---
layout: guides
page_title: Rekeying & Rotating Vault - Guides
sidebar_title: Rekeying & Rotating
description: |-
  Vault supports generating new unseal keys as well as rotating the underlying
  encryption keys. This guide covers rekeying and rotating Vault's encryption
  keys.
---

# Rekeying & Rotating Vault

~> **Advanced Topic** This guide presents an advanced topic that is not required
for a basic understanding of Vault. Knowledge of this topic is not required for
daily Vault use.

## Background

To prevent any one person from having complete access to the system, Vault
employs [Shamir's Secret Sharing Algorithm][shamir]. Under this scheme, a secret
is divided into a number of parts such that only a subset of those parts is
needed to reconstruct the original secret. Vault makes heavy use of this
algorithm as part of the [unsealing process](/docs/concepts/seal).

When a Vault server is first initialized, Vault generates a master key and
immediately splits this master key into a series of key shares following
Shamir's Secret Sharing Algorithm. Vault never stores the master key; therefore,
the only way to retrieve the master key is to have a quorum of unseal keys
regenerate it.

The master key is used to decrypt the underlying encryption key. Vault uses the
encryption key to encrypt data at rest in a storage backend like the filesystem
or Consul.

Typically each of these key shares is distributed to trusted parties in the
organization. These parties must come together to "unseal" the Vault by entering
their key share.

[![Vault Shamir Secret Sharing Algorithm](/img/vault-shamir-secret-sharing.svg)](/img/vault-shamir-secret-sharing.svg)

[shamir]: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

In some cases, you may want to re-generate the master key and key shares. Here
are a few examples:

- Someone joins or leaves the organization
- Security wants to change the number of shares or threshold of shares
- Compliance mandates the master key be rotated at a regular interval

In addition to rekeying the master key, there may be an independent desire to
rotate the underlying encryption key Vault uses to encrypt data at rest.

[![Vault Rekey vs Rotate](/img/vault-rekey-vs-rotate.svg)](/img/vault-rekey-vs-rotate.svg)

In Vault, _rekeying_ and _rotating_ are two separate operations. The process for
generating a new master key and applying Shamir's algorithm is called
"rekeying". The process for generating a new encryption key for Vault to encrypt
data at rest is called "rotating".

Both rekeying the Vault and rotating Vault's underlying encryption key are fully
online operations. Vault will continue to service requests uninterrupted during
either of these processes.

## Rekeying Vault

Rekeying the Vault requires a quorum of unseal keys. Before continuing, you
should ensure enough unseal key holders are available to assist with the
rekeying to match the threshold configured when the keys were issued.

First, initialize a rekeying operation. The flags represent the **newly
desired** number of keys and threshold:

```shell-session
$ vault operator rekey -init -key-shares=3 -key-threshold=2
```

This will generate a nonce value and start the rekeying process. All other
unseal key holders must also provide this nonce value. The nonce is not a
secret, so it is safe to distribute over insecure channels like chat, email, or
carrier pigeon.

```text
Key               Value
---               -----
Nonce             dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
Started           true
Rekey Progress    0/1
New Shares        3
New Threshold     2
```

Each unseal key holder runs the following command and enters their unseal key:

```shell-session
$ vault operator rekey -nonce=<nonce>
Rekey operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c
Key (will be hidden):
```

When the final unseal key holder enters their key, Vault will output the new
unseal keys:

```text
Key 1: EDj4NZK6z5Y9rpr+TtihTulfdHvFzXtBYQk36dmBczuQ
Key 2: sCkM1i5BGGNDFk5GsqtVolWRPyd5mWn2eZG0gUySiCF7
Key 3: e5DUvDIH0cPU8Q+hh1KNVkkMc9lliliPVe9u3Fzbzv38

Operation nonce: dc1aec3b-ae67-5780-b4b5-2a10ca05b17c

Vault rekeyed with 3 keys and a key threshold of 2. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 2 of these keys
to unseal it again.

Vault does not store the master key. Without at least 2 keys,
your vault will remain permanently sealed.
```

Like the initialization process, Vault supports PGP encrypting the resulting
unseal keys and creating backup encryption keys for disaster recovery.
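
The sharing scheme from the Background section and the rekey flow just shown,
worked through in Python as an added example (this is not Vault's own code):
`split_secret` and `combine_shares` implement Shamir's scheme over a prime
field, and `RekeySession` models what the server does between `rekey -init` and
the last holder's submission. The field prime, the XOR wrapping of the
encryption key under the master key, and every class and function name here are
assumptions made for this example; Vault's real barrier and key wrapping differ.

```python
"""Added example (not Vault's own code): Shamir secret sharing over GF(p) and a
toy model of the rekey flow built on top of it."""
import secrets
import uuid
from typing import Dict, List, Optional, Tuple

Share = Tuple[int, int]           # (x, f(x)) point; x is the holder's 1-based index
PRIME = 2**127 - 1                # field modulus (a Mersenne prime); fits a 16-byte key


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, shares: int, threshold: int) -> List[Share]:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. Fewer than `threshold` shares yield a
    wrong value rather than an error: that is the scheme's security property."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


class RekeySession:
    """Server side of a rekey. A public nonce identifies the attempt; shares are
    collected until the *current* threshold is met; only then is the old master
    key reconstructed, a new one generated and split with the *new* parameters.
    The encryption key is unwrapped and rewrapped but never changed (that is
    what rotation does). XOR wrapping is an assumption made for this example."""

    def __init__(self, wrapped_encryption_key: int, current_threshold: int,
                 new_shares: int, new_threshold: int) -> None:
        self.nonce = str(uuid.uuid4())          # not secret: it only binds holders to one attempt
        self.wrapped_encryption_key = wrapped_encryption_key
        self.current_threshold = current_threshold
        self.new_shares = new_shares
        self.new_threshold = new_threshold
        self.provided: Dict[int, int] = {}

    def progress(self) -> str:
        return f"{len(self.provided)}/{self.current_threshold}"

    def provide(self, nonce: str, share: Share) -> Optional[List[Share]]:
        """One holder submits a share; returns the new unseal keys once quorum is met."""
        if nonce != self.nonce:
            raise ValueError("nonce does not match the active rekey operation")
        x, y = share
        self.provided[x] = y
        if len(self.provided) < self.current_threshold:
            return None
        old_master = combine_shares(list(self.provided.items()))
        encryption_key = self.wrapped_encryption_key ^ old_master      # unwrap
        new_master = secrets.randbelow(PRIME)
        self.wrapped_encryption_key = encryption_key ^ new_master     # rewrap under new master
        self.provided = {}
        return split_secret(new_master, self.new_shares, self.new_threshold)


def demo() -> bool:
    """Init with 5 shares / threshold 3, rekey to 3 / 2, check the encryption key survived."""
    encryption_key = secrets.randbelow(PRIME)
    master = secrets.randbelow(PRIME)
    old_keys = split_secret(master, 5, 3)
    session = RekeySession(encryption_key ^ master, current_threshold=3,
                           new_shares=3, new_threshold=2)
    new_keys = None
    for share in old_keys[:3]:                 # three of the five holders take part
        new_keys = session.provide(session.nonce, share)
    assert new_keys is not None and len(new_keys) == 3
    new_master = combine_shares(new_keys[:2])   # any 2 of the 3 new keys now unseal
    return (session.wrapped_encryption_key ^ new_master) == encryption_key
```

Two points are worth seeing in the code. The nonce is checked but never treated
as a secret, matching the text above, and `combine_shares` run with fewer than
`threshold` shares returns a uniformly random wrong value rather than failing,
which is why a partial quorum learns nothing about the master key. After the
rekey the wrapped encryption key changes but the encryption key itself does not,
so data at rest is untouched; that is the distinction the Rekey vs Rotate
figure draws.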

## Rotating the Encryption Key

Unlike rekeying the Vault, rotating Vault's encryption key does not require a
quorum of unseal keys. Anyone with the proper permissions in Vault can perform
the encryption key rotation.

To trigger a key rotation, execute the command:

```shell-session
$ vault operator rotate
```

This will output the key version and installation time:

```text
Key Term: 2
Installation Time: ...
```

This will add a new key to the keyring. All new values written to the storage
backend will be encrypted with this new key.
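
An added example (Python, not Vault's own code) of the keyring mechanism this
passage describes: each stored ciphertext carries the key term it was encrypted
under, `rotate` installs a new term that all new writes use, and values written
under earlier terms stay readable because their terms remain in the keyring.
The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a
standard-library stand-in assumed for this example in place of the AES-GCM
barrier Vault uses; the header layout and all names here are assumptions.

```python
"""Added example (not Vault's own code): a keyring in which every ciphertext
records the key term it was written under."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Tuple

TERM = struct.Struct(">I")      # 4-byte big-endian key term at the front of each ciphertext
NONCE_LEN = 12
TAG_LEN = 32
HEADER_LEN = TERM.size + NONCE_LEN


def _derive(term_key: bytes, label: bytes) -> bytes:
    """Purpose-specific subkey from the term key (HMAC used as a simple KDF)."""
    return hmac.new(term_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in (assumption) for the
    AES-GCM cipher used by Vault's barrier."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


class Keyring:
    """One encryption key per term; `active_term` is used for every new write."""

    def __init__(self) -> None:
        self.terms: Dict[int, Tuple[bytes, float]] = {}
        self.active_term = 0
        self.rotate()                        # term 1 is installed at initialization

    def rotate(self) -> Tuple[int, float]:
        """Install a fresh random key as the next term. Returns (term, install
        time), the two values `vault operator rotate` reports."""
        term = self.active_term + 1
        self.terms[term] = (secrets.token_bytes(32), time.time())
        self.active_term = term
        return term, self.terms[term][1]

    @staticmethod
    def term_of(blob: bytes) -> int:
        """Key term recorded in a stored ciphertext."""
        return TERM.unpack_from(blob)[0]

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt under the active term: (term || nonce) || body || tag."""
        term_key, _ = self.terms[self.active_term]
        header = TERM.pack(self.active_term) + secrets.token_bytes(NONCE_LEN)
        nonce = header[TERM.size:]
        ks = _keystream(_derive(term_key, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(_derive(term_key, b"mac"), header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        """Decrypt with whichever term the blob names; fail closed on an unknown
        term or a bad tag."""
        if len(blob) < HEADER_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        term = self.term_of(blob)
        if term not in self.terms:
            raise ValueError(f"key term {term} is not in the keyring")
        term_key, _ = self.terms[term]
        header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_derive(term_key, b"mac"), header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        ks = _keystream(_derive(term_key, b"enc"), header[TERM.size:], len(body))
        return bytes(c ^ k for c, k in zip(body, ks))

    def reencrypt(self, blob: bytes) -> bytes:
        """Move an old value to the active term; rotate alone never does this."""
        return self.encrypt(self.decrypt(blob))


def demo() -> Tuple[int, int, int]:
    """Write a value, rotate, write another: return the term of each write and of
    the old value after an explicit re-encrypt."""
    ring = Keyring()
    before = ring.encrypt(b"secret/app/db-password=hunter2")      # constructed sample entry
    ring.rotate()
    after = ring.encrypt(b"secret/app/api-token=t-0001")          # constructed sample entry
    assert ring.decrypt(before) == b"secret/app/db-password=hunter2"   # still readable
    assert ring.decrypt(after) == b"secret/app/api-token=t-0001"
    upgraded = ring.reencrypt(before)
    return ring.term_of(before), ring.term_of(after), ring.term_of(upgraded)
```

Rotation on its own adds a term without rewriting entries that already exist;
`reencrypt` shows the explicit read-and-write needed to move an old value onto
the active term, and `decrypt` fails closed on a term that is not in the
keyring or on a tag mismatch rather than returning garbage.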