Skip to content

AbasSec/CryptGuard

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CryptGuard 🛡️

A production-grade AES-GCM Envelope Encryption Data Plane gated by a Shamir's Secret Sharing (SSS) Key Management System (KMS).

🚀 Overview

CryptGuard solves the "single point of failure" problem in standard encryption systems by distributing trust. The Master Key that protects the entire data plane never exists on disk. It is mathematically split across multiple administrators and is only reconstructed in volatile memory when the required threshold of shares is provided.

Key Capabilities

  • Shamir-Gated KMS: The 256-bit Master Key is split into N shares requiring K threshold to unlock.
  • Envelope Encryption Architecture:
    • Master Key -> encrypts -> Key Encryption Keys (KEK)
    • KEK -> encrypts -> Data Encryption Keys (DEK)
    • DEK -> encrypts -> Data
  • Authenticated Encryption (AEAD): All layers use AES-256-GCM. Any bit-flipping or tampering immediately fails decryption via GCM authentication tags.
  • Cryptographic Audit Log: Every action (Initialize, Unlock, Lock, Encrypt, Decrypt) is deterministically logged.
  • Zero-Knowledge Storage: Encrypted files are stored on disk as raw ciphertext blobs. The database only holds the metadata (IVs, DEKs, KEK references).

🏗 Architecture

[ Admin Shares (x/y) ] --> ( SSS Reconstruction ) --> [ Volatile Master Key ]
                                                              |
                                                              v
[ User Payload ] --> ( AES-GCM DEK ) --> [ Storage ]     [ KEKs DB ]
                          |                                   |
                          +----------( Encrypted By )---------+

🛠 Setup & Installation

Prerequisites

  • Docker & Docker Compose

Deployment

  1. Clone the repository and enter the directory.
  2. Spin up the platform:
    docker-compose up -d
  3. Access the KMS Management Console: http://localhost:5000

🛡️ Security Posture

  • Memory Safety: The Master Key is destroyed from memory immediately upon pressing "Lock KMS".
  • Mathematical Trust: SSS operations are performed over a strict 256-bit prime field (GF(2^256 - 189)).
  • Nonce Misuse Resistance: Every encryption operation (DEK, KEK, or File) generates a fresh 96-bit cryptographically secure random nonce (os.urandom(12)).

About

Production-grade AES-GCM Envelope Encryption Data Plane gated by a Shamir Secret Sharing (SSS) KMS.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors