2017-03-15 06:40:33 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: api
|
|
|
|
|
page_title: /sys/rekey - HTTP API
|
|
|
|
|
description: The `/sys/rekey` endpoints are used to rekey the unseal keys for Vault.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# `/sys/rekey`
|
|
|
|
|
|
|
|
|
|
The `/sys/rekey` endpoints are used to rekey the unseal keys for Vault.
|
|
|
|
|
|
2017-11-06 17:18:15 +00:00
|
|
|
|
On seals that support stored keys (e.g. HSM PKCS11), the recovery key share(s)
|
|
|
|
|
can be provided to rekey the master key since no unseal keys are available. The
|
2018-03-20 18:54:10 +00:00
|
|
|
|
secret shares, secret threshold, and stored shares parameters must be set to 1.
|
2017-11-06 17:18:15 +00:00
|
|
|
|
Upon successful rekey, no split unseal key shares are returned.
|
|
|
|
|
|
2017-03-15 06:40:33 +00:00
|
|
|
|
## Read Rekey Progress
|
|
|
|
|
|
|
|
|
|
This endpoint reads the configuration and progress of the current rekey attempt.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `GET` | `/sys/rekey/init` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/init
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"started": true,
|
|
|
|
|
"nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
|
|
|
|
|
"t": 3,
|
|
|
|
|
"n": 5,
|
|
|
|
|
"progress": 1,
|
|
|
|
|
"required": 3,
|
|
|
|
|
"pgp_fingerprints": ["abcd1234"],
|
2018-05-21 16:00:36 +00:00
|
|
|
|
"backup": true,
|
|
|
|
|
"verification_required": false
|
2017-03-15 06:40:33 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If a rekey is started, then `n` is the new shares to generate and `t` is the
|
|
|
|
|
threshold required for the new shares. `progress` is how many unseal keys have
|
|
|
|
|
been provided for this rekey, where `required` must be reached to complete. The
|
|
|
|
|
`nonce` for the current rekey operation is also displayed. If PGP keys are being
|
|
|
|
|
used to encrypt the final shares, the key fingerprints and whether the final
|
|
|
|
|
keys will be backed up to physical storage will also be displayed.
|
2018-05-21 16:00:36 +00:00
|
|
|
|
`verification_required` indicates whether verification was enabled for this
|
|
|
|
|
operation.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
## Start Rekey
|
|
|
|
|
|
|
|
|
|
This endpoint initializes a new rekey attempt. Only a single rekey attempt can
|
|
|
|
|
take place at a time, and changing the parameters of a rekey requires canceling
|
|
|
|
|
and starting a new rekey, which will also provide a new nonce.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
2022-02-25 14:52:24 +00:00
|
|
|
|
| `POST` | `/sys/rekey/init` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `secret_shares` `(int: <required>)` – Specifies the number of shares to split
|
|
|
|
|
the master key into.
|
|
|
|
|
|
|
|
|
|
- `secret_threshold` `(int: <required>)` – Specifies the number of shares
|
|
|
|
|
required to reconstruct the master key. This must be less than or equal to
|
|
|
|
|
`secret_shares`.
|
|
|
|
|
|
|
|
|
|
- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used
|
|
|
|
|
to encrypt the output unseal keys. Ordering is preserved. The keys must be
|
|
|
|
|
base64-encoded from their original binary representation. The size of this
|
|
|
|
|
array must be the same as `secret_shares`.
|
|
|
|
|
|
|
|
|
|
- `backup` `(bool: false)` – Specifies if using PGP-encrypted keys, whether
|
2017-09-19 12:44:34 +00:00
|
|
|
|
Vault should also store a plaintext backup of the PGP-encrypted keys at
|
|
|
|
|
`core/unseal-keys-backup` in the physical storage backend. These can then
|
|
|
|
|
be retrieved and removed via the `sys/rekey/backup` endpoint.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
2018-05-21 16:00:36 +00:00
|
|
|
|
- `require_verification` `(bool: false)` – This turns on verification
|
|
|
|
|
functionality. When verification is turned on, after successful authorization
|
|
|
|
|
with the current unseal keys, the new unseal keys are returned but the master
|
|
|
|
|
key is not actually rotated. The new keys must be provided to authorize the
|
|
|
|
|
actual rotation of the master key. This ensures that the new keys have been
|
|
|
|
|
successfully saved and protects against a risk of the keys being lost after
|
2020-06-11 18:22:49 +00:00
|
|
|
|
rotation but before they can be persisted. This can be used with or without
|
2018-05-22 19:12:12 +00:00
|
|
|
|
`pgp_keys`, and when used with it, it allows ensuring that the returned keys
|
|
|
|
|
can be successfully decrypted before committing to the new shares, which the
|
|
|
|
|
backup functionality does not provide.
|
2018-05-21 16:00:36 +00:00
|
|
|
|
|
2017-03-15 06:40:33 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"secret_shares": 10,
|
|
|
|
|
"secret_threshold": 5
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2022-02-25 14:52:24 +00:00
|
|
|
|
--request POST \
|
2017-03-15 06:40:33 +00:00
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/init
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Cancel Rekey
|
|
|
|
|
|
|
|
|
|
This endpoint cancels any in-progress rekey. This clears the rekey settings as
|
|
|
|
|
well as any progress made. This must be called to change the parameters of the
|
2018-05-21 16:00:36 +00:00
|
|
|
|
rekey. Note: verification is still a part of a rekey. If rekeying is canceled
|
|
|
|
|
during the verification flow, the current unseal keys remain valid.
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :---------------- |
|
|
|
|
|
| `DELETE` | `/sys/rekey/init` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/init
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Backup Key
|
|
|
|
|
|
|
|
|
|
This endpoint returns the backup copy of PGP-encrypted unseal keys. The returned
|
|
|
|
|
value is the nonce of the rekey operation and a map of PGP key fingerprint to
|
|
|
|
|
hex-encoded PGP-encrypted key.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------ |
|
|
|
|
|
| `GET` | `/sys/rekey/backup` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/backup
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
|
|
|
|
|
"keys": {
|
|
|
|
|
"abcd1234": "..."
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Backup Key
|
|
|
|
|
|
|
|
|
|
This endpoint deletes the backup copy of PGP-encrypted unseal keys.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :------------------ |
|
|
|
|
|
| `DELETE` | `/sys/rekey/backup` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
2020-11-05 17:54:26 +00:00
|
|
|
|
--header "X-Vault-Token: ..." \
|
2017-03-15 06:40:33 +00:00
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/backup
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Submit Key
|
|
|
|
|
|
|
|
|
|
This endpoint is used to enter a single master key share to progress the rekey
|
|
|
|
|
of the Vault. If the threshold number of master key shares is reached, Vault
|
|
|
|
|
will complete the rekey. Otherwise, this API must be called multiple times until
|
|
|
|
|
that threshold is met. The rekey nonce operation must be provided with each
|
|
|
|
|
call.
|
|
|
|
|
|
2018-05-21 16:00:36 +00:00
|
|
|
|
When the operation is complete, this will return a response like the example
|
|
|
|
|
below; otherwise the response will be the same as the `GET` method against
|
|
|
|
|
`sys/rekey/init`, providing status on the operation itself.
|
|
|
|
|
|
|
|
|
|
If verification was requested, successfully completing this flow will
|
|
|
|
|
immediately put the operation into a verification state, and provide the nonce
|
|
|
|
|
for the verification operation.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------ |
|
2022-02-25 14:52:24 +00:00
|
|
|
|
| `POST` | `/sys/rekey/update` |
|
2017-03-15 06:40:33 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `key` `(string: <required>)` – Specifies a single master share key.
|
|
|
|
|
|
|
|
|
|
- `nonce` `(string: <required>)` – Specifies the nonce of the rekey operation.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2018-05-21 16:00:36 +00:00
|
|
|
|
"key": "AB32...",
|
|
|
|
|
"nonce": "abcd1234..."
|
2017-03-15 06:40:33 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-15 06:40:33 +00:00
|
|
|
|
$ curl \
|
2020-11-05 17:54:26 +00:00
|
|
|
|
--header "X-Vault-Token: ..." \
|
2022-02-25 14:52:24 +00:00
|
|
|
|
--request POST \
|
2017-03-15 06:40:33 +00:00
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/update
|
2017-03-15 06:40:33 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"complete": true,
|
|
|
|
|
"keys": ["one", "two", "three"],
|
|
|
|
|
"nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63",
|
|
|
|
|
"pgp_fingerprints": ["abcd1234"],
|
|
|
|
|
"keys_base64": ["base64keyvalue"],
|
2018-05-21 16:00:36 +00:00
|
|
|
|
"backup": true,
|
|
|
|
|
"verification_required": true,
|
|
|
|
|
"verification_nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10"
|
2017-03-15 06:40:33 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If the keys are PGP-encrypted, an array of key fingerprints will also be
|
|
|
|
|
provided (with the order in which the keys were used for encryption) along with
|
|
|
|
|
whether or not the keys were backed up to physical storage.
|
2018-05-21 16:00:36 +00:00
|
|
|
|
|
|
|
|
|
## Read Rekey Verification Progress
|
|
|
|
|
|
|
|
|
|
This endpoint reads the configuration and progress of the current rekey
|
|
|
|
|
verification attempt.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------ |
|
|
|
|
|
| `GET` | `/sys/rekey/verify` |
|
2018-05-21 16:00:36 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-05-21 16:00:36 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/verify
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"nonce": "8b112c9e-2738-929d-bcc2-19aff249ff10",
|
|
|
|
|
"t": 3,
|
|
|
|
|
"n": 5,
|
|
|
|
|
"progress": 1
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
`n` is the total number of new shares that were generated and `t` is the
|
|
|
|
|
threshold required for the new shares to pass verification. `progress` is how
|
|
|
|
|
many of the new unseal keys have been provided for this verification operation.
|
|
|
|
|
The `nonce` for the current rekey operation is also displayed.
|
|
|
|
|
|
|
|
|
|
## Cancel Rekey Verification
|
|
|
|
|
|
|
|
|
|
This endpoint cancels any in-progress rekey verification operation. This clears
|
|
|
|
|
any progress made and resets the nonce. Unlike a `DELETE` against
|
|
|
|
|
`sys/rekey/init`, this only resets the current verification operation, not the
|
2020-06-11 18:22:49 +00:00
|
|
|
|
entire rekey attempt. The return value is the same as `GET` along with the new
|
2018-05-21 16:00:36 +00:00
|
|
|
|
nonce.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :------------------ |
|
|
|
|
|
| `DELETE` | `/sys/rekey/verify` |
|
2018-05-21 16:00:36 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-05-21 16:00:36 +00:00
|
|
|
|
$ curl \
|
2020-11-05 17:54:26 +00:00
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-05-21 16:00:36 +00:00
|
|
|
|
--request DELETE \
|
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/verify
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
|
|
|
|
|
"t": 3,
|
|
|
|
|
"n": 5,
|
|
|
|
|
"progress": 0
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Submit Verification Key
|
|
|
|
|
|
|
|
|
|
This endpoint is used to enter a single new key share to progress the rekey
|
2020-01-18 00:18:09 +00:00
|
|
|
|
verification operation. If the threshold number of new key shares is reached,
|
2018-05-21 16:00:36 +00:00
|
|
|
|
Vault will complete the rekey by performing the actual rotation of the master
|
|
|
|
|
key. Otherwise, this API must be called multiple times until that threshold is
|
|
|
|
|
met. The nonce must be provided with each call.
|
|
|
|
|
|
|
|
|
|
When the operation is complete, this will return a response like the example
|
|
|
|
|
below; otherwise the response will be the same as the `GET` method against
|
|
|
|
|
`sys/rekey/verify`, providing status on the operation itself.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------ |
|
2022-02-25 14:52:24 +00:00
|
|
|
|
| `POST` | `/sys/rekey/verify` |
|
2018-05-21 16:00:36 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `key` `(string: <required>)` – Specifies a single master share key from the
|
|
|
|
|
new set of shares.
|
|
|
|
|
|
|
|
|
|
- `nonce` `(string: <required>)` – Specifies the nonce of the rekey
|
|
|
|
|
verification operation.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"key": "A58d...",
|
|
|
|
|
"nonce": "5a27bbc1..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2018-05-21 16:00:36 +00:00
|
|
|
|
$ curl \
|
2020-11-05 17:54:26 +00:00
|
|
|
|
--header "X-Vault-Token: ..." \
|
2022-02-25 14:52:24 +00:00
|
|
|
|
--request POST \
|
2018-05-21 16:00:36 +00:00
|
|
|
|
--data @payload.json \
|
|
|
|
|
http://127.0.0.1:8200/v1/sys/rekey/verify
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"nonce": "5827bbc1-0110-5725-cc21-beddc129d942",
|
|
|
|
|
"complete": true
|
|
|
|
|
}
|
|
|
|
|
```
|