khaled

A pluggable reference implementation of a CABE Key Server.

khaled is the reference implementation of a key server within the CABE Architecture. It distributes cryptographic keys to authorized clients according to a centrally managed policy, to facilitate managed encryption and decryption of arbitrary objects according to the principles of Attribute-Based Access Control (ABAC).

Pluggable

khaled features seven plugin types including client authentication, principal claims mapping, policy sourcing, policy evaluation, and protocol transport, making it customizable to any operational environment or need.

CABE-compliant

khaled serves as a centerpiece of a CABE deployment, enabling clients to encapsulate and de-encapsulate information using CABE.

SPIFFE and Kubernetes-aware

khaled can authenticate clients using X.509-SVIDs in any SPIFFE-enabled infrastructure, Kubernetes or non-Kubernetes, and can perform Kubernetes-aware attestation to gate access to keys based on policy expressed over Kubernetes pod metadata such as labels, attributes, or container images.

Cedar-based ABAC policy

Write programmatic policy in the AWS-proven Cedar policy language to enforce arbitrary attribute-based access control requirements, or swap out the Cedar plugin for an alternative of your choice.