk/docs/architecture/adr-006-secret-store-replacement.md
Mukan Erkin Törük 20afb5db80
Some checks failed
Build SimApp / build (amd64) (push) Waiting to run
Details
Build SimApp / build (arm64) (push) Waiting to run
Details
CodeQL / Analyze (push) Waiting to run
Details
Build & Push / build (push) Waiting to run
Details
Run Gosec / Gosec (push) Waiting to run
Details
Lint / golangci-lint (push) Waiting to run
Details
Checks dependencies and mocks generation / Check go mod tidy (push) Waiting to run
Details
Checks dependencies and mocks generation / Check up to date mocks (push) Waiting to run
Details
System Tests / setup (push) Waiting to run
Details
System Tests / test-system (push) Blocked by required conditions
Details
System Tests / test-system-legacy (push) Blocked by required conditions
Details
Tests / Code Coverage / split-test-files (push) Waiting to run
Details
Tests / Code Coverage / tests (00) (push) Blocked by required conditions
Details
Tests / Code Coverage / tests (01) (push) Blocked by required conditions
Details
Tests / Code Coverage / tests (02) (push) Blocked by required conditions
Details
Tests / Code Coverage / tests (03) (push) Blocked by required conditions
Details
Tests / Code Coverage / test-integration (push) Waiting to run
Details
Tests / Code Coverage / test-e2e (push) Waiting to run
Details
Tests / Code Coverage / repo-analysis (push) Blocked by required conditions
Details
Tests / Code Coverage / test-sim-nondeterminism (push) Waiting to run
Details
Tests / Code Coverage / test-clientv2 (push) Waiting to run
Details
Tests / Code Coverage / test-core (push) Waiting to run
Details
Tests / Code Coverage / test-depinject (push) Waiting to run
Details
Tests / Code Coverage / test-errors (push) Waiting to run
Details
Tests / Code Coverage / test-math (push) Waiting to run
Details
Tests / Code Coverage / test-schema (push) Waiting to run
Details
Tests / Code Coverage / test-collections (push) Waiting to run
Details
Tests / Code Coverage / test-cosmovisor (push) Waiting to run
Details
Tests / Code Coverage / test-confix (push) Waiting to run
Details
Tests / Code Coverage / test-store (push) Waiting to run
Details
Tests / Code Coverage / test-log (push) Waiting to run
Details
Tests / Code Coverage / test-x-tx (push) Waiting to run
Details
Tests / Code Coverage / test-x-nft (push) Waiting to run
Details
Tests / Code Coverage / test-x-circuit (push) Waiting to run
Details
Tests / Code Coverage / test-x-feegrant (push) Waiting to run
Details
Tests / Code Coverage / test-x-evidence (push) Waiting to run
Details
Tests / Code Coverage / test-x-upgrade (push) Waiting to run
Details
Tests / Code Coverage / test-tools-benchmark (push) Waiting to run
Details
Build & Push SDK Proto Builder / build (push) Has been cancelled
Details
initial: sovereign Mukan Network fork
2026-05-11 03:18:24 +03:00

54 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ADR 006: Secret Store Replacement
## Changelog
* July 29th, 2019: Initial draft
* September 11th, 2019: Work has started
* November 4th: Cosmos SDK changes merged in
* November 18th: Gaia changes merged in
## Context
Currently, a Cosmos SDK application's CLI directory stores key material and metadata in a plain text database in the users home directory. Key material is encrypted by a passphrase, protected by bcrypt hashing algorithm. Metadata (e.g. addresses, public keys, key storage details) is available in plain text.
This is not desirable for a number of reasons. Perhaps the biggest reason is insufficient security protection of key material and metadata. Leaking the plain text allows an attacker to surveil what keys a given computer controls via a number of techniques, like compromised dependencies without any privilege execution. This could be followed by a more targeted attack on a particular user/computer.
All modern desktop computers OS (Ubuntu, Debian, MacOS, Windows) provide a built-in secret store that is designed to allow applications to store information that is isolated from all other applications and requires passphrase entry to access the data.
We are seeking solution that provides a common abstraction layer to the many different backends and reasonable fallback for minimal platforms that dont provide a native secret store.
## Decision
We recommend replacing the current Keybase backend based on LevelDB with [Keyring](https://github.com/99designs/keyring) by 99 designs. This application is designed to provide a common abstraction and uniform interface between many secret stores and is used by AWS Vault application by 99-designs application.
This appears to fulfill the requirement of protecting both key material and metadata from rouge software on a users machine.
## Status
Accepted
## Consequences
### Positive
Increased safety for users.
### Negative
Users must manually migrate.
Testing against all supported backends is difficult.
Running tests locally on a Mac require numerous repetitive password entries.
### Neutral
{neutral consequences}
## References
* #4754 Switch secret store to the keyring secret store (original PR by @poldsam) [__CLOSED__]
* #5029 Add support for github.com/99designs/keyring-backed keybases [__MERGED__]
* #5097 Add keys migrate command [__MERGED__]
* #5180 Drop on-disk keybase in favor of keyring [_PENDING_REVIEW_]
* cosmos/gaia#164 Drop on-disk keybase in favor of keyring (gaia's changes) [_PENDING_REVIEW_]
Reference in a new issue View git blame Copy permalink