2015-05-29 22:34:29 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
|
page_title: Key Rotation
|
|
|
|
|
sidebar_title: Key Rotation
|
|
|
|
|
description: Learn about the details of key rotation within Vault.
|
2015-05-29 22:34:29 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# Key Rotation
|
|
|
|
|
|
|
|
|
|
Vault has multiple encryption keys that are used for various purposes. These keys support
|
|
|
|
|
rotation so that they can be periodically changed or in response to a potential leak or
|
|
|
|
|
compromise. It is useful to first understand the
|
2020-01-22 20:05:41 +00:00
|
|
|
[high-level architecture](/docs/internals/architecture) before learning about key rotation.
|
2015-05-29 22:34:29 +00:00
|
|
|
|
|
|
|
|
As a review, Vault starts in a _sealed_ state. Vault is unsealed by providing the unseal keys.
|
2016-01-14 18:42:47 +00:00
|
|
|
By default, Vault uses a technique known as [Shamir's secret sharing algorithm](https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
|
2015-05-29 22:34:29 +00:00
|
|
|
to split the master key into 5 shares, any 3 of which are required to reconstruct the master
|
|
|
|
|
key. The master key is used to protect the encryption key, which is ultimately used to protect
|
|
|
|
|
data written to the storage backend.
|
|
|
|
|
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
[](/img/vault-shamir-secret-sharing.svg)
|
2015-05-29 22:34:29 +00:00
|
|
|
|
|
|
|
|
To support key rotation, we need to support changing the unseal keys, master key, and the
|
2016-05-15 16:58:36 +00:00
|
|
|
backend encryption key. We split this into two separate operations, `rekey` and `rotate`.
|
2015-05-29 22:34:29 +00:00
|
|
|
|
|
|
|
|
The `rekey` operation is used to generate a new master key. When this is being done,
|
|
|
|
|
it is possible to change the parameters of the key splitting, so that the number of shares
|
|
|
|
|
and the threshold required to unseal can be changed. To perform a rekey a threshold of the
|
|
|
|
|
current unseal keys must be provided. This is to prevent a single malicious operator from
|
2016-06-03 18:07:54 +00:00
|
|
|
performing a rekey and invalidating the existing master key.
|
2015-05-29 22:34:29 +00:00
|
|
|
|
|
|
|
|
Performing a rekey is fairly straightforward. The rekey operation must be initialized with
|
|
|
|
|
the new parameters for the split and threshold. Once initialized, the current unseal keys
|
|
|
|
|
must be provided until the threshold is met. Once met, Vault will generate the new master
|
|
|
|
|
key, perform the splitting, and re-encrypt the encryption key with the new master key.
|
|
|
|
|
The new unseal keys are then provided to the operator, and the old unseal keys are no
|
|
|
|
|
longer usable.
|
|
|
|
|
|
|
|
|
|
The `rotate` operation is used to change the encryption key used to protect data written
|
|
|
|
|
to the storage backend. This key is never provided or visible to operators, who only
|
|
|
|
|
have unseal keys. This simplifies the rotation, as it does not require the current key
|
|
|
|
|
holders unlike the `rekey` operation. When `rotate` is triggered, a new encryption key
|
|
|
|
|
is generated and added to a keyring. All new values written to the storage backend are
|
|
|
|
|
encrypted with the new key. Old values written with previous encryption keys can still
|
|
|
|
|
be decrypted since older keys are saved in the keyring. This allows key rotation to be
|
|
|
|
|
done online, without an expensive re-encryption process.
|
|
|
|
|
|
|
|
|
|
Both the `rekey` and `rotate` operations can be done online and in a highly available
|
|
|
|
|
configuration. Only the active Vault instance can perform either of the operations
|
|
|
|
|
but standby instances can still assume an active role after either operation. This is
|
|
|
|
|
done by providing an online upgrade path for standby instances. If the current encryption
|
|
|
|
|
key is `N` and a rotation installs `N+1`, Vault creates a special "upgrade" key, which
|
|
|
|
|
provides the `N+1` encryption key protected by the `N` key. This upgrade key is only available
|
2016-12-09 00:51:16 +00:00
|
|
|
for a few minutes enabling standby instances to do a periodic check for upgrades.
|
2015-05-29 22:34:29 +00:00
|
|
|
This allows standby instances to update their keys and stay in-sync with the active Vault
|
|
|
|
|
without requiring operators to perform another unseal.
|
2021-01-07 21:37:37 +00:00
|
|
|
|
|
|
|
|
## NIST Rotation Guidance
|
|
|
|
|
|
|
|
|
|
Period rotation of the encryption keys is recommended, even in the absence of
|
|
|
|
|
compromise. Due to the nature of the AES-256-GCM encryption used, keys should be
|
|
|
|
|
rotated before approximately 2<sup>32</sup> encryptions have been performed, following
|
|
|
|
|
the guidelines of NIST publication 800-38D. Operators can estimate the number
|
|
|
|
|
of encryptions by summing the following:
|
|
|
|
|
|
|
|
|
|
* The `vault.barrier.put` telemetry metric.
|
|
|
|
|
* The `vault.token.creation` metric where the `token_type` label is `batch`.
|
|
|
|
|
* The `merkle.flushDirty.num_pages` metric.
|
|
|
|
|
* The WAL index.
|
|
|
|
|
|
|
|
|
|
The simplest strategy may be to use those metrics to determine a frequency of
|
|
|
|
|
rotation and make that part of the operational process. For example, if one
|
|
|
|
|
determines that the estimated rate is 40 million operations per day, then
|
|
|
|
|
rotating the key every three months is sufficient.
|