open-vault/vault/barrier.go

177 lines
7.0 KiB
Go
Raw Normal View History

2015-03-05 21:27:35 +00:00
package vault
import (
"context"
"errors"
"io"
2015-05-28 00:25:36 +00:00
"time"
"github.com/hashicorp/vault/sdk/logical"
)
2015-03-05 21:27:35 +00:00
var (
// ErrBarrierSealed is returned if an operation is performed on
// a sealed barrier. No operation is expected to succeed before unsealing
ErrBarrierSealed = errors.New("Vault is sealed")
// ErrBarrierAlreadyInit is returned if the barrier is already
// initialized. This prevents a re-initialization.
ErrBarrierAlreadyInit = errors.New("Vault is already initialized")
// ErrBarrierNotInit is returned if a non-initialized barrier
// is attempted to be unsealed.
ErrBarrierNotInit = errors.New("Vault is not initialized")
// ErrBarrierInvalidKey is returned if the Unseal key is invalid
ErrBarrierInvalidKey = errors.New("Unseal failed, invalid key")
2015-03-05 21:27:35 +00:00
)
const (
// barrierInitPath is the path used to store our init sentinel file
barrierInitPath = "barrier/init"
2015-05-27 22:23:43 +00:00
// keyringPath is the location of the keyring data. This is encrypted
// by the master key.
2017-11-30 14:43:07 +00:00
keyringPath = "core/keyring"
keyringPrefix = "core/"
2015-05-28 22:52:26 +00:00
// keyringUpgradePrefix is the path used to store keyring update entries.
// When running in HA mode, the active instance will install the new key
// and re-write the keyring. For standby instances, they need an upgrade
// path from key N to N+1. They cannot just use the master key because
// in the event of a rekey, that master key can no longer decrypt the keyring.
// When key N+1 is installed, we create an entry at "prefix/N" which uses
// encryption key N to provide the N+1 key. The standby instances scan
// for this periodically and refresh their keyring. The upgrade keys
// are deleted after a few minutes, but this provides enough time for the
// standby instances to upgrade without causing any disruption.
keyringUpgradePrefix = "core/upgrade/"
// masterKeyPath is the location of the master key. This is encrypted
// by the latest key in the keyring. This is only used by standby instances
// to handle the case of a rekey. If the active instance does a rekey,
// the standby instances can no longer reload the keyring since they
// have the old master key. This key can be decrypted if you have the
// keyring to discover the new master key. The new master key is then
// used to reload the keyring itself.
masterKeyPath = "core/master"
// shamirKekPath is used with Shamir in v1.3+ to store a copy of the
// unseal key behind the barrier. As with masterKeyPath this is primarily
// used by standbys to handle rekeys. It also comes into play when restoring
// raft snapshots.
shamirKekPath = "core/shamir-kek"
2015-03-05 21:27:35 +00:00
)
// SecurityBarrier is a critical component of Vault. It is used to wrap
// an untrusted physical backend and provide a single point of encryption,
// decryption and checksum verification. The goal is to ensure that any
// data written to the barrier is confidential and that integrity is preserved.
// As a real-world analogy, this is the steel and concrete wrapper around
// a Vault. The barrier should only be Unlockable given its key.
type SecurityBarrier interface {
// Initialized checks if the barrier has been initialized
// and has a master key set.
Initialized(ctx context.Context) (bool, error)
2015-03-05 21:27:35 +00:00
// Initialize works only if the barrier has not been initialized
// and makes use of the given master key. When sealKey is provided
// it's because we're using a new-style Shamir seal, and masterKey
// is to be stored using sealKey to encrypt it.
Initialize(ctx context.Context, masterKey []byte, sealKey []byte, random io.Reader) error
2015-03-05 21:27:35 +00:00
// GenerateKey is used to generate a new key
GenerateKey(io.Reader) ([]byte, error)
2015-03-05 21:27:35 +00:00
2015-03-12 18:20:27 +00:00
// KeyLength is used to sanity check a key
KeyLength() (int, int)
2015-03-05 21:27:35 +00:00
// Sealed checks if the barrier has been unlocked yet. The Barrier
// is not expected to be able to perform any CRUD until it is unsealed.
Sealed() (bool, error)
// Unseal is used to provide the master key which permits the barrier
// to be unsealed. If the key is not correct, the barrier remains sealed.
Unseal(ctx context.Context, key []byte) error
2015-03-05 21:27:35 +00:00
2015-05-28 18:28:33 +00:00
// VerifyMaster is used to check if the given key matches the master key
VerifyMaster(key []byte) error
// SetMasterKey is used to directly set a new master key. This is used in
2018-03-20 18:54:10 +00:00
// replicated scenarios due to the chicken and egg problem of reloading the
// keyring from disk before we have the master key to decrypt it.
SetMasterKey(key []byte) error
2015-05-28 23:09:15 +00:00
// ReloadKeyring is used to re-read the underlying keyring.
// This is used for HA deployments to ensure the latest keyring
// is present in the leader.
ReloadKeyring(ctx context.Context) error
2015-05-28 23:09:15 +00:00
// ReloadMasterKey is used to re-read the underlying masterkey.
// This is used for HA deployments to ensure the latest master key
// is available for keyring reloading.
ReloadMasterKey(ctx context.Context) error
2015-03-05 21:27:35 +00:00
// Seal is used to re-seal the barrier. This requires the barrier to
// be unsealed again to perform any further operations.
Seal() error
2015-05-28 00:05:02 +00:00
// Rotate is used to create a new encryption key. All future writes
// should use the new key, while old values should still be decryptable.
Rotate(ctx context.Context, reader io.Reader) (uint32, error)
2015-05-28 00:05:02 +00:00
// CreateUpgrade creates an upgrade path key to the given term from the previous term
CreateUpgrade(ctx context.Context, term uint32) error
// DestroyUpgrade destroys the upgrade path key to the given term
DestroyUpgrade(ctx context.Context, term uint32) error
// CheckUpgrade looks for an upgrade to the current term and installs it
CheckUpgrade(ctx context.Context) (bool, uint32, error)
2015-05-28 22:52:26 +00:00
2015-05-28 00:25:36 +00:00
// ActiveKeyInfo is used to inform details about the active key
ActiveKeyInfo() (*KeyInfo, error)
2015-05-28 00:13:40 +00:00
// Rekey is used to change the master key used to protect the keyring
Rekey(context.Context, []byte) error
2015-05-28 00:13:40 +00:00
// For replication we must send over the keyring, so this must be available
Keyring() (*Keyring, error)
// SecurityBarrier must provide the storage APIs
logical.Storage
// SecurityBarrier must provide the encryption APIs
BarrierEncryptor
}
// BarrierStorage is the storage only interface required for a Barrier.
type BarrierStorage interface {
2015-03-05 21:27:35 +00:00
// Put is used to insert or update an entry
Put(ctx context.Context, entry *logical.StorageEntry) error
2015-03-05 21:27:35 +00:00
// Get is used to fetch an entry
Get(ctx context.Context, key string) (*logical.StorageEntry, error)
2015-03-05 21:27:35 +00:00
// Delete is used to permanently delete an entry
Delete(ctx context.Context, key string) error
2015-03-05 21:27:35 +00:00
// List is used ot list all the keys under a given
// prefix, up to the next prefix.
List(ctx context.Context, prefix string) ([]string, error)
2015-03-05 21:27:35 +00:00
}
// BarrierEncryptor is the in memory only interface that does not actually
// use the underlying barrier. It is used for lower level modules like the
// Write-Ahead-Log and Merkle index to allow them to use the barrier.
type BarrierEncryptor interface {
Encrypt(ctx context.Context, key string, plaintext []byte) ([]byte, error)
Decrypt(ctx context.Context, key string, ciphertext []byte) ([]byte, error)
}
2015-05-28 00:25:36 +00:00
// KeyInfo is used to convey information about the encryption key
type KeyInfo struct {
Term int
InstallTime time.Time
}