# keyquorum configuration
#
# Copy this to /etc/keyquorum/config.toml (or pass -c /path/to/config.toml)
[daemon]
# Path of the Unix domain socket the daemon listens on; this listener is
# always created. Who may connect is governed by the socket's filesystem
# permissions and those of its parent directory — nothing in this file
# sets a mode, so confirm how the daemon creates the socket.
socket_path = '/run/keyquorum/keyquorum.sock'

# Optional second listener on TCP, bound to localhost only (handy for SSM
# port forwarding and similar tunnels). Unlike the socket above, a loopback
# port is reachable by any local process that can open a connection, with
# no filesystem permission check, so leave it commented out unless needed.
# tcp_port = 35000

# Strict hardening: abort rather than continue when memory protections
# (mlock, madvise) cannot be applied to secret buffers; shares are then
# rejected if the OS cannot guarantee memory safety for the buffer.
# Default: true. Turn off with --no-strict-hardening or `false` here.
# Implied by lockdown below.
# strict_hardening = true

# Lockdown: the strictest posture. Rejects the stdout action, forces
# on_failure = "wipe" and implies strict_hardening. New restrictions may be
# added between versions, so re-check release notes when upgrading.
# Equivalent to the --lockdown CLI flag.
# lockdown = true
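[session]
# Minimum number of shares needed to reconstruct the secret (K).
threshold = 3

# Total number of shares that were generated (N). Not used by the
# reconstruction itself, but when require_metadata = true the threshold/
# total values carried in each share's metadata headers are cross-validated
# against this daemon config, so keep it in sync with keyquorum-split.
total_shares = 5

# Quorum window in seconds. If fewer than `threshold` shares arrive within
# this window, every collected share is securely wiped and the session
# resets. Default: 1800 (30 minutes).
timeout_secs = 1800

# How a reconstructed candidate secret is verified.
# "embedded-blake3" (default): the secret carries a trailing 32-byte blake3
#   checksum added by keyquorum-split; candidates are checked in
#   microseconds without running the action.
# "none": no verification — executing the action is the only check.
# WARNING: with "none", retry mode must not be used, because every
# incorrect candidate secret would be fed to the configured action.
# verification = "embedded-blake3"

# Behaviour when reconstruction fails after quorum is reached.
# "wipe" (default): wipe all shares immediately and reset.
# "retry": keep the shares, accept further ones and retry using
#   combinatorial matching — useful when a participant may have submitted a
#   corrupted share. Requires verification = "embedded-blake3" (the
#   default). Lockdown mode forces "wipe" regardless of this setting.
# on_failure = "retry"
# Upper bound on retry attempts when on_failure = "retry".
# NOTE(review): whether this counts reconstruction rounds or additional
# shares accepted is not documented here — confirm against the daemon.
# max_retries = 3

# Cap on the number of share combinations tried during one reconstruction
# (default: 100). Bounds the C(n,k) search so a large pool of shares cannot
# turn into runaway CPU usage.
# max_combinations = 100

# Require a PEM envelope with metadata headers on submitted shares.
# When true, shares lacking a KEYQUORUM-SHARE-V1 envelope and the Share,
# Scheme and Integrity headers are rejected; this is what enables the
# threshold/total cross-validation described under total_shares.
# Not forced by lockdown: headerless shares leak less information about the
# scheme parameters, so either choice can be the more secure one.
# Default: false
# require_metadata = false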
# Action performed once quorum is reached. Only one [action] table may be
# present; pick one of the three shapes below (luks, stdout, command).
[action]
type = 'luks'
# Block device to unlock. /dev/sdX names can change between boots when
# disks are enumerated in a different order; for anything beyond a demo a
# persistent path such as /dev/disk/by-uuid/<UUID-placeholder> is safer.
device = '/dev/sda2'
# Mapping name for the unlocked volume (presumably the entry that appears
# under /dev/mapper/ — confirm against the daemon's luks handling).
name = 'cryptdata'

# --- OR: write the reconstructed secret to the daemon's stdout ---
# Rejected when lockdown mode is enabled (see [daemon]).
# [action]
# type = "stdout"

# --- OR: pipe the secret to the stdin of a command ---
# The program runs with whatever privileges the daemon has (any sandboxing
# or privilege drop is not visible in this file — confirm), so use an
# absolute path to a binary that only trusted users can modify.
# [action]
# type = "command"
# program = "/usr/local/bin/unseal-vault"
# args = ["--cluster", "prod"]
[logging]
# Log verbosity: one of trace, debug, info, warn, error. The RUST_LOG
# environment variable can also set it; which of the two wins when both are
# given is not stated here. Levels below "info" emit more detail about the
# daemon's internals, so protect the log destination accordingly.
level = 'info'

# Record who submitted shares (user, timestamp, share index). Off by
# default because some deployments deliberately keep no participation
# records; when enabled, the log identifies the quorum members and should
# be treated as sensitive.
log_participation = false