
FreeIPA Vault plugin for Custodia

Project description

WARNING: custodia.ipa is a tech preview with a provisional API.

custodia.ipa is a storage plugin for Custodia. It provides integration with FreeIPA’s vault facility. Secrets are encrypted and stored in Dogtag’s Key Recovery Agent.

Installation requirements

  • pip
  • setuptools >= 18.0

Runtime requirements

  • custodia >= 0.3.1
  • ipalib >= 4.5.0
  • ipaclient >= 4.5.0
  • Python 2.7 (Python 3 support in IPA vault is unstable.)

custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for authentication. It is recommended to provide credentials with a keytab file or GSS-Proxy.

Testing and development

  • wheel
  • tox

virtualenv requirements

custodia.ipa depends on several binary extensions and shared libraries, such as python-cryptography, python-gssapi, python-ldap, and python-nss. For installation in a virtual environment, a C compiler and several development packages are required.

$ virtualenv venv
$ venv/bin/pip install --upgrade custodia.ipa

Fedora

$ sudo dnf install python2 python-pip python-virtualenv python-devel \
    gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
    nss-devel openldap-devel cyrus-sasl-devel openssl-devel

Debian / Ubuntu

$ sudo apt-get update
$ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
    gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
    libsasl2-dev libssl-dev

Example configuration

Create directories

$ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chmod 750 /var/lib/custodia /var/log/custodia

Create service account and keytab

$ kinit admin
$ ipa service-add custodia/client1.ipa.example
$ ipa service-allow-create-keytab custodia/client1.ipa.example --users=admin
$ mkdir -p /etc/custodia
$ ipa-getkeytab -p custodia/client1.ipa.example -k /etc/custodia/custodia.keytab

Create /etc/custodia/custodia.conf

Custodia reads an INI file: [DEFAULT] holds the directory variables, [global] the server settings, [store:NAME] a storage backend (NAME is what store = vault below refers to), and each [/path] section is a route served by its handler. The auth and authz section names are arbitrary labels.

[DEFAULT]
confdir = /etc/custodia
libdir = /var/lib/custodia
logdir = /var/log/custodia
rundir = /var/run/custodia

[global]
debug = true
server_socket = ${rundir}/custodia.sock
auditlog = ${logdir}/audit.log

[store:vault]
handler = IPAVault
keytab = {confdir}/custodia.keytab
ccache = FILE:{rundir}/ccache

[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root

[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets

[/]
handler = Root

[/secrets]
handler = Secrets
store = vault
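As an added example (not custodia's or custodia.ipa's own code), a pre-flight check for a configuration like the one above: it parses the file with the same ${var} interpolation Custodia uses and reports a Secrets route whose store has no [store:NAME] section, an authorized path with no handler section, and an IPAVault keytab that is missing or readable by group or others. The sample config inside is constructed, the auth/authz section names are assumptions, and ExtendedInterpolation needs Python 3 (or the configparser backport on Python 2.7).

```python
import configparser
import os
import stat
# Constructed sample; only 'vault' comes from the page (store = vault), other names are assumed.
SAMPLE_CONF = """
[DEFAULT]
confdir = /etc/custodia
[store:vault]
handler = IPAVault
keytab = {confdir}/custodia.keytab
[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets
[/]
handler = Root
[/secrets]
handler = Secrets
store = vault
"""
def load_conf(text):  # same ${var} interpolation Custodia uses for its INI files
    cp = configparser.ConfigParser(interpolation=configparser.ExtendedInterpolation())
    cp.read_string(text)
    return cp
def file_mode(path):  # permission bits of path, or None if it does not exist
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None
def check_conf(cp, mode_of=file_mode):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    stores = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("store:")}
    for sec in cp.sections():
        handler = cp.get(sec, "handler", fallback="")
        if handler == "Secrets" and cp.get(sec, "store", fallback="") not in stores:
            findings.append("%s: store has no matching [store:NAME] section" % sec)
        elif handler == "SimplePathAuthz":
            for p in cp.get(sec, "paths", fallback="").split():
                # in SimplePathAuthz '/.' authorizes exactly '/', not every subpath
                if (p[:-1] if p.endswith("/.") else p) not in cp.sections():
                    findings.append("%s: path %s has no handler section" % (sec, p))
        elif handler == "IPAVault":
            # the config above writes {confdir}, not ${confdir}; expand it from [DEFAULT]
            keytab = cp.get(sec, "keytab").format(**cp.defaults())
            mode = mode_of(keytab)
            if mode is None:
                findings.append("%s: keytab %s not found" % (sec, keytab))
            elif mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s: keytab %s is readable by group/others" % (sec, keytab))
    return findings
```

Run check_conf(load_conf(open("/etc/custodia/custodia.conf").read())) on the host before starting the server; the keytab check uses the real file mode there.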

Run Custodia server

$ custodia /etc/custodia/custodia.conf

Download files

Files for custodia.ipa, version 0.1.0:

  • custodia.ipa-0.1.0-py2.py3-none-any.whl (9.1 kB), wheel, Python py2.py3
  • custodia.ipa-0.1.0.tar.gz (21.3 kB), source distribution
