2017-03-15 18:31:14 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
page_title: Behavioral Changes - HSM Integration - Vault Enterprise
|
|
|
|
sidebar_title: Behavioral Changes
|
|
|
|
description: >-
|
|
|
|
Vault Enterprise HSM support changes the way Vault works with regard to unseal
|
|
|
|
and recovery keys as well as rekey and recovery operations.
|
2017-03-15 18:31:14 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
# Vault Enterprise HSM Behavioral Changes
|
|
|
|
|
|
|
|
This page contains information about the behavioral differences that take
|
|
|
|
effect when using Vault with an HSM.
|
|
|
|
|
|
|
|
## Key Split Between Unseal Keys and Recovery Keys
|
|
|
|
|
|
|
|
Normally, Vault uses a single set of unseal keys to perform both decryption of
|
|
|
|
the cryptographic barrier and to authorize recovery operations, such as the
|
2020-01-22 20:05:41 +00:00
|
|
|
[`generate-root`](/api/system/generate-root)
|
2017-03-15 18:31:14 +00:00
|
|
|
functionality.
|
|
|
|
|
|
|
|
When using an HSM, because the HSM automatically unseals the barrier but
|
|
|
|
recovery operations should still have human oversight, Vault instead uses two
|
|
|
|
sets of keys: unseal keys and recovery keys.
|
|
|
|
|
|
|
|
## Unseal (Master) Key
|
|
|
|
|
|
|
|
Vault usually generates a master key and splits it using [Shamir's Secret
|
|
|
|
Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to prevent a
|
|
|
|
single operator from being able to modify and unseal Vault (see more
|
|
|
|
information about Vault's security model
|
2020-01-22 20:05:41 +00:00
|
|
|
[here](/docs/internals/security)).
|
2017-03-15 18:31:14 +00:00
|
|
|
|
|
|
|
When using an HSM, Vault instead stores the master key, encrypted by the HSM,
|
|
|
|
into its internal storage. As a result, during an `init` command, the number of
|
|
|
|
key shares, threshold, and stored shares are required to be set to `1`, meaning
|
|
|
|
to not split the master key, so that the single key share is itself the master
|
|
|
|
key. (Vault does not do this automatically as it generally prefers to error
|
|
|
|
rather than change parameters set by an operator.)
|
|
|
|
|
2018-04-26 14:10:30 +00:00
|
|
|
Both rekeying the master key and rotation of the underlying data
|
|
|
|
encryption key are supported when using an HSM.
|
2017-03-15 18:31:14 +00:00
|
|
|
|
|
|
|
## Recovery Key
|
|
|
|
|
|
|
|
When Vault is initialized while using an HSM, rather than unseal keys being
|
|
|
|
returned to the operator, recovery keys are returned. These are generated from
|
|
|
|
an internal recovery key that is split via Shamir's Secret Sharing, similar to
|
|
|
|
Vault's treatment of unseal keys when running without an HSM.
|
|
|
|
|
|
|
|
Details about initialization and rekeying follow. When performing an operation
|
|
|
|
that uses recovery keys, such as `generate-root`, selection of the recovery
|
|
|
|
keys for this purpose, rather than the barrier unseal keys, is automatic.
|
|
|
|
|
|
|
|
### Initialization
|
|
|
|
|
|
|
|
When initializing, the split is performed according to the following CLI flags
|
|
|
|
and their API equivalents in the
|
2020-01-22 20:05:41 +00:00
|
|
|
[/sys/init](/api/system/init) endpoint:
|
2017-03-15 18:31:14 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
- `recovery-shares`: The number of shares into which to split the recovery
|
|
|
|
key. This value is equivalent to the `recovery_shares` value in the API
|
|
|
|
endpoint.
|
|
|
|
- `recovery-threshold`: The threshold of shares required to reconstruct the
|
|
|
|
recovery key. This value is equivalent to the `recovery_threshold` value in
|
|
|
|
the API endpoint.
|
|
|
|
- `recovery-pgp-keys`: The PGP keys to use to encrypt the returned recovery
|
|
|
|
key shares. This value is equivalent to the `recovery_pgp_keys` value in the
|
|
|
|
API endpoint, although as with `pgp_keys` the object in the API endpoint is
|
|
|
|
an array, not a string.
|
2017-03-15 18:31:14 +00:00
|
|
|
|
|
|
|
Additionally, Vault will refuse to initialize if the option has not been set to
|
|
|
|
generate a key but no key is found. See
|
2020-01-22 20:05:41 +00:00
|
|
|
[Configuration](/docs/configuration/seal/pkcs11) for more details.
|
2017-03-15 18:31:14 +00:00
|
|
|
|
|
|
|
### Rekeying
|
|
|
|
|
2018-05-13 20:49:42 +00:00
|
|
|
#### Unseal Key
|
|
|
|
|
2018-06-05 16:37:26 +00:00
|
|
|
Vault's unseal key can be rekeyed using a normal `vault operator rekey`
|
|
|
|
operation from the CLI or the matching API calls. The rekey operation is
|
|
|
|
authorized by meeting the threshold of recovery keys. After rekeying, the new
|
|
|
|
barrier key is wrapped by the HSM and stored like the previous key; it is not
|
|
|
|
returned to the users that submitted their recovery keys.
|
2018-05-13 20:49:42 +00:00
|
|
|
|
|
|
|
#### Recovery Key
|
|
|
|
|
2017-03-15 18:31:14 +00:00
|
|
|
The recovery key can be rekeyed to change the number of shares/threshold or to
|
|
|
|
target different key holders via different PGP keys. When using the Vault CLI,
|
2018-11-13 19:27:14 +00:00
|
|
|
this is performed by using the `-target=recovery` flag to `vault operator rekey`.
|
2017-03-15 18:31:14 +00:00
|
|
|
|
|
|
|
Via the API, the rekey operation is performed with the same parameters as the
|
|
|
|
[normal `/sys/rekey`
|
2020-01-22 20:05:41 +00:00
|
|
|
endpoint](/api/system/rekey); however, the
|
2017-03-15 18:31:14 +00:00
|
|
|
API prefix for this operation is at `/sys/rekey-recovery-key` rather than
|
|
|
|
`/sys/rekey`.
|
2020-09-14 16:28:23 +00:00
|
|
|
|
|
|
|
## Performance and Availability
|
|
|
|
|
|
|
|
When an HSM is used for generating various CSPs or for entropy augmentation,
|
|
|
|
interaction with the HSM becomes part of the request processing for
|
|
|
|
functionality using it. This means the HSM must be online and available for
|
|
|
|
those requests to succeed. Additionally, some operations are performed much
|
|
|
|
more frequently than key generation where interaction with the HSM may
|
|
|
|
impact performance. A mount with seal wrapping enabled will interact with
|
|
|
|
the HSM on every write for example. Vault tokens (non-batch) generated with
|
|
|
|
entropy augmentation enabled will interact with the HSM when created.
|