System Overview
BV consists of three actors:
- Requester
- BV Web Application (BVWA)
- BV Key Server (BVKS)
Responsibilities
Requester
- asks for secrets
- uses returned values
BVWA
- public HTTPS API
- authenticates requests
- stores encrypted secret blobs
- delegates all crypto to BVKS
BVKS
- private service
- stores wrapped keys only
- performs all encryption and decryption
- never stores secret values
High-level flow
Requester ==> BVWA ==> BVKS ==> BVWA ==> Requester
Data separation
BVWA:
- encrypted secrets
- metadata
BVKS:
- wrapped keys
No single component stores both keys and plaintext secrets.
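The separation above, as an added Python model that is not part of BV's own code: BVWA keeps only ciphertext plus metadata and authenticates the requester, BVKS keeps only a KEK and wrapped data keys and does every encrypt/decrypt. The SHA-256 counter-mode keystream with an HMAC tag stands in for a real AEAD, and all class and method names are assumed.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class BVKS:
    """Private key server: holds a KEK and wrapped data keys, never secret values."""
    def __init__(self):
        self._kek = os.urandom(32)   # key-encryption key, never leaves BVKS
        self.wrapped = {}            # key_id -> data key sealed under the KEK
    def new_key(self):
        key_id = os.urandom(8).hex()
        self.wrapped[key_id] = _seal(self._kek, os.urandom(32))
        return key_id
    def encrypt(self, key_id, plaintext):
        return _seal(_open(self._kek, self.wrapped[key_id]), plaintext)
    def decrypt(self, key_id, blob):
        return _open(_open(self._kek, self.wrapped[key_id]), blob)

class BVWA:
    """Public API: authenticates, stores ciphertext + metadata, delegates crypto to BVKS."""
    def __init__(self, bvks, tokens):
        self._bvks, self._tokens = bvks, tokens   # tokens: bearer token -> requester
        self.store = {}                           # name -> {owner, key_id, blob}
    def put(self, token, name, value):
        owner = self._tokens[token]               # KeyError: unauthenticated
        key_id = self._bvks.new_key()
        self.store[name] = {"owner": owner, "key_id": key_id,
                            "blob": self._bvks.encrypt(key_id, value)}
    def get(self, token, name):
        rec = self.store[name]
        if self._tokens[token] != rec["owner"]:
            raise PermissionError("requester does not own this secret")
        return self._bvks.decrypt(rec["key_id"], rec["blob"])
```

Inspecting `wa.store` and `ks.wrapped` after a `put` shows the invariant directly: the plaintext appears in neither, and only the combination of both services can recover it.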