filepilot-enterprise-vault 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,209 @@
1
+ # FilePilot — Corporate Vault Integration Microservice
2
+
3
+ [![Docker Image](https://img.shields.io/badge/docker-ready-blue.svg?logo=docker)](https://hub.docker.com/)
4
+ [![License](https://img.shields.io/badge/License-UNLICENSED-red.svg)](#)
5
+
6
+ This microservice simulates or proxies a HashiCorp Vault server, allowing organizations to securely serve Connection Profiles to FilePilot clients over their intranet. It is designed to act as an enterprise config server, managing Key Encryption Keys (KEK), Data Encryption Keys (DEK), and compliance-checked remote connection configurations.
7
+
8
+ ---
9
+
10
+ ## 🚨 Production Deployment Checklist
11
+
12
+ Before deploying this microservice in a production environment, ensure the following security requirements are met:
13
+ * **Production Database:** Do **NOT** use SQLite for production. Deploy using **PostgreSQL** or **MySQL** to enable proper database-level deletion prevention triggers. Restrict database user privileges (revoke `DELETE` / `DROP` / `TRUNCATE` privileges on audit logs).
14
+ * **Master Encryption Key:** Always set the `VAULT_MASTER_KEY` environment variable as a 256-bit hex/base64 string. Never rely on the auto-generated `.vault_key` file-based fallback on disk in a containerized environment, as containers are ephemeral.
15
+ * **Default Credentials:** Always run the Setup Wizard (`/admin/install.html` on first boot) to establish a strong custom admin password. If default `admin`/`vault-admin-pass` credentials are ever initialized, change them immediately in the admin settings console.
16
+ * **Network Security (TLS/HTTPS):** Run the microservice behind a reverse proxy (e.g., Nginx, Cloudflare, AWS ALB) configured for HTTPS/TLS to protect credentials and tokens in transit.
17
+ * **IP Allowlisting:** Configure strict IP allowlists for all Vault Groups to restrict client synchronization access to designated enterprise subnets and VPN endpoints.
18
+
19
+ ---
20
+
21
+ ## 📦 Getting Started
22
+
23
+ ### Method 1: Local Node.js Setup
24
+
25
+ 1. **Install Dependencies**:
26
+ ```bash
27
+ npm install
28
+ ```
29
+ 2. **Start the Microservice**:
30
+ ```bash
31
+ npm start
32
+ ```
33
+ The server will start listening on port `8200` (or the port specified by the `PORT` env var).
34
+
35
+ ---
36
+
37
+ ### Method 2: Docker Setup (Recommended)
38
+
39
+ This microservice comes containerized with a lightweight Alpine-based Node.js Dockerfile.
40
+
41
+ #### 1. Build the Docker Image Locally
42
+ ```bash
43
+ docker build -t filepilot-enterprise-vault:latest .
44
+ ```
45
+
46
+ #### 2. Run the Container
47
+ Run the container mapping port `8443` on the host to port `8443` in the container, passing the master key, and persistent volume mount:
48
+ ```bash
49
+ docker run -d \
50
+ -p 8443:8443 \
51
+ -e VAULT_MASTER_KEY="your-super-secret-256-bit-hex-key" \
52
+ -v ./data:/app/data \
53
+ --name filepilot-vault \
54
+ abhibagul/filepilot-enterprise-vault:latest
55
+ ```
56
+
57
+ > [!NOTE]
58
+ > Mounting `./data` or a Docker volume to `/app/data` ensures that the configuration, SQLite database, and backups persist across container lifecycles.
59
+
60
+ #### 3. Docker Compose Configuration (`docker-compose.yml`)
61
+ To orchestrate the vault microservice with a Postgres database for enterprise production, configure `docker-compose.yml` as follows:
62
+
63
+ ```yaml
64
+ version: '3.8'
65
+
66
+ services:
67
+ vault:
68
+ image: abhibagul/filepilot-enterprise-vault:latest
69
+ build: .
70
+ ports:
71
+ - "8443:8443"
72
+ environment:
73
+ - PORT=8443
74
+ - NODE_ENV=production
75
+ - VAULT_DATA_DIR=/app/data
76
+ - VAULT_MASTER_KEY=4a6f6e617468616e206973206120736563726574206b65792121212121212121
77
+ volumes:
78
+ - vault_data:/app/data
79
+ depends_on:
80
+ - db
81
+
82
+ db:
83
+ image: postgres:15-alpine
84
+ environment:
85
+ - POSTGRES_DB=filepilot_vault
86
+ - POSTGRES_USER=vault_admin
87
+ - POSTGRES_PASSWORD=strong_db_password
88
+ volumes:
89
+ - postgres_data:/var/lib/postgresql/data
90
+
91
+ volumes:
92
+ vault_data:
93
+ postgres_data:
94
+ ```
95
+
96
+ ---
97
+
98
+ ### Method 3: NPM & NPX Setup (CLI)
99
+
100
+ You can run the vault microservice directly using `npx` or install it globally from NPM:
101
+
102
+ #### Option A: Run directly with NPX (No installation required)
103
+ 1. **Run the Setup Wizard**:
104
+ ```bash
105
+ npx filepilot-enterprise-vault init
106
+ ```
107
+ 2. **Start the Server**:
108
+ ```bash
109
+ npx filepilot-enterprise-vault start
110
+ ```
111
+
112
+ #### Option B: Install Globally from NPM
113
+ 1. **Install Globally**:
114
+ ```bash
115
+ npm install -g filepilot-enterprise-vault
116
+ ```
117
+ 2. **Run the Setup Wizard**:
118
+ ```bash
119
+ filepilot-enterprise-vault init
120
+ ```
121
+ 3. **Start the Server**:
122
+ ```bash
123
+ filepilot-enterprise-vault start
124
+ ```
125
+
126
+ ---
127
+
128
+ ## 🚀 Pushing to Docker Hub & CI/CD
129
+
130
+ This repository includes a preconfigured GitHub Actions workflow in `.github/workflows/docker-publish.yml` to automate builds and pushes.
131
+
132
+ ### Prerequisites for GitHub Actions:
133
+ 1. Go to your GitHub repository -> **Settings** -> **Secrets and variables** -> **Actions**.
134
+ 2. Add the following **Repository Secrets**:
135
+ * `DOCKERHUB_USERNAME`: Your Docker Hub username.
136
+ * `DOCKERHUB_TOKEN`: A Personal Access Token (PAT) generated from your Docker Hub account with write access.
137
+ 3. The workflow will automatically trigger, build, tag, and push the image to Docker Hub whenever you push a semantic version tag (e.g. `v1.0.0`) or publish a GitHub release.
138
+
139
+ ---
140
+
141
+ ## 🔒 Bring Your Own KMS (BYOK)
142
+
143
+ The Corporate Vault microservice supports Bring-Your-Own-KMS (BYOK) configurations. Enterprise administrators can offload Key Encryption Key (KEK) management and remote wrap/unwrap operations to their own customer-managed KMS systems (AWS KMS, Azure Key Vault, or HashiCorp Vault).
144
+
145
+ ### Supported KMS Providers & Configuration
146
+
147
+ #### 1. Local (Default)
148
+ Uses the default app-managed `VAULT_MASTER_KEY` environment variable or local master key file to perform wrapping/unwrapping locally via AES-256-GCM. No external cloud credentials are required.
149
+
150
+ #### 2. AWS KMS (`aws-kms`)
151
+ Calls AWS KMS remotely to perform `Encrypt`, `Decrypt`, and `DescribeKey` operations on a customer-provided KMS Key ARN.
152
+ * **Non-secret Configuration (`kms_config`):**
153
+ * `region`: The target AWS Region (e.g. `us-east-1`).
154
+ * `keyArn`: The full AWS KMS Key ARN.
155
+ * **Credentials (`kms_credentials`):**
156
+ * `accessKeyId`: AWS Access Key ID.
157
+ * `secretAccessKey`: AWS Secret Access Key.
158
+
159
+ #### 3. Azure Key Vault (`azure-keyvault`)
160
+ Performs `wrapKey` and `unwrapKey` operations using an Azure Key Vault RSA key (via `RSA-OAEP-256`).
161
+ * **Non-secret Configuration (`kms_config`):**
162
+ * `vaultUrl`: The target Key Vault endpoint URL (e.g. `https://myvault.vault.azure.net`).
163
+ * `keyName`: The Key Name.
164
+ * **Credentials (`kms_credentials`):**
165
+ * `tenantId`: Azure AD Tenant ID.
166
+ * `clientId`: Client App Registration ID.
167
+ * `clientSecret`: Client Secret.
168
+
169
+ #### 4. HashiCorp Vault (`hashicorp-vault`)
170
+ Uses HashiCorp Vault's **Transit Secrets Engine** `encrypt` and `decrypt` endpoints over HTTP.
171
+ * **Non-secret Configuration (`kms_config`):**
172
+ * `vaultAddr`: The address of the Vault server (e.g. `https://vault.corp.internal:8200`).
173
+ * `transitKeyName`: Transit engine key name.
174
+ * **Credentials (`kms_credentials`):**
175
+ * `vaultToken`: Vault access token.
176
+ * `roleId`: AppRole Role ID.
177
+ * `secretId`: AppRole Secret ID.
178
+
179
+ ---
180
+
181
+ ## 🔒 Tamper-Evidence & Deletion Prevention Security Boundary
182
+
183
+ The security audit logging system uses a cryptographic hash-chain to record actions, with database-level deletion prevention triggers.
184
+
185
+ | Database Engine | Application-level Deletion Block | Database-level Deletion Block | Tamper Detection (Hash-Chain Verification) | OS-level / Filesystem Access Protection |
186
+ | --- | --- | --- | --- | --- |
187
+ | **MySQL** | Yes (No DELETE/TRUNCATE endpoints) | Yes (`prevent_delete_transferlog` trigger blocks direct DELETE/TRUNCATE) | Yes (`verify-full` detects any hash/chain mismatch) | Admin should configure user privileges: revoke `DELETE` / `DROP` |
188
+ | **PostgreSQL** | Yes (No DELETE/TRUNCATE endpoints) | Yes (`prevent_delete_transferlog` trigger blocks direct DELETE/TRUNCATE) | Yes (`verify-full` detects any hash/chain mismatch) | Admin should configure user privileges: revoke `DELETE` / `TRUNCATE` |
189
+ | **SQLite** | Yes (No DELETE/TRUNCATE endpoints) | Yes (`prevent_delete_transferlog` trigger blocks direct DELETE) | Yes (`verify-full` detects any hash/chain mismatch) | None (Any user with read/write access to the database file can modify or delete the file directly) |
190
+
191
+ ---
192
+
193
+ ## 🔒 SIEM Webhook HMAC Signature Verification
194
+
195
+ This vault microservice sends JSON payloads of all security audit logs to the configured SIEM Webhook URL. Each webhook payload is cryptographically signed using the `siem_webhook_secret` using HMAC-SHA256.
196
+
197
+ The signature is sent in the HTTP header:
198
+ `X-Vault-Signature-256: sha256=<hex signature>`
199
+
200
+ ---
201
+
202
+ ## 🔗 Integrating with FilePilot Client
203
+
204
+ 1. Boot up this microservice (either locally or containerized).
205
+ 2. Open the FilePilot client application.
206
+ 3. Navigate to **Settings** -> **Enterprise Sync**.
207
+ 4. Configure the Vault URL: `http://<your-vault-host>:8200/v1/secret/data/filepilot/profiles`.
208
+ 5. Enter the vault access token or credentials configured in the admin panel.
209
+ 6. Click **Sync Profiles Now** to retrieve connection profiles over the secure corporate network.
Binary file