Encrypted Cloud Relays - for any application!
Here's something to try with this release!
Let's create an end-to-end encrypted, mutually authenticated, secure and private cloud relay detailed explanation
# Install ockam command
brew install build-trust/ockam/ockam
# Create a cryptographic identity and enroll with Ockam Orchestrator.
# This will sign you up for an account with Ockam Orchestrator and setup a
# trial space and project for you.
ockam enroll
# -- APPLICATION SERVICE --
# Start our application service, listening on a local ip and port, that clients
# would access through the cloud relay. We'll use a simple http server for our
# first example but this could be some other application service.
python3 -m http.server --bind 127.0.0.1 5000
# Setup an ockam node, called blue, as a sidecar next to our application service.
# Create a tcp outlet on the blue node to send raw tcp traffic to the application service.
# Then create a forwarding relay at your default orchestrator project to blue.
ockam node create blue
ockam tcp-outlet create --at /node/blue --from /service/outlet --to 127.0.0.1:5000
ockam forwarder create blue --at /project/default --to /node/blue
# -- APPLICATION CLIENT --
# Setup an ockam node, called green, as a sidecar next to our application client.
# Then create an end-to-end encrypted secure channel with blue, through the cloud relay.
# Then tunnel traffic from a local tcp inlet through this end-to-end secure channel.
ockam node create green
ockam secure-channel create --from /node/green --to /project/default/service/forward_to_blue/service/api \
| ockam tcp-inlet create --at /node/green --from 127.0.0.1:7000 --to -/service/outlet
# Access the application service though the end-to-end encrypted, secure relay.
$ curl 127.0.0.1:7000
We just created end-to-end encrypted, mutually authenticated, and authorized secure communication between a tcp client and server. This client and server can be running in separate private networks / NATs. We didn't have to expose our server by opening a port on the Internet or punching a hole in our firewall.
The two sides authenticated and authorized each other's known, cryptographically provable identifiers. In later examples we'll see how we can build granular, attribute-based access control with authorization policies.
A more detailed explanation https://docs.ockam.io/guides/encrypted-cloud-relays
To learn more, install and run ockam --help
Homebrew
To install this release using Homebrew:
$ brew install build-trust/ockam/ockam
Docker
To use the Docker OCI package:
docker pull ghcr.io/build-trust/ockam:0.75.0
Precompiled Binaries
To install a precompiled binary:
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \
https://github.com/build-trust/ockam/releases/download/ockam_v0.75.0/ockam.x86_64-unknown-linux-gnu
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
Verify:
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \
https://github.com/build-trust/ockam/releases/download/ockam_v0.75.0/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \
https://github.com/build-trust/ockam/releases/download/ockam_v0.75.0/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \
https://github.com/build-trust/ockam/releases/download/ockam_v0.75.0/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execure
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
cargo add ockam@0.75.0
The following crates were published as part of this release:
ockam 0.75.0
(Documentation, CHANGELOG)ockam_abac 0.9.0
(Documentation, CHANGELOG)ockam_api 0.18.0
(Documentation, CHANGELOG)ockam_channel 0.69.0
(Documentation, CHANGELOG)ockam_command 0.75.0
(Documentation, CHANGELOG)ockam_core 0.69.0
(Documentation, CHANGELOG)ockam_examples 0.42.0
(Documentation, CHANGELOG)ockam_executor 0.37.0
(Documentation, CHANGELOG)ockam-ffi 0.61.0
(Documentation, CHANGELOG)ockam_identity 0.63.0
(Documentation, CHANGELOG)ockam_key_exchange_core 0.60.0
(Documentation, CHANGELOG)ockam_key_exchange_x3dh 0.64.0
(Documentation, CHANGELOG)ockam_key_exchange_xx 0.65.0
(Documentation, CHANGELOG)ockam_macros 0.23.0
(Documentation, CHANGELOG)ockam_multiaddr 0.9.0
(Documentation, CHANGELOG)ockam_node 0.72.0
(Documentation, CHANGELOG)ockam_transport_ble 0.30.0
(Documentation, CHANGELOG)ockam_transport_core 0.42.0
(Documentation, CHANGELOG)ockam_transport_tcp 0.70.0
(Documentation, CHANGELOG)ockam_transport_udp 0.17.0
(Documentation, CHANGELOG)ockam_transport_websocket 0.61.0
(Documentation, CHANGELOG)ockam_vault 0.65.0
(Documentation, CHANGELOG)
Contributors
- @adrianbenavides, @BeenzSyed, @hairyhum, @mattgreg, @metaclips, @mrinalwadhwa, @polvorin, @sobi3ch, @SanjoDeundiak, @twittner contributed to this release.
Community Contributors
- @tacoda made their first contribution in 3443
- @leonzchang made some more awesome contributions in 3431 and 3439