Propose a new Ockam Vault implementation

[mrinalwadhwa]

Various Ockam protocols depend on a variety of standard cryptographic primitives or building blocks. Depending on the environment, these building blocks may be provided by a software implementation or a cryptographically capable hardware component.

In order to support a variety of cryptographically capable hardware we maintain loose coupling between a protocol and how a specific building block is invoked in a specific hardware. This is achieved using an abstract Vault interface.

A concrete implementation of the Vault interface is called an Ockam Vault. Over time there will be many such implementations.

Here are some of the vault implementation we're considering
https://github.com/ockam-network/ockam/issues?q=is%3Aissue+is%3Aopen+label%3A%22Component%3A+Vault%22

What else should we consider?

[mrinalwadhwa]

Vault implementation candidates may be called TEEs / TPMs / HSMs / Secure Enclave Processors / Crypto Co-Processors etc.

Many primary processors also have AES specific instructions

[hug-dev]

Hey @mrinalwadhwa!

Directly answering your question, I think you should consider implementing a Parsec Ockham Vault 😄!

Parsec is a new CNCF Sandbox project we are working on and some of its features seems to be an exact match of what you are looking for here!

In a bit more details:

• Parsec provides one single API to communicate to a range of different cryptographically capable hardware components. Currently we are supporting TPMs, HSMs, Trusted Service (using TEE), ATECCx08 cryptographic chips. See our operation coverage.
• Parsec is an userspace daemon accessing the hardware, brokering its access amoung multiple tenants in a secure and authenticated way.
• API calls to Parsec are done through a Parsec client which can be implemented in any programming language. Our main one is written in Rust but we also have a C one!

If you can handle the French accent and my poor presentation skills, I made a talk giving an overview of Parsec recently 😬 Bit easier to have an idea of what Parsec is without having to read through all the doc.

Implementing a Parsec Ockham Vault would mean that Ockham could only have to implement one Vault to have access to all crypto-hardware that Parsec supports. I had a look at the Vault traits and I think they seem implementable by our Parsec Client.

Would be very happy to discuss more about this! The team hangs out on the #parsec Slack channel in the CNCF workspace (details here).

[mrinalwadhwa]

Hi @hug-dev 👋 thank you for that suggestion. Parsec looks really interesting!
I'll learn more about it from your video and come back with questions.