Add GPG/OpenPGP secrets engine #1

Merged
benvin merged 1 commits from benvin/gpg-engine into main 2026-07-15 21:30:26 +10:00
Owner

Provide a transit-style Vault/OpenBao secrets engine whose key material is OpenPGP, so services can sign/verify/encrypt/decrypt with GPG keys that never leave the barrier — and so tools like pass can encrypt to an exported public key while delegating decryption back to Vault.

  • Add versioned key management (keys/<name> CRUD+list, config, rotate, import) with private material seal-wrapped under key/ and per-key locking.
  • Add sign/verify (detached OpenPGP) and encrypt/decrypt paths; decrypt auto-detects armored vs raw-binary ciphertext (what pass/gpg write).
  • Add export/<public-key|private-key>/<name>; public always exportable, private only when the key is marked exportable.
  • Use ProtonMail go-crypto for OpenPGP; support rsa-2048/3072/4096 and ed25519.
  • Clone the sibling plugin's build/packaging/CI: dual-target RPMs (vault + openbao plugin dirs), Woodpecker PR/release pipelines, and a Vault+OpenBao e2e harness. Unit tests include real gpg and pass interop.
Provide a transit-style Vault/OpenBao secrets engine whose key material is OpenPGP, so services can sign/verify/encrypt/decrypt with GPG keys that never leave the barrier — and so tools like `pass` can encrypt to an exported public key while delegating decryption back to Vault. - Add versioned key management (`keys/<name>` CRUD+list, `config`, `rotate`, `import`) with private material seal-wrapped under `key/` and per-key locking. - Add `sign`/`verify` (detached OpenPGP) and `encrypt`/`decrypt` paths; `decrypt` auto-detects armored vs raw-binary ciphertext (what pass/gpg write). - Add `export/<public-key|private-key>/<name>`; public always exportable, private only when the key is marked exportable. - Use ProtonMail go-crypto for OpenPGP; support rsa-2048/3072/4096 and ed25519. - Clone the sibling plugin's build/packaging/CI: dual-target RPMs (vault + openbao plugin dirs), Woodpecker PR/release pipelines, and a Vault+OpenBao e2e harness. Unit tests include real `gpg` and `pass` interop.
unkinben added 1 commit 2026-07-15 21:25:42 +10:00
Add GPG/OpenPGP secrets engine
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
71cc398197
Provide a transit-style Vault/OpenBao secrets engine whose key material is
OpenPGP, so services can sign/verify/encrypt/decrypt with GPG keys that never
leave the barrier — and so tools like pass can encrypt to an exported public
key while delegating decryption back to Vault.

- Add versioned key management (keys/<name> CRUD+list, config, rotate, import)
  with private material seal-wrapped under key/ and per-key locking.
- Add sign/verify (detached OpenPGP) and encrypt/decrypt paths; decrypt
  auto-detects armored vs raw-binary ciphertext (what pass/gpg write).
- Add export/<public-key|private-key>/<name>; public always exportable,
  private only when the key is marked exportable.
- Use ProtonMail go-crypto for OpenPGP; support rsa-2048/3072/4096 and ed25519.
- Clone the sibling plugin's build/packaging/CI: dual-target RPMs
  (vault + openbao plugin dirs), Woodpecker PR/release pipelines, and a
  Vault+OpenBao e2e harness. Unit tests include real gpg and pass interop.
unkinben force-pushed benvin/gpg-engine from e7dda4bcda to 71cc398197 2026-07-15 21:25:42 +10:00 Compare
benvin merged commit eb35aa7a43 into main 2026-07-15 21:30:26 +10:00
benvin deleted branch benvin/gpg-engine 2026-07-15 21:30:26 +10:00
Sign in to join this conversation.
No Reviewers
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/vault-plugin-secrets-gpg#1