App layer crypto codec

.devcontainer/devcontainer.env

@@ -0,0 +1 @@
+IMIX_SERVER_PUBKEY=PLACE_HOLDER

.github/workflows/tests.yml

@@ -33,6 +33,8 @@ jobs:
   implants:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
+    env:
+      IMIX_SERVER_PUBKEY: "pR56vDJZb9b3BL3ZvCXIvgK0r2vCk7FiZ1RjeEhJVyU="
     strategy:
       matrix:
         os:
@@ -71,7 +73,7 @@ jobs:
         cd ./bin/reflective_loader/
         cargo +nightly-2025-01-31 build --release -Z build-std=core,compiler_builtins -Z build-std-features=compiler-builtins-mem
     - name: Install latest nextest & cargo-llvm-cov release
-      uses: taiki-e/install-action@v2.52.7
+      uses: taiki-e/install-action@v2
       with:
         tool: nextest,cargo-llvm-cov
     - name: 🔎 Run tests

.vscode/settings.json

@@ -3,6 +3,9 @@
         "--profile",
         "rust-analyzer"
     ],
+    "rust-analyzer.server.extraEnv": {
+        "IMIX_SERVER_PUBKEY": "v3NEg3eB9/e3wi4HHSoIIgPq3BEi6xrurKOSuOVj72g="
+    },
     "rust-analyzer.check.command": "clippy",
     "rust-analyzer.showUnlinkedFileNotification": false,
 }

docs/_docs/admin-guide/tavern.md

@@ -117,6 +117,15 @@ By default, Tavern does not export metrics. You may use the below environment co
 | ENABLE_METRICS | Set to any value to enable the "/metrics" endpoint. | Disabled | No |
 | HTTP_METRICS_LISTEN_ADDR | Listen address for the metrics HTTP server, it must be different than the value of `HTTP_LISTEN_ADDR`. | `127.0.0.1:8080` | No |
 
+### Secrets
+
+By default, Tavern wants to use a GCP KMS for secrets management. The secrets engine is used to generate keypairs when communicating with agents.
+If you're running locally make suer to set the secrets manager to a local file path using:
+
+```bash
+SECRETS_FILE_PATH="/tmp/secrets" go run ./tavern/
+```
+
 ### MySQL
 
 By default, Tavern operates an in-memory SQLite database. To persist data, a MySQL backend is supported. In order to configure Tavern to use MySQL, the `MYSQL_ADDR` environment variable must be set to the `host[:port]` of the database (e.g. `127.0.0.1`, `mydb.com`, or `mydb.com:3306`). You can reference the [mysql.Config](https://pkg.go.dev/github.com/go-sql-driver/mysql#Config) for additional information about Tavern's MySQL configuration.

docs/_docs/user-guide/imix.md

@@ -83,6 +83,11 @@ This isn't ideal as in the UI each new beacon will appear as thought it were on
 
 ## Static cross compilation
 
+**We strongly recommend building agents inside the provided devcontainer `.devcontainer`**
+Building in the dev container limits variables that might cause issues and is the most tested way to compile.
+
+**Imix requires a server public key so it can encrypt messsages to and from the server check the server log for `level=INFO msg="public key: <SERVER_PUBKEY_B64>"`. This base64 encoded string should be passed to the agent using the environment variable `IMIX_SERVER_PUBKEY`**
+
 ### Linux
 
 ```bash
@@ -91,7 +96,7 @@ rustup target add x86_64-unknown-linux-musl
 sudo apt update
 sudo apt install musl-tools
 cd realm/implants/imix/
-cargo build --release --bin imix --target=x86_64-unknown-linux-musl
+IMIX_SERVER_PUBKEY="<SERVER_PUBKEY>" cargo build --release --bin imix --target=x86_64-unknown-linux-musl
 ```
 
 ### MacOS
@@ -113,10 +118,11 @@ sudo apt install gcc-mingw-w64
 
 # Build imix
 cd realm/implants/imix/
+
 # Build imix.exe
-cargo build --release --target=x86_64-pc-windows-gnu
+IMIX_SERVER_PUBKEY="<SERVER_PUBKEY>" cargo build --release --target=x86_64-pc-windows-gnu
 # Build imix.svc.exe
-cargo build --release --features win_service --target=x86_64-pc-windows-gnu
+IMIX_SERVER_PUBKEY="<SERVER_PUBKEY>" cargo build --release --features win_service --target=x86_64-pc-windows-gnu
 # Build imix.dll
-cargo build --release --lib --target=x86_64-pc-windows-gnu
+IMIX_SERVER_PUBKEY="<SERVER_PUBKEY>" cargo build --release --lib --target=x86_64-pc-windows-gnu
 ```