Add support to store backup keys in vault

Cargo.toml

@@ -10,6 +10,7 @@ version = "0.1.0"
 [features]
 ceph = ["ceph-rust"]
 gluster = ["gfapi-sys"]
+vault = ["hashicorp_vault"]
 
 [dependencies]
 ceph-rust = {git = "https://github.com/cholcombe973/ceph-rust", optional = true}
@@ -24,6 +25,7 @@ rustc-serialize = "^0.3"
 tempdir = "^0.3"
 time = "0.1.35"
 url = "^1.2"
+hashicorp_vault = {version = "^0.6", optional = true}
 
 [dependencies.rust-acd]
 git = "https://github.com/fpgaminer/rust-acd.git"

README.md

@@ -3,13 +3,28 @@ Preserve is an encrypted backup system written in Rust.  All backup data is encr
 
 ## Usage
 
-1. Generate a keyfile
+1. Generate a keyfile without vault.
 
    ```
-   preserve keygen --keyfile > keyfile
+   preserve keygen --keyfile keyfile
    ```
 
-    Make sure to store this keyfile in a safe place.  Anyone who has access to this keyfile can read your backups and/or corrupt them.
+    Make sure to store this keyfile in a safe place.  Anyone who has access to this keyfile can read your backups and/or corrupt them. If you build
+    preserve with the `vault` feature you can store the key in hashicorp-vault. Preserve will then pull down the key as needed so it doesn't need to
+    be stored locally.
+
+    The vault key storage uses the `.config/vault.json` file to configure it. Fields for this file are:
+  ```
+  {
+   "host": "http://localhost:8200",
+   "token": "<token>",
+  }
+  ```
+
+    Generating a keyfile with vault:
+    ```
+    preserve keygen
+    ```
 2. Configure your backend.
 
   Ceph is supported as a backend. Use `--backend ceph`. The ceph backend uses the
@@ -69,6 +84,7 @@ them use cargo build with the `--features` flag and specify either one or both
 of the backends.
 `cargo build --features "ceph gluster"`. Make sure you have `librados-dev` and
 `glusterfs-common` installed or these backends will fail to link properly.
+The vault key storage 
 
 ## Test
 ```

src/cmds/keygen/mod.rs

@@ -1,11 +1,39 @@
-use keystore::KeyStore;
-use std::fs::OpenOptions;
-use std::io::{self, BufWriter, Write};
+use std::fs::{File, OpenOptions};
+use std::io::{self, BufWriter, Read, Write};
+
 use clap::ArgMatches;
+use error::*;
+use keystore::KeyStore;
+#[cfg(feature="vault")]
+use rustc_serialize::json;
+#[cfg(feature="vault")]
+use vault::Client;
+
+#[cfg(feature="vault")]
+#[derive(RustcDecodable)]
+struct VaultConfig {
+    /// The url location of a vault writable host
+    host: String,
+    /// The token that can be used to write to vault
+    token: String,
+}
 
+#[cfg(feature="vault")]
+fn save_keys_to_vault(buffer: &Vec<u8>) -> Result<()> {
+    let vault_config: VaultConfig = {
+        let mut f = try!(File::open(".config/vault.json"));
+        let mut s = String::new();
+        try!(f.read_to_string(&mut s));
+        try!(json::decode(&s))
+    };
+    let client = try!(Client::new(&vault_config.host, &vault_config.token));
+    try!(client.set_secret("backup_key", &String::from_utf8_lossy(&buffer)));
+    Ok(())
+}
 
 pub fn execute(args: &ArgMatches) {
     // Open output file/stdout for writing
+    #[cfg(not(feature="vault"))]
     let file: Box<Write> = match args.value_of("keyfile") {
         Some(path) => {
             // Won't overwrite existing file
@@ -25,14 +53,22 @@ pub fn execute(args: &ArgMatches) {
         }
         None => Box::new(io::stdout()),
     };
+    #[cfg(not(feature="vault"))]
     let mut writer = BufWriter::new(file);
+    #[cfg(feature="vault")]
+    let mut buffer: Vec<u8> = Vec::new();
+    #[cfg(feature="vault")]
+    let mut writer = BufWriter::new(&mut buffer);
 
     // Create a new keystore
     let keystore = KeyStore::new();
 
     // Save the keystore to the destination (file/stdout)
     match keystore.save(&mut writer) {
-        Ok(_) => (),
+        Ok(_) => {
+            #[cfg(feature="vault")]
+            save_keys_to_vault(&writer.get_ref());
+        }
         Err(err) => {
             error!("Could not write to keyfile: {}", err);
             return;

src/error.rs

@@ -35,6 +35,8 @@ pub enum Error {
     ArchiveNotFound,
     InvalidArchiveName,
     BackendOnDifferentDevices,
+    #[cfg(feature = "vault")]
+    VaultError(::vault::Error),
 }
 
 impl fmt::Display for Error {
@@ -66,6 +68,8 @@ impl StdError for Error {
             RadosError(ref e) => e.description(),
             #[cfg(feature = "gluster")]
             GlusterError(ref e) => e.description(),
+            #[cfg(feature = "vault")]
+            VaultError(ref e) => e.description(),
             BlockNotFound => "The specified block was not found",
             ArchiveNotFound => "The specified archive was not found",
             InvalidArchiveName => {
@@ -95,6 +99,8 @@ impl StdError for Error {
             Acd(ref error) => Some(error),
             #[cfg(feature = "gluster")]
             GlusterError(ref error) => Some(error),
+            #[cfg(feature = "vault")]
+            VaultError(ref error) => Some(error),
             #[cfg(feature = "ceph")]
             RadosError(ref error) => Some(error),
             ArchiveNameConflict => None,
@@ -138,3 +144,10 @@ impl From<::gfapi_sys::gluster::GlusterError> for Error {
         GlusterError(err)
     }
 }
+
+#[cfg(feature = "vault")]
+impl From<::vault::Error> for Error {
+    fn from(err: ::vault::Error) -> Error {
+        VaultError(err)
+    }
+}

src/main.rs

@@ -21,6 +21,8 @@ extern crate rand;
 extern crate tempdir;
 extern crate time;
 extern crate url;
+#[cfg(feature = "vault")]
+extern crate hashicorp_vault as vault;
 
 mod archive;
 mod backend;