filepilot-enterprise-vault 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +209 -0
- package/admin/enterprise.png +0 -0
- package/admin/index.html +5297 -0
- package/admin/install.html +511 -0
- package/bin/cli.js +247 -0
- package/compliance-checks.cjs +221 -0
- package/db.cjs +999 -0
- package/kms-providers.cjs +329 -0
- package/package.json +59 -0
- package/server.cjs +4214 -0
package/README.md
ADDED
|
@@ -0,0 +1,209 @@
|
|
|
1
|
+
# FilePilot — Corporate Vault Integration Microservice
|
|
2
|
+
|
|
3
|
+
[](https://hub.docker.com/)
|
|
4
|
+
[](#)
|
|
5
|
+
|
|
6
|
+
This microservice simulates or proxies a HashiCorp Vault server, allowing organizations to securely serve Connection Profiles to FilePilot clients over their intranet. It is designed to act as an enterprise config server, managing Key Encryption Keys (KEK), Data Encryption Keys (DEK), and compliance-checked remote connection configurations.
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## 🚨 Production Deployment Checklist
|
|
11
|
+
|
|
12
|
+
Before deploying this microservice in a production environment, ensure the following security requirements are met:
|
|
13
|
+
* **Production Database:** Do **NOT** use SQLite for production. Deploy using **PostgreSQL** or **MySQL** to enable proper database-level deletion prevention triggers. Restrict database user privileges (revoke `DELETE` / `DROP` / `TRUNCATE` privileges on audit logs).
|
|
14
|
+
* **Master Encryption Key:** Always set the `VAULT_MASTER_KEY` environment variable as a 256-bit hex/base64 string. Never rely on the auto-generated `.vault_key` file-based fallback on disk in a containerized environment, as containers are ephemeral.
|
|
15
|
+
* **Default Credentials:** Always run the Setup Wizard (`/admin/install.html` on first boot) to establish a strong custom admin password. If default `admin`/`vault-admin-pass` credentials are ever initialized, change them immediately in the admin settings console.
|
|
16
|
+
* **Network Security (TLS/HTTPS):** Run the microservice behind a reverse proxy (e.g., Nginx, Cloudflare, AWS ALB) configured for HTTPS/TLS to protect credentials and tokens in transit.
|
|
17
|
+
* **IP Allowlisting:** Configure strict IP allowlists for all Vault Groups to restrict client synchronization access to designated enterprise subnets and VPN endpoints.
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## 📦 Getting Started
|
|
22
|
+
|
|
23
|
+
### Method 1: Local Node.js Setup
|
|
24
|
+
|
|
25
|
+
1. **Install Dependencies**:
|
|
26
|
+
```bash
|
|
27
|
+
npm install
|
|
28
|
+
```
|
|
29
|
+
2. **Start the Microservice**:
|
|
30
|
+
```bash
|
|
31
|
+
npm start
|
|
32
|
+
```
|
|
33
|
+
The server will start listening on port `8200` (or the port specified by the `PORT` env var).
|
|
34
|
+
|
|
35
|
+
---
|
|
36
|
+
|
|
37
|
+
### Method 2: Docker Setup (Recommended)
|
|
38
|
+
|
|
39
|
+
This microservice comes containerized with a lightweight Alpine-based Node.js Dockerfile.
|
|
40
|
+
|
|
41
|
+
#### 1. Build the Docker Image Locally
|
|
42
|
+
```bash
|
|
43
|
+
docker build -t filepilot-enterprise-vault:latest .
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
#### 2. Run the Container
|
|
47
|
+
Run the container mapping port `8443` on the host to port `8443` in the container, passing the master key, and persistent volume mount:
|
|
48
|
+
```bash
|
|
49
|
+
docker run -d \
|
|
50
|
+
-p 8443:8443 \
|
|
51
|
+
-e VAULT_MASTER_KEY="your-super-secret-256-bit-hex-key" \
|
|
52
|
+
-v ./data:/app/data \
|
|
53
|
+
--name filepilot-vault \
|
|
54
|
+
abhibagul/filepilot-enterprise-vault:latest
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
> [!NOTE]
|
|
58
|
+
> Mounting `./data` or a Docker volume to `/app/data` ensures that the configuration, SQLite database, and backups persist across container lifecycles.
|
|
59
|
+
|
|
60
|
+
#### 3. Docker Compose Configuration (`docker-compose.yml`)
|
|
61
|
+
To orchestrate the vault microservice with a Postgres database for enterprise production, configure `docker-compose.yml` as follows:
|
|
62
|
+
|
|
63
|
+
```yaml
|
|
64
|
+
version: '3.8'
|
|
65
|
+
|
|
66
|
+
services:
|
|
67
|
+
vault:
|
|
68
|
+
image: abhibagul/filepilot-enterprise-vault:latest
|
|
69
|
+
build: .
|
|
70
|
+
ports:
|
|
71
|
+
- "8443:8443"
|
|
72
|
+
environment:
|
|
73
|
+
- PORT=8443
|
|
74
|
+
- NODE_ENV=production
|
|
75
|
+
- VAULT_DATA_DIR=/app/data
|
|
76
|
+
- VAULT_MASTER_KEY=4a6f6e617468616e206973206120736563726574206b65792121212121212121
|
|
77
|
+
volumes:
|
|
78
|
+
- vault_data:/app/data
|
|
79
|
+
depends_on:
|
|
80
|
+
- db
|
|
81
|
+
|
|
82
|
+
db:
|
|
83
|
+
image: postgres:15-alpine
|
|
84
|
+
environment:
|
|
85
|
+
- POSTGRES_DB=filepilot_vault
|
|
86
|
+
- POSTGRES_USER=vault_admin
|
|
87
|
+
- POSTGRES_PASSWORD=strong_db_password
|
|
88
|
+
volumes:
|
|
89
|
+
- postgres_data:/var/lib/postgresql/data
|
|
90
|
+
|
|
91
|
+
volumes:
|
|
92
|
+
vault_data:
|
|
93
|
+
postgres_data:
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
---
|
|
97
|
+
|
|
98
|
+
### Method 3: NPM & NPX Setup (CLI)
|
|
99
|
+
|
|
100
|
+
You can run the vault microservice directly using `npx` or install it globally from NPM:
|
|
101
|
+
|
|
102
|
+
#### Option A: Run directly with NPX (No installation required)
|
|
103
|
+
1. **Run the Setup Wizard**:
|
|
104
|
+
```bash
|
|
105
|
+
npx filepilot-enterprise-vault init
|
|
106
|
+
```
|
|
107
|
+
2. **Start the Server**:
|
|
108
|
+
```bash
|
|
109
|
+
npx filepilot-enterprise-vault start
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
#### Option B: Install Globally from NPM
|
|
113
|
+
1. **Install Globally**:
|
|
114
|
+
```bash
|
|
115
|
+
npm install -g filepilot-enterprise-vault
|
|
116
|
+
```
|
|
117
|
+
2. **Run the Setup Wizard**:
|
|
118
|
+
```bash
|
|
119
|
+
filepilot-enterprise-vault init
|
|
120
|
+
```
|
|
121
|
+
3. **Start the Server**:
|
|
122
|
+
```bash
|
|
123
|
+
filepilot-enterprise-vault start
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
## 🚀 Pushing to Docker Hub & CI/CD
|
|
129
|
+
|
|
130
|
+
This repository includes a preconfigured GitHub Actions workflow in `.github/workflows/docker-publish.yml` to automate builds and pushes.
|
|
131
|
+
|
|
132
|
+
### Prerequisites for GitHub Actions:
|
|
133
|
+
1. Go to your GitHub repository -> **Settings** -> **Secrets and variables** -> **Actions**.
|
|
134
|
+
2. Add the following **Repository Secrets**:
|
|
135
|
+
* `DOCKERHUB_USERNAME`: Your Docker Hub username.
|
|
136
|
+
* `DOCKERHUB_TOKEN`: A Personal Access Token (PAT) generated from your Docker Hub account with write access.
|
|
137
|
+
3. The workflow will automatically trigger, build, tag, and push the image to Docker Hub whenever you push a semantic version tag (e.g. `v1.0.0`) or publish a GitHub release.
|
|
138
|
+
|
|
139
|
+
---
|
|
140
|
+
|
|
141
|
+
## 🔒 Bring Your Own KMS (BYOK)
|
|
142
|
+
|
|
143
|
+
The Corporate Vault microservice supports Bring-Your-Own-KMS (BYOK) configurations. Enterprise administrators can offload Key Encryption Key (KEK) management and remote wrap/unwrap operations to their own customer-managed KMS systems (AWS KMS, Azure Key Vault, or HashiCorp Vault).
|
|
144
|
+
|
|
145
|
+
### Supported KMS Providers & Configuration
|
|
146
|
+
|
|
147
|
+
#### 1. Local (Default)
|
|
148
|
+
Uses the default app-managed `VAULT_MASTER_KEY` environment variable or local master key file to perform wrapping/unwrapping locally via AES-256-GCM. No external cloud credentials are required.
|
|
149
|
+
|
|
150
|
+
#### 2. AWS KMS (`aws-kms`)
|
|
151
|
+
Calls AWS KMS remotely to perform `Encrypt`, `Decrypt`, and `DescribeKey` operations on a customer-provided KMS Key ARN.
|
|
152
|
+
* **Non-secret Configuration (`kms_config`):**
|
|
153
|
+
* `region`: The target AWS Region (e.g. `us-east-1`).
|
|
154
|
+
* `keyArn`: The full AWS KMS Key ARN.
|
|
155
|
+
* **Credentials (`kms_credentials`):**
|
|
156
|
+
* `accessKeyId`: AWS Access Key ID.
|
|
157
|
+
* `secretAccessKey`: AWS Secret Access Key.
|
|
158
|
+
|
|
159
|
+
#### 3. Azure Key Vault (`azure-keyvault`)
|
|
160
|
+
Performs `wrapKey` and `unwrapKey` operations using an Azure Key Vault RSA key (via `RSA-OAEP-256`).
|
|
161
|
+
* **Non-secret Configuration (`kms_config`):**
|
|
162
|
+
* `vaultUrl`: The target Key Vault endpoint URL (e.g. `https://myvault.vault.azure.net`).
|
|
163
|
+
* `keyName`: The Key Name.
|
|
164
|
+
* **Credentials (`kms_credentials`):**
|
|
165
|
+
* `tenantId`: Azure AD Tenant ID.
|
|
166
|
+
* `clientId`: Client App Registration ID.
|
|
167
|
+
* `clientSecret`: Client Secret.
|
|
168
|
+
|
|
169
|
+
#### 4. HashiCorp Vault (`hashicorp-vault`)
|
|
170
|
+
Uses HashiCorp Vault's **Transit Secrets Engine** `encrypt` and `decrypt` endpoints over HTTP.
|
|
171
|
+
* **Non-secret Configuration (`kms_config`):**
|
|
172
|
+
* `vaultAddr`: The address of the Vault server (e.g. `https://vault.corp.internal:8200`).
|
|
173
|
+
* `transitKeyName`: Transit engine key name.
|
|
174
|
+
* **Credentials (`kms_credentials`):**
|
|
175
|
+
* `vaultToken`: Vault access token.
|
|
176
|
+
* `roleId`: AppRole Role ID.
|
|
177
|
+
* `secretId`: AppRole Secret ID.
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## 🔒 Tamper-Evidence & Deletion Prevention Security Boundary
|
|
182
|
+
|
|
183
|
+
The security audit logging system uses a cryptographic hash-chain to record actions, with database-level deletion prevention triggers.
|
|
184
|
+
|
|
185
|
+
| Database Engine | Application-level Deletion Block | Database-level Deletion Block | Tamper Detection (Hash-Chain Verification) | OS-level / Filesystem Access Protection |
|
|
186
|
+
| --- | --- | --- | --- | --- |
|
|
187
|
+
| **MySQL** | Yes (No DELETE/TRUNCATE endpoints) | Yes (`prevent_delete_transferlog` trigger blocks direct DELETE/TRUNCATE) | Yes (`verify-full` detects any hash/chain mismatch) | Admin should configure user privileges: revoke `DELETE` / `DROP` |
|
|
188
|
+
| **PostgreSQL** | Yes (No DELETE/TRUNCATE endpoints) | Yes (`prevent_delete_transferlog` trigger blocks direct DELETE/TRUNCATE) | Yes (`verify-full` detects any hash/chain mismatch) | Admin should configure user privileges: revoke `DELETE` / `TRUNCATE` |
|
|
189
|
+
| **SQLite** | Yes (No DELETE/TRUNCATE endpoints) | Yes (`prevent_delete_transferlog` trigger blocks direct DELETE) | Yes (`verify-full` detects any hash/chain mismatch) | None (Any user with read/write access to the database file can modify or delete the file directly) |
|
|
190
|
+
|
|
191
|
+
---
|
|
192
|
+
|
|
193
|
+
## 🔒 SIEM Webhook HMAC Signature Verification
|
|
194
|
+
|
|
195
|
+
This vault microservice sends JSON payloads of all security audit logs to the configured SIEM Webhook URL. Each webhook payload is cryptographically signed using the `siem_webhook_secret` using HMAC-SHA256.
|
|
196
|
+
|
|
197
|
+
The signature is sent in the HTTP header:
|
|
198
|
+
`X-Vault-Signature-256: sha256=<hex signature>`
|
|
199
|
+
|
|
200
|
+
---
|
|
201
|
+
|
|
202
|
+
## 🔗 Integrating with FilePilot Client
|
|
203
|
+
|
|
204
|
+
1. Boot up this microservice (either locally or containerized).
|
|
205
|
+
2. Open the FilePilot client application.
|
|
206
|
+
3. Navigate to **Settings** -> **Enterprise Sync**.
|
|
207
|
+
4. Configure the Vault URL: `http://<your-vault-host>:8200/v1/secret/data/filepilot/profiles`.
|
|
208
|
+
5. Enter the vault access token or credentials configured in the admin panel.
|
|
209
|
+
6. Click **Sync Profiles Now** to retrieve connection profiles over the secure corporate network.
|
|
Binary file
|