
Repository Request: SPIKE (Secure Production Identity for Key Encryption) #310

Open
@v0lkan

Description

Summary

SPIKE is a SPIFFE-native secrets management system designed to provide secure, identity-based secret storage and distribution. Built from the ground up with SPIFFE principles in mind, SPIKE offers a lightweight, secure, and Vault-kv-v2-compatible solution that leverages SPIFFE identities for authentication and authorization.

Initial Maintainer List

Project Purpose and Direction

SPIKE consists of three core components:

  1. SPIKE Nexus: The primary component responsible for secrets management, handling encryption/decryption, and managing the root encryption key.
  2. SPIKE Keeper: A simple, reliable component focused on maintaining a copy of the root key in memory for automatic recovery.
  3. SPIKE Pilot: The command-line interface that converts commands into RESTful mTLS API calls to SPIKE Nexus.

What Need Is This Project Solving for the SPIFFE/SPIRE Community?

SPIFFE-Native Secrets Management

SPIKE addresses a crucial gap in the SPIFFE ecosystem by providing a secrets management solution that is:

  1. SPIFFE-First: Built from the ground up to leverage SPIFFE identities, making it a natural fit for SPIFFE-enabled environments. While there are secrets management solutions such as VMware Secrets Manager (VSecM) that use SPIFFE as their identity control plane, SPIKE takes this one level further and is a direct first-class citizen of SPIFFE (in contrast, VSecM requires a Kubernetes cluster to establish its functionality).
  2. Environment Agnostic: Works in any environment where SPIFFE is supported, not limited to specific platforms like Kubernetes.
  3. Interoperable: Compatible with any valid SPIFFE implementation, including both SPIRE and proprietary solutions.

Enhanced Security Through Identity

SPIKE strengthens the SPIFFE ecosystem by:

  1. Leveraging SVID-based Authentication: All inter-component communication is secured through SPIFFE mTLS.
  2. Identity-Based Access Control: Secret paths can be aligned with SPIFFE IDs, enabling natural, identity-based access patterns.
  3. Policy Management: Supports defining access policies based on SPIFFE IDs.

Community Benefits

  1. Simplified Integration: Provides a familiar Vault-kv-v2-compatible interface while maintaining SPIFFE-native security properties.
  2. Lightweight Alternative: Offers a focused, maintainable solution for organizations that need secure secret management without the complexity and bloat of solutions that provide everything but the kitchen sink. SPIKE is a secure SPIFFE-first key-value store; it does one thing, and does it well.
  3. Reference Implementation: Serves as a reference for building SPIFFE-native applications, demonstrating best practices for identity-based security.

Alignment with SPIFFE's Mission and Goals

SPIKE directly advances SPIFFE's mission of establishing strong identities for services in dynamic, heterogeneous environments by:

  1. Demonstrating SPIFFE's Versatility: Shows how SPIFFE identities can be used as the foundation for secure secret management.
  2. Promoting Identity-First Design: Exemplifies how to build security systems around SPIFFE identities rather than retrofitting identity into existing systems.
  3. Supporting Heterogeneous Environments: Works across different platforms and environments, aligned with SPIFFE's goal of platform independence.

Project Maturity

The project currently exists in a work-in-progress state at https://github.com/zerotohero-dev/spike. Key aspects of its maturity:

  1. Design Phase: Core architecture and security model are well-defined
  2. Implementation: Initial implementation is underway with focus on core functionality
  3. Scope: Deliberately limited scope to ensure quality and maintainability

Governance

We propose a lightweight governance model:

  1. Initial Phase: Core maintainer will review and approve contributions
  2. Community Engagement: Open to contributions following the SPIFFE project's code of conduct
  3. Decision Making: Technical decisions will be made through pull requests and issues with community input
  4. Documentation: All major design decisions will be documented through Architecture Decision Records (ADRs)

Future Plans

  1. Short-term Goals:

    • Complete core functionality
    • Implement Vault-kv-v2 compatibility
    • Establish comprehensive test coverage
  2. Medium-term Goals:

    • Enhance policy management capabilities
    • Implement automated key rotation
    • Add support for multiple Keeper instances
  3. Long-term Vision:

    • Serve as the reference implementation for SPIFFE-native secret management
    • Foster ecosystem of compatible tools and integrations

Security Model

SPIKE follows a security-first approach:

  1. Trust Boundaries: Clearly defined at the machine level
  2. Key Management: In-memory root key with secure backup mechanisms
  3. Authentication: Pure SPIFFE mTLS-based component authentication
  4. Authorization: Identity-based access control using SPIFFE IDs
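One way the identity-based access control described under Enhanced Security Through Identity and in this Security Model could be expressed, as an illustrative Go example added here (it is not SPIKE's own code). The policy shape, the "/secrets" root, the Aligned flag, and the use of the standard library instead of go-spiffe are all assumptions; the caller's SPIFFE ID is assumed to have already been extracted from a validated mTLS peer SVID.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Policy grants Actions on secrets under SecretPrefix to workloads whose SPIFFE ID
// path sits under IDPrefix. With Aligned set, the secret prefix is instead derived
// from the caller's own SPIFFE ID path ("/secrets" + id path), so the secret tree
// mirrors workload identities. The shape and the "/secrets" root are assumptions.
type Policy struct {
	IDPrefix, SecretPrefix string
	Aligned                bool
	Actions                map[string]bool
}

// underPrefix is segment-aware: "/a/b" is under "/a", but "/ab" is not.
func underPrefix(p, prefix string) bool {
	return p == prefix || strings.HasPrefix(p, strings.TrimSuffix(prefix, "/")+"/")
}

// Authorize decides whether the mTLS peer presenting rawID may perform action on
// secretPath, given the local trust domain and the policy set. Deny is the default.
func Authorize(trustDomain string, policies []Policy, rawID, secretPath, action string) error {
	u, err := url.Parse(rawID)
	if err != nil || u.Scheme != "spiffe" || u.Hostname() == "" || u.Port() != "" ||
		u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("deny: malformed SPIFFE ID %q", rawID)
	}
	if u.Hostname() != trustDomain { // mTLS validated the SVID; the trust domain is pinned here
		return fmt.Errorf("deny: %s is outside trust domain %s", rawID, trustDomain)
	}
	clean := path.Clean("/" + secretPath) // "/x/../y" becomes "/y", so ".." cannot escape a prefix
	for _, pol := range policies {
		prefix := pol.SecretPrefix
		if pol.Aligned {
			prefix = "/secrets" + u.Path
		}
		if underPrefix(u.Path, pol.IDPrefix) && underPrefix(clean, prefix) && pol.Actions[action] {
			return nil
		}
	}
	return fmt.Errorf("deny: no policy grants %s on %s to %s", action, clean, rawID)
}
```

The segment-aware prefix test and the path cleaning are the two checks that most often go missing in a first implementation: without them "billing-staging" would inherit "billing" policies and a ".." segment could reach a sibling workload's secrets.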

We welcome feedback and discussion from the SPIFFE community on this proposal.
