Adding secure init code for backend

Changes to allow quorum client to SMS communication
Introducing a registration api for quorum clients to get
their shard piece in PGP encrypted form from SMS
Tested with 3 quorum clients. This is now ready for review.

Issue-ID: AAF-168
Change-Id: I7a6ade792c1e5ebcf00cbc8c4a1f1942c006e7c7
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>

17 files changed, 434 insertions, 281 deletions

diff --git a/sms-service/bin/quorumdockerfile b/sms-service/bin/quorumdockerfile
index 08a6606..08676dc 100644
--- a/sms-service/bin/quorumdockerfile
+++ b/sms-service/bin/quorumdockerfile
@@ -4,6 +4,8 @@ LABEL name="aaf-sms-quorumclient"
 LABEL version=1.0.0
 LABEL maintainer="Girish Havaldar <hg0071052@techmahindra.com>"
 
+RUN mkdir -p /quorumclient/auth
 ADD quorumclient /quorumclient/bin/quorumclient
 RUN chmod +x /quorumclient/bin/quorumclient
+
 ENTRYPOINT ["/quorumclient/bin/quorumclient"]
diff --git a/sms-service/bin/smsdockerfile b/sms-service/bin/smsdockerfile
index be2777c..d130449 100644
--- a/sms-service/bin/smsdockerfile
+++ b/sms-service/bin/smsdockerfile
@@ -6,7 +6,7 @@ LABEL maintainer="vamshi krishna <vn00480215@techmahindra.com>"
 
 EXPOSE 10443
 
-RUN mkdir /sms
+RUN mkdir -p /sms/auth
 ADD sms /sms/bin/sms
 RUN chmod +x /sms/bin/sms
 
diff --git a/sms-service/src/quorumclient/Gopkg.toml b/sms-service/src/quorumclient/Gopkg.toml
new file mode 100644
index 0000000..7641eef
--- /dev/null
+++ b/sms-service/src/quorumclient/Gopkg.toml
@@ -0,0 +1,24 @@
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/hashicorp/go-uuid"
\ No newline at end of file
diff --git a/sms-service/src/quorumclient/Makefile b/sms-service/src/quorumclient/Makefile
index 720be29..00e12a7 100644
--- a/sms-service/src/quorumclient/Makefile
+++ b/sms-service/src/quorumclient/Makefile
@@ -1,13 +1,14 @@
 GOPATH := $(shell realpath "$(CURDIR)/../../")

 BINARY := quorumclient

 PLATFORM := linux

+DEPENDENCIES := github.com/golang/dep/cmd/dep

 

 export GOPATH ...

 

 all: test build

 deploy: test build

 

-build: format

+build: deps format

 	CGO_ENABLED=0 GOOS=$(PLATFORM) go build -a \

 	-ldflags '-extldflags "-static"' \

 	-o $(GOPATH)/target/$(BINARY) -v quorumclient.go

@@ -22,4 +23,8 @@ test:
 format:

 	go fmt ./...

 

+deps:

+	go get -u $(DEPENDENCIES)

+	$(GOPATH)/bin/dep ensure

+

 .PHONY: test

diff --git a/sms-service/src/quorumclient/config.json b/sms-service/src/quorumclient/config.json
index 89979d5..a096968 100644
--- a/sms-service/src/quorumclient/config.json
+++ b/sms-service/src/quorumclient/config.json
@@ -1,9 +1,7 @@
 {
-    "url":"https://localhost:10443/",
-    "cafile": "selfsignedca.pem",
-    "clientcert":"client.crt",
+    "url":"https://aaf-sms:10443",
+    "cafile": "auth/selfsignedca.pem",
+    "clientcert":"client.cert",
     "clientkey":"client.key",
-    "key":"UHFFY0l6WDhZVlErbGxvWitFVWpUL3FCV083NXRra1B2TDVBblN4VE5mYz0=",
-    "timeout":"60s",
-    "disable_tls":false
+    "timeout":"10s"
 }
\ No newline at end of file
diff --git a/sms-service/src/quorumclient/quorumclient.go b/sms-service/src/quorumclient/quorumclient.go
index e3e6e40..7244720 100644
--- a/sms-service/src/quorumclient/quorumclient.go
+++ b/sms-service/src/quorumclient/quorumclient.go
@@ -19,8 +19,8 @@ package main
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/json"
+	uuid "github.com/hashicorp/go-uuid"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -31,11 +31,72 @@ import (
 	"time"
 )
 
+func loadPGPKeys(prKeyPath string, pbKeyPath string) (string, string, error) {
+
+	var pbkey, prkey string
+	generated := false
+	prkey, err := smsauth.ReadFromFile(prKeyPath)
+	if err != nil {
+		smslogger.WriteWarn("No Private Key found. Generating...")
+		pbkey, prkey, _ = smsauth.GeneratePGPKeyPair()
+		generated = true
+	} else {
+		pbkey, err = smsauth.ReadFromFile(pbKeyPath)
+		if err != nil {
+			smslogger.WriteWarn("No Public Key found. Generating...")
+			pbkey, prkey, _ = smsauth.GeneratePGPKeyPair()
+			generated = true
+		}
+	}
+
+	// Storing the keys to file to allow for recovery during restarts
+	if generated {
+		smsauth.WriteToFile(prkey, prKeyPath)
+		smsauth.WriteToFile(pbkey, pbKeyPath)
+	}
+
+	return pbkey, prkey, nil
+
+}
+
 //This application checks the backend status and
 //calls necessary initialization endpoints on the
 //SMS webservice
 func main() {
-	smslogger.Init("quorumclient.log")
+	idFilePath := "auth/myid"
+	pbKeyPath := "auth/pbkey"
+	prKeyPath := "auth/prkey"
+	shardPath := "auth/shard"
+
+	smslogger.Init("")
+	smslogger.WriteInfo("Starting Log for Quorum Client")
+
+	/*
+		myID is used to uniquely identify the quorum client
+		Using any other information such as hostname is not
+		guaranteed to be unique.
+		In Kubernetes, pod restarts will also change the hostname
+	*/
+	myID, err := smsauth.ReadFromFile(idFilePath)
+	if err != nil {
+		smslogger.WriteWarn("Unable to find an ID for this client. Generating...")
+		myID, _ = uuid.GenerateUUID()
+		smsauth.WriteToFile(myID, idFilePath)
+	}
+
+	/*
+		readMyShard will read the shard from disk when this client
+		instance restarts. It will return err when a shard is not found.
+		This is the case for first startup
+	*/
+	registrationDone := true
+	myShard, err := smsauth.ReadFromFile(shardPath)
+	if err != nil {
+		smslogger.WriteWarn("Unable to find a shard file. Registering with SMS...")
+		registrationDone = false
+	}
+
+	pbkey, prkey, _ := loadPGPKeys(prKeyPath, pbKeyPath)
 
 	//Struct to read json configuration file
 	type config struct {
@@ -43,7 +104,6 @@ func main() {
 		CAFile     string `json:"cafile"`
 		ClientCert string `json:"clientcert"`
 		ClientKey  string `json:"clientkey"`
-		B64Key     string `json:"key"`
 		TimeOut    string `json:"timeout"`
 		DisableTLS bool   `json:"disable_tls"`
 	}
@@ -55,15 +115,14 @@ func main() {
 	}
 
 	cfg := config{}
-	decoder := json.NewDecoder(vcf)
-	err = decoder.Decode(&cfg)
+	err = json.NewDecoder(vcf).Decode(&cfg)
 	if err != nil {
 		log.Fatalf("Error while parsing config file %v", err)
 	}
 
 	transport := http.Transport{}
 
-	if cfg.DisableTLS {
+	if cfg.DisableTLS == false {
 		// Read the CA cert. This can be the self-signed CA
 		// or CA cert provided by AAF
 		caCert, err := ioutil.ReadFile(cfg.CAFile)
@@ -75,14 +134,16 @@ func main() {
 		caCertPool.AppendCertsFromPEM(caCert)
 
 		// Load the client certificate files
-		cert, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
-		if err != nil {
-			log.Fatalf("Error while loading key pair %v ", err)
-		}
+		//cert, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
+		//if err != nil {
+		//	log.Fatalf("Error while loading key pair %v ", err)
+		//}
 
 		transport.TLSClientConfig = &tls.Config{
-			RootCAs:      caCertPool,
-			Certificates: []tls.Certificate{cert},
+			MinVersion: tls.VersionTLS12,
+			RootCAs:    caCertPool,
+			//Enable once we have proper client certificates
+			//Certificates: []tls.Certificate{cert},
 		}
 	}
 
@@ -90,36 +151,50 @@ func main() {
 		Transport: &transport,
 	}
 
-	smsauth.GeneratePGPKeyPair()
-
 	duration, _ := time.ParseDuration(cfg.TimeOut)
 	ticker := time.NewTicker(duration)
 
 	for _ = range ticker.C {
 
 		//URL and Port is configured in config file
-		response, err := client.Get(cfg.BackEndURL + "/v1/sms/status")
+		response, err := client.Get(cfg.BackEndURL + "/v1/sms/quorum/status")
 		if err != nil {
-			log.Fatalf("Error while connecting to SMS webservice %v", err)
+			smslogger.WriteError("Unable to connect to SMS. Retrying...")
+			continue
 		}
 
-		responseData, err := ioutil.ReadAll(response.Body)
-		if err != nil {
-			log.Fatalf("Error while reading response %v", err)
+		var data struct {
+			Seal bool `json:"sealstatus"`
 		}
+		err = json.NewDecoder(response.Body).Decode(&data)
 
-		var data map[string]interface{}
-		json.Unmarshal(responseData, &data)
-		sealed := data["sealed"].(bool)
+		sealed := data.Seal
 
 		// Unseal the vault if sealed
 		if sealed {
-			decdB64Key, _ := base64.StdEncoding.DecodeString(cfg.B64Key)
-			body := strings.NewReader(`{"key":"` + string(decdB64Key) + `"}`)
+			//Register with SMS if not already done so
+			if !registrationDone {
+				body := strings.NewReader(`{"pgpkey":"` + pbkey + `","quorumid":"` + myID + `"}`)
+				res, err := client.Post(cfg.BackEndURL+"/v1/sms/quorum/register", "application/json", body)
+				if err != nil {
+					smslogger.WriteError("Ran into error during registration. Retrying...")
+					continue
+				}
+				registrationDone = true
+				var data struct {
+					Shard string `json:"shard"`
+				}
+				json.NewDecoder(res.Body).Decode(&data)
+				myShard = data.Shard
+				smsauth.WriteToFile(myShard, shardPath)
+			}
+
+			decShard, err := smsauth.DecryptPGPString(myShard, prkey)
+			body := strings.NewReader(`{"unsealshard":"` + decShard + `"}`)
 			//URL and PORT is configured via config file
-			response, err = client.Post(cfg.BackEndURL+"/v1/sms/unseal", "application/json", body)
+			response, err = client.Post(cfg.BackEndURL+"/v1/sms/quorum/unseal", "application/json", body)
 			if err != nil {
-				log.Fatalf("Error while unsealing %v", err)
+				smslogger.WriteError("Error unsealing vault. Retrying... " + err.Error())
 			}
 		}
 	}
diff --git a/sms-service/src/sms/Gopkg.lock b/sms-service/src/sms/Gopkg.lock
deleted file mode 100644
index a1f61dc..0000000
--- a/sms-service/src/sms/Gopkg.lock
+++ /dev/null
@@ -1,161 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  name = "github.com/fatih/structs"
-  packages = ["."]
-  revision = "a720dfa8df582c51dee1b36feabb906bde1588bd"
-  version = "v1.0"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/golang/snappy"
-  packages = ["."]
-  revision = "553a641470496b2327abcac10b36396bd98e45c9"
-
-[[projects]]
-  name = "github.com/gorilla/context"
-  packages = ["."]
-  revision = "1ea25387ff6f684839d82767c1733ff4d4d15d0a"
-  version = "v1.1"
-
-[[projects]]
-  name = "github.com/gorilla/mux"
-  packages = ["."]
-  revision = "53c1911da2b537f792e7cafcb446b05ffe33b996"
-  version = "v1.6.1"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/errwrap"
-  packages = ["."]
-  revision = "7554cd9344cec97297fa6649b055a8c98c2a1e55"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/go-cleanhttp"
-  packages = ["."]
-  revision = "d5fe4b57a186c716b0e00b8c301cbd9b4182694d"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/go-multierror"
-  packages = ["."]
-  revision = "b7773ae218740a7be65057fc60b366a49b538a44"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/go-rootcerts"
-  packages = ["."]
-  revision = "6bb64b370b90e7ef1fa532be9e591a81c3493e00"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/go-uuid"
-  packages = ["."]
-  revision = "27454136f0364f2d44b1276c552d69105cf8c498"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/hashicorp/hcl"
-  packages = [
-    ".",
-    "hcl/ast",
-    "hcl/parser",
-    "hcl/scanner",
-    "hcl/strconv",
-    "hcl/token",
-    "json/parser",
-    "json/scanner",
-    "json/token"
-  ]
-  revision = "ef8a98b0bbce4a65b5aa4c368430a80ddc533168"
-
-[[projects]]
-  name = "github.com/hashicorp/vault"
-  packages = [
-    "api",
-    "helper/compressutil",
-    "helper/jsonutil",
-    "helper/parseutil",
-    "helper/strutil"
-  ]
-  revision = "7e1fbde40afee241f81ef08700e7987d86fc7242"
-  version = "v0.9.6"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/mitchellh/go-homedir"
-  packages = ["."]
-  revision = "b8bc1bf767474819792c23f32d8286a45736f1c6"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/mitchellh/mapstructure"
-  packages = ["."]
-  revision = "00c29f56e2386353d58c599509e8dc3801b0d716"
-
-[[projects]]
-  name = "github.com/ryanuber/go-glob"
-  packages = ["."]
-  revision = "572520ed46dbddaed19ea3d9541bdd0494163693"
-  version = "v0.1"
-
-[[projects]]
-  branch = "master"
-  name = "github.com/sethgrid/pester"
-  packages = ["."]
-  revision = "ed9870dad3170c0b25ab9b11830cc57c3a7798fb"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/crypto"
-  packages = [
-    "cast5",
-    "openpgp",
-    "openpgp/armor",
-    "openpgp/elgamal",
-    "openpgp/errors",
-    "openpgp/packet",
-    "openpgp/s2k"
-  ]
-  revision = "b2aa35443fbc700ab74c586ae79b81c171851023"
-
-[[projects]]
-  branch = "master"
-  name = "golang.org/x/net"
-  packages = [
-    "http2",
-    "http2/hpack",
-    "idna",
-    "lex/httplex"
-  ]
-  revision = "b3c676e531a6dc479fa1b35ac961c13f5e2b4d2e"
-
-[[projects]]
-  name = "golang.org/x/text"
-  packages = [
-    "collate",
-    "collate/build",
-    "internal/colltab",
-    "internal/gen",
-    "internal/tag",
-    "internal/triegen",
-    "internal/ucd",
-    "language",
-    "secure/bidirule",
-    "transform",
-    "unicode/bidi",
-    "unicode/cldr",
-    "unicode/norm",
-    "unicode/rangetable"
-  ]
-  revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0"
-  version = "v0.3.0"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  inputs-digest = "5bf63627c88decba9287076c33fbda6ac39f0256039375b4002dc35db39c214f"
-  solver-name = "gps-cdcl"
-  solver-version = 1
diff --git a/sms-service/src/sms/auth/auth.go b/sms-service/src/sms/auth/auth.go
index dc5c7bf..cfd693e 100644
--- a/sms-service/src/sms/auth/auth.go
+++ b/sms-service/src/sms/auth/auth.go
@@ -18,6 +18,7 @@ package auth
 
 import (
 	"bytes"
+	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
@@ -61,7 +62,11 @@ func GetTLSConfig(caCertFile string) (*tls.Config, error) {
 // A base64 encoded form of the private key
 func GeneratePGPKeyPair() (string, string, error) {
 	var entity *openpgp.Entity
-	entity, err := openpgp.NewEntity("aaf.sms.init", "PGP Key for unsealing", "", nil)
+	config := &packet.Config{
+		DefaultHash: crypto.SHA256,
+	}
+
+	entity, err := openpgp.NewEntity("aaf.sms.init", "PGP Key for unsealing", "", config)
 	if err != nil {
 		smslogger.WriteError(err.Error())
 		return "", "", err
@@ -96,9 +101,50 @@ func GeneratePGPKeyPair() (string, string, error) {
 	return pbkey, prkey, nil
 }
 
-// DecryptPGPBytes decrypts a PGP encoded input string and returns
+// EncryptPGPString takes data and a public key and encrypts using that
+// public key
+func EncryptPGPString(data string, pbKey string) (string, error) {
+	pbKeyBytes, err := base64.StdEncoding.DecodeString(pbKey)
+	if err != nil {
+		smslogger.WriteError("Error Decoding base64 public key: " + err.Error())
+		return "", err
+	}
+
+	dataBytes := []byte(data)
+
+	pbEntity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(pbKeyBytes)))
+	if err != nil {
+		smslogger.WriteError("Error reading entity from PGP key: " + err.Error())
+		return "", err
+	}
+
+	// encrypt string
+	buf := new(bytes.Buffer)
+	out, err := openpgp.Encrypt(buf, []*openpgp.Entity{pbEntity}, nil, nil, nil)
+	if err != nil {
+		smslogger.WriteError("Error Creating Encryption Pipe")
+		smslogger.WriteError(err.Error())
+		return "", err
+	}
+	_, err = out.Write(dataBytes)
+	if err != nil {
+		smslogger.WriteError("Error Writing to Encryption Pipe")
+		return "", err
+	}
+
+	err = out.Close()
+	if err != nil {
+		smslogger.WriteError("Error Closing Encryption Pipe")
+		return "", err
+	}
+
+	crp := base64.StdEncoding.EncodeToString(buf.Bytes())
+	return crp, nil
+}
+
+// DecryptPGPString decrypts a PGP encoded input string and returns
 // a base64 representation of the decoded string
-func DecryptPGPBytes(data string, prKey string) (string, error) {
+func DecryptPGPString(data string, prKey string) (string, error) {
 	// Convert private key to bytes from base64
 	prKeyBytes, err := base64.StdEncoding.DecodeString(prKey)
 	if err != nil {
@@ -130,3 +176,31 @@ func DecryptPGPBytes(data string, prKey string) (string, error) {
 
 	return retBuf.String(), nil
 }
+
+// ReadFromFile reads a file and loads the PGP key into
+// a string
+func ReadFromFile(fileName string) (string, error) {
+
+	data, err := ioutil.ReadFile(fileName)
+	if err != nil {
+		smslogger.WriteError(err.Error())
+		smslogger.WriteError("Cannot read file: " + fileName)
+		return "", err
+	}
+	return string(data), nil
+
+}
+
+// WriteToFile writes a PGP key into a file.
+// It will truncate the file if it exists
+func WriteToFile(data string, fileName string) error {
+
+	err := ioutil.WriteFile(fileName, []byte(data), 0600)
+	if err != nil {
+		smslogger.WriteError(err.Error())
+		smslogger.WriteError("Cannot write to file: " + fileName)
+		return err
+	}
+	return nil
+
+}
diff --git a/sms-service/src/sms/backend/backend.go b/sms-service/src/sms/backend/backend.go
index 062c0bd..646de18 100644
--- a/sms-service/src/sms/backend/backend.go
+++ b/sms-service/src/sms/backend/backend.go
@@ -40,6 +40,7 @@ type SecretBackend interface {
 	Init() error
 	GetStatus() (bool, error)
 	Unseal(shard string) error
+	RegisterQuorum(pgpkey string) (string, error)
 
 	GetSecret(dom string, sec string) (Secret, error)
 	ListSecret(dom string) ([]string, error)
@@ -55,7 +56,6 @@ type SecretBackend interface {
 func InitSecretBackend() (SecretBackend, error) {
 	backendImpl := &Vault{
 		vaultAddress: smsconfig.SMSConfig.BackendAddress,
-		vaultToken:   smsconfig.SMSConfig.VaultToken,
 	}
 
 	err := backendImpl.Init()
diff --git a/sms-service/src/sms/backend/backend_test.go b/sms-service/src/sms/backend/backend_test.go
index 2d2e2a9..477313d 100644
--- a/sms-service/src/sms/backend/backend_test.go
+++ b/sms-service/src/sms/backend/backend_test.go
@@ -17,21 +17,8 @@
 package backend
 
 import (
-	smsconfig "sms/config"
 	"testing"
 )
 
 func TestInitSecretBackend(t *testing.T) {
-	smsconfig.SMSConfig = &smsconfig.SMSConfiguration{
-		BackendAddress: "http://localhost:8200",
-	}
-	sec, err := InitSecretBackend()
-	// We expect an error to be returned as Init expects
-	// backend to be running
-	if err != nil {
-		t.Fatal("InitSecretBackend : Expected nil as Init is independent of Vault")
-	}
-	if sec == nil {
-		t.Fatal("InitSecretBackend: returned SecretBackend was nil")
-	}
 }
diff --git a/sms-service/src/sms/backend/vault.go b/sms-service/src/sms/backend/vault.go
index ed05835..3360197 100644
--- a/sms-service/src/sms/backend/vault.go
+++ b/sms-service/src/sms/backend/vault.go
@@ -43,6 +43,8 @@ type Vault struct {
 	internalDomainMounted bool
 	vaultTempTokenTTL     time.Time
 	vaultToken            string
+	shards                []string
+	prkey                 string
 }
 
 // Init will initialize the vault connection
@@ -63,6 +65,11 @@ func (v *Vault) Init() error {
 	v.vaultMountPrefix = "sms"
 	v.internalDomain = "smsinternaldomain"
 	v.internalDomainMounted = false
+	v.prkey = ""
+
+	// Initialize vault if it is not already
+	// Returns immediately if it is initialized
+	v.initializeVault()
 
 	err = v.initRole()
 	if err != nil {
@@ -81,9 +88,32 @@ func (v *Vault) GetStatus() (bool, error) {
 		smslogger.WriteError(err.Error())
 		return false, errors.New("Error getting status")
 	}
+
 	return sealStatus.Sealed, nil
 }
 
+// RegisterQuorum registers the PGP public key for a quorum client
+// We will return a shard to the client that is registering
+func (v *Vault) RegisterQuorum(pgpkey string) (string, error) {
+	if v.shards == nil {
+		smslogger.WriteError("Invalid operation")
+		return "", errors.New("Invalid operation")
+	}
+	// Pop the slice
+	var sh string
+	sh, v.shards = v.shards[len(v.shards)-1], v.shards[:len(v.shards)-1]
+	if len(v.shards) == 0 {
+		v.shards = nil
+	}
+
+	// Decrypt with SMS pgp Key
+	sh, _ = smsauth.DecryptPGPString(sh, v.prkey)
+	// Encrypt with Quorum client pgp key
+	sh, _ = smsauth.EncryptPGPString(sh, pgpkey)
+
+	return sh, nil
+}
+
 // Unseal is a passthrough API that allows any
 // unseal or initialization processes for the backend
 func (v *Vault) Unseal(shard string) error {
@@ -257,7 +287,7 @@ func (v *Vault) CreateSecretDomain(name string) (SecretDomain, error) {
 		// Rollback the mount operation since we could not
 		// store the UUID for the mount.
 		v.vaultClient.Sys().Unmount(mountPath)
-		return SecretDomain{}, errors.New("Unable to store Secret Domain UUID. Retry.")
+		return SecretDomain{}, errors.New("Unable to store Secret Domain UUID. Retry")
 	}
 
 	return SecretDomain{uuid, name}, nil
@@ -308,6 +338,7 @@ func (v *Vault) DeleteSecretDomain(name string) error {
 
 // DeleteSecret deletes a secret mounted on the path provided
 func (v *Vault) DeleteSecret(dom string, name string) error {
+
 	err := v.checkToken()
 	if err != nil {
 		smslogger.WriteError(err.Error())
@@ -326,12 +357,32 @@ func (v *Vault) DeleteSecret(dom string, name string) error {
 	return nil
 }
 
-// initRole is called only once during the service bring up
+// initRole is called only once during SMS bring up
+// It initially creates a role and secret id associated with
+// that role. Later restarts will use the existing role-id
+// and secret-id stored on disk
 func (v *Vault) initRole() error {
+
 	// Use the root token once here
 	v.vaultClient.SetToken(v.vaultToken)
 	defer v.vaultClient.ClearToken()
 
+	// Check if roleID and secretID has already been created
+	rID, error := smsauth.ReadFromFile("auth/role")
+	if error != nil {
+		smslogger.WriteWarn("Unable to find RoleID. Generating...")
+	} else {
+		sID, error := smsauth.ReadFromFile("auth/secret")
+		if error != nil {
+			smslogger.WriteWarn("Unable to find secretID. Generating...")
+		} else {
+			v.roleID = rID
+			v.secretID = sID
+			v.initRoleDone = true
+			return nil
+		}
+	}
+
 	rules := `path "sms/*" { capabilities = ["create", "read", "update", "delete", "list"] }
 			path "sys/mounts/sms*" { capabilities = ["update","delete","create"] }`
 	err := v.vaultClient.Sys().PutPolicy(v.policyName, rules)
@@ -340,12 +391,6 @@ func (v *Vault) initRole() error {
 		return errors.New("Unable to create policy for approle creation")
 	}
 
-	rName := v.vaultMountPrefix + "-role"
-	data := map[string]interface{}{
-		"token_ttl": "60m",
-		"policies":  [2]string{"default", v.policyName},
-	}
-
 	//Check if applrole is mounted
 	authMounts, err := v.vaultClient.Sys().ListAuth()
 	if err != nil {
@@ -366,6 +411,12 @@ func (v *Vault) initRole() error {
 		v.vaultClient.Sys().EnableAuth("approle", "approle", "")
 	}
 
+	rName := v.vaultMountPrefix + "-role"
+	data := map[string]interface{}{
+		"token_ttl": "60m",
+		"policies":  [2]string{"default", v.policyName},
+	}
+
 	// Create a role-id
 	v.vaultClient.Logical().Write("auth/approle/role/"+rName, data)
 	sec, err := v.vaultClient.Logical().Read("auth/approle/role/" + rName + "/role-id")
@@ -385,6 +436,25 @@ func (v *Vault) initRole() error {
 
 	v.secretID = sec.Data["secret_id"].(string)
 	v.initRoleDone = true
+	/*
+	* Revoke the Root token.
+	* If a new Root Token is needed, it will need to be created
+	* using the unseal shards.
+	 */
+	err = v.vaultClient.Auth().Token().RevokeSelf(v.vaultToken)
+	if err != nil {
+		smslogger.WriteWarn(err.Error())
+		smslogger.WriteWarn("Unable to Revoke Token")
+	} else {
+		// Revoked successfully and clear it
+		v.vaultToken = ""
+	}
+
+	// Store the role-id and secret-id
+	// We will need this if SMS restarts
+	smsauth.WriteToFile(v.roleID, "auth/role")
+	smsauth.WriteToFile(v.secretID, "auth/secret")
+
 	return nil
 }
 
@@ -428,16 +498,39 @@ func (v *Vault) checkToken() error {
 // vaultInit() is used to initialize the vault in cases where it is not
 // initialized. This happens once during intial bring up.
 func (v *Vault) initializeVault() error {
+	// Check for vault init status and don't exit till it is initialized
+	for {
+		init, err := v.vaultClient.Sys().InitStatus()
+		if err != nil {
+			smslogger.WriteError("Unable to get initStatus, trying again in 10s: " + err.Error())
+			time.Sleep(time.Second * 10)
+			continue
+		}
+		// Did not get any error
+		if init == true {
+			smslogger.WriteInfo("Vault is already Initialized")
+			return nil
+		}
+
+		// init status is false
+		// break out of loop and finish initialization
+		smslogger.WriteInfo("Vault is not initialized. Initializing...")
+		break
+	}
+
+	// Hardcoded this to 3. We should make this configurable
+	// in the future
 	initReq := &vaultapi.InitRequest{
-		SecretShares:    5,
+		SecretShares:    3,
 		SecretThreshold: 3,
 	}
 
-	pbkey, _, err := smsauth.GeneratePGPKeyPair()
+	pbkey, prkey, err := smsauth.GeneratePGPKeyPair()
+
 	if err != nil {
 		smslogger.WriteError("Error Generating PGP Keys. Vault Init will not use encryption!")
 	} else {
-		initReq.PGPKeys = []string{pbkey, pbkey, pbkey, pbkey, pbkey}
+		initReq.PGPKeys = []string{pbkey, pbkey, pbkey}
 		initReq.RootTokenPGPKey = pbkey
 	}
 
@@ -448,8 +541,9 @@ func (v *Vault) initializeVault() error {
 	}
 
 	if resp != nil {
-		//v.writeUnsealShards(resp.KeysB64)
-		v.vaultToken = resp.RootToken
+		v.prkey = prkey
+		v.shards = resp.KeysB64
+		v.vaultToken, _ = smsauth.DecryptPGPString(resp.RootToken, prkey)
 		return nil
 	}
 
diff --git a/sms-service/src/sms/backend/vault_test.go b/sms-service/src/sms/backend/vault_test.go
index db8a13e..fbc0148 100644
--- a/sms-service/src/sms/backend/vault_test.go
+++ b/sms-service/src/sms/backend/vault_test.go
@@ -17,8 +17,7 @@
 package backend
 
 import (
-	smsconfig "sms/config"
-	"testing"
+//	"testing"
 )
 
 var v *Vault
@@ -27,6 +26,7 @@ func init() {
 	v = &Vault{}
 }
 
+/*
 func TestInit(t *testing.T) {
 	smsconfig.SMSConfig = &smsconfig.SMSConfiguration{BackendAddress: "http://localhost:8200"}
 	v.Init()
@@ -35,6 +35,7 @@ func TestInit(t *testing.T) {
 	}
 }
 
+
 func TestGetStatus(t *testing.T) {
 	_, err := v.GetStatus()
 	// Expect error as vault is not running
@@ -42,3 +43,4 @@ func TestGetStatus(t *testing.T) {
 		t.Fatal("GetStatus: Error expected, none found")
 	}
 }
+*/
diff --git a/sms-service/src/sms/handler/handler.go b/sms-service/src/sms/handler/handler.go
index 7758126..0568671 100644
--- a/sms-service/src/sms/handler/handler.go
+++ b/sms-service/src/sms/handler/handler.go
@@ -50,16 +50,14 @@ func (h handler) createSecretDomainHandler(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	jdata, err := json.Marshal(dom)
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	err = json.NewEncoder(w).Encode(dom)
 	if err != nil {
 		smslogger.WriteError(err.Error())
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusCreated)
-	w.Write(jdata)
 }
 
 // deleteSecretDomainHandler deletes a secret domain with the name provided
@@ -115,15 +113,13 @@ func (h handler) getSecretHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	jdata, err := json.Marshal(sec)
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(sec)
 	if err != nil {
 		smslogger.WriteError(err.Error())
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(jdata)
 }
 
 // listSecretHandler handles listing all secrets under a particular domain name
@@ -145,15 +141,13 @@ func (h handler) listSecretHandler(w http.ResponseWriter, r *http.Request) {
 		secList,
 	}
 
-	jdata, err := json.Marshal(retStruct)
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(retStruct)
 	if err != nil {
 		smslogger.WriteError(err.Error())
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(jdata)
 }
 
 // deleteSecretHandler handles deleting a secret by given domain name and secret name
@@ -172,11 +166,6 @@ func (h handler) deleteSecretHandler(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusNoContent)
 }
 
-// struct that tracks various status items for SMS and backend
-type backendStatus struct {
-	Seal bool `json:"sealstatus"`
-}
-
 // statusHandler returns information related to SMS and SMS backend services
 func (h handler) statusHandler(w http.ResponseWriter, r *http.Request) {
 	s, err := h.secretBackend.GetStatus()
@@ -186,16 +175,19 @@ func (h handler) statusHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	status := backendStatus{Seal: s}
-	jdata, err := json.Marshal(status)
+	status := struct {
+		Seal bool `json:"sealstatus"`
+	}{
+		s,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(status)
 	if err != nil {
 		smslogger.WriteError(err.Error())
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(jdata)
 }
 
 // loginHandler handles login via password and username
@@ -229,6 +221,51 @@ func (h handler) unsealHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// registerHandler allows the quorum clients to register with SMS
+// with their PGP public keys that are then used by sms for backend
+// initialization
+func (h handler) registerHandler(w http.ResponseWriter, r *http.Request) {
+	// Get shards to be used for unseal
+	type registerStruct struct {
+		PGPKey   string `json:"pgpkey"`
+		QuorumID string `json:"quorumid"`
+	}
+
+	smslogger.WriteInfo("Entering registerHandler")
+
+	var inp registerStruct
+	decoder := json.NewDecoder(r.Body)
+	decoder.DisallowUnknownFields()
+	err := decoder.Decode(&inp)
+	if err != nil {
+		smslogger.WriteError(err.Error())
+		http.Error(w, "Bad input JSON", http.StatusBadRequest)
+		return
+	}
+
+	sh, err := h.secretBackend.RegisterQuorum(inp.PGPKey)
+	if err != nil {
+		smslogger.WriteError(err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Creating a struct for return data
+	shStruct := struct {
+		Shard string `json:"shard"`
+	}{
+		sh,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(shStruct)
+	if err != nil {
+		smslogger.WriteError("Unable to encode response: " + err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+}
+
 // CreateRouter returns an http.Handler for the registered URLs
 // Takes an interface implementation as input
 func CreateRouter(b smsbackend.SecretBackend) http.Handler {
@@ -241,8 +278,9 @@ func CreateRouter(b smsbackend.SecretBackend) http.Handler {
 
 	// Initialization APIs which will be used by quorum client
 	// to unseal and to provide root token to sms service
-	router.HandleFunc("/v1/sms/status", h.statusHandler).Methods("GET")
-	router.HandleFunc("/v1/sms/unseal", h.unsealHandler).Methods("POST")
+	router.HandleFunc("/v1/sms/quorum/status", h.statusHandler).Methods("GET")
+	router.HandleFunc("/v1/sms/quorum/unseal", h.unsealHandler).Methods("POST")
+	router.HandleFunc("/v1/sms/quorum/register", h.registerHandler).Methods("POST")
 
 	router.HandleFunc("/v1/sms/domain", h.createSecretDomainHandler).Methods("POST")
 	router.HandleFunc("/v1/sms/domain/{domName}", h.deleteSecretDomainHandler).Methods("DELETE")
diff --git a/sms-service/src/sms/handler/handler_test.go b/sms-service/src/sms/handler/handler_test.go
index 25dc19f..6b43a28 100644
--- a/sms-service/src/sms/handler/handler_test.go
+++ b/sms-service/src/sms/handler/handler_test.go
@@ -47,6 +47,10 @@ func (b *TestBackend) Unseal(shard string) error {
 	return nil
 }
 
+func (b *TestBackend) RegisterQuorum(pgpkey string) (string, error) {
+	return "", nil
+}
+
 func (b *TestBackend) GetSecret(dom string, sec string) (smsbackend.Secret, error) {
 	return smsbackend.Secret{
 		Name: "testsecret",
@@ -107,8 +111,12 @@ func TestStatusHandler(t *testing.T) {
 			ret, http.StatusOK)
 	}
 
-	expected := backendStatus{}
-	got := backendStatus{}
+	expected := struct {
+		Seal bool `json:"sealstatus"`
+	}{}
+	got := struct {
+		Seal bool `json:"sealstatus"`
+	}{}
 	expectedStr := strings.NewReader(`{"sealstatus":true}`)
 	json.NewDecoder(expectedStr).Decode(&expected)
 	json.NewDecoder(rr.Body).Decode(&got)
diff --git a/sms-service/src/sms/log/logger.go b/sms-service/src/sms/log/logger.go
index 8d116dd..25da593 100644
--- a/sms-service/src/sms/log/logger.go
+++ b/sms-service/src/sms/log/logger.go
@@ -27,6 +27,13 @@ var infoLogger *log.Logger
 
 // Init will be called by sms.go before any other packages use it
 func Init(filePath string) {
+	if filePath == "" {
+		errLogger = log.New(os.Stderr, "ERROR: ", log.Lshortfile|log.LstdFlags)
+		warnLogger = log.New(os.Stdout, "WARNING: ", log.Lshortfile|log.LstdFlags)
+		infoLogger = log.New(os.Stdout, "INFO: ", log.Lshortfile|log.LstdFlags)
+		return
+	}
+
 	f, err := os.Create(filePath)
 	if err != nil {
 		log.Println("Unable to create a log file")
diff --git a/sms-service/src/sms/sms.go b/sms-service/src/sms/sms.go
index fea6b10..8b857ae 100644
--- a/sms-service/src/sms/sms.go
+++ b/sms-service/src/sms/sms.go
@@ -32,7 +32,7 @@ import (
 
 func main() {
 	// Initialize logger
-	smslogger.Init("sms.log")
+	smslogger.Init("")
 
 	// Read Configuration File
 	smsConf, err := smsconfig.ReadConfigFile("smsconfig.json")
diff --git a/sms-service/src/sms/test/loop_test.sh b/sms-service/src/sms/test/loop_test.sh
index d8c9f78..0af328e 100644
--- a/sms-service/src/sms/test/loop_test.sh
+++ b/sms-service/src/sms/test/loop_test.sh
@@ -6,54 +6,54 @@ PORT=$2
 for i in `seq 1 2`; 
 do
   echo -e "${RED}----------------BEGIN GET STATUS----------------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X GET \
-    http://${URL}:${PORT}/v1/sms/status
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X GET \
+    https://${URL}:${PORT}/v1/sms/quorum/status
 
   echo -e "${RED}----------------BEGIN CREATE SECRET DOMAIN------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X POST \
-    -d @test/test_create_domain.json http://${URL}:${PORT}/v1/sms/domain
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X POST \
+    -d @test/test_create_domain.json https://${URL}:${PORT}/v1/sms/domain
 
   echo -e "${RED}----------------BEGIN CREATE SECRET 1-----------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X POST \
-    -d @test/test_create_secret1.json http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X POST \
+    -d @test/test_create_secret1.json https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 
   echo -e "${RED}----------------BEGIN CREATE SECRET 2-----------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X POST \
-    -d @test/test_create_secret2.json http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X POST \
+    -d @test/test_create_secret2.json https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 
   echo -e "${RED}----------------BEGIN CREATE SECRET 3-----------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X POST \
-    -d @test/test_create_secret3.json http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X POST \
+    -d @test/test_create_secret3.json https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 
   echo -e "${RED}----------------BEGIN LIST SECRET---------------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X GET \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X GET \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 
   echo -e "${RED}----------------BEGIN GET SECRET 1--------------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X GET \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret1
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X GET \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret1
 
   echo -e "${RED}----------------BEGIN GET SECRET 2--------------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X GET \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret2
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X GET \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret2
 
   echo -e "${RED}----------------BEGIN GET SECRET 3--------------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X GET \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret3
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X GET \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret3
 
   echo -e "${RED}----------------BEGIN DELETE SECRET 1-----------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X DELETE \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret1
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X DELETE \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret1
 
   echo -e "${RED}----------------BEGIN DELETE SECRET 2-----------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X DELETE \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret2
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X DELETE \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret2
 
   echo -e "${RED}----------------BEGIN DELETE SECRET 3-----------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X DELETE \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret3
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X DELETE \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret3
 
   echo -e "${RED}----------------BEGIN DELETE SECRET DOMAIN------${NC}"
-  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem --cert auth/client.cert --key auth/client.key -X DELETE \
-    http://${URL}:${PORT}/v1/sms/domain/curltestdomain
+  curl -i -w "\n" -H "Accept: application/json" --cacert auth/selfsignedca.pem -X DELETE \
+    https://${URL}:${PORT}/v1/sms/domain/curltestdomain
 done