From 676e7e0f07f8beb0d0364214220d5c2898dfc864 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 21 Sep 2016 11:10:57 -0400
Subject: [PATCH] Ensure upgrades have a valid HMAC key

---
 builtin/logical/transit/policy.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/builtin/logical/transit/policy.go b/builtin/logical/transit/policy.go
index 79cd34d27..16b8b2489 100644
--- a/builtin/logical/transit/policy.go
+++ b/builtin/logical/transit/policy.go
@@ -345,6 +345,10 @@ func (p *policy) needsUpgrade() bool {
 return true
 }

+ if p.Keys[p.LatestVersion].HMACKey == nil || len(p.Keys[p.LatestVersion].HMACKey) == 0 {
+ return true
+ }
+
 return false
 }

@@ -380,6 +384,17 @@ func (p *policy) upgrade(storage logical.Storage) error {
 persistNeeded = true
 }

+ if p.Keys[p.LatestVersion].HMACKey == nil || len(p.Keys[p.LatestVersion].HMACKey) == 0 {
+ entry := p.Keys[p.LatestVersion]
+ hmacKey, err := uuid.GenerateRandomBytes(32)
+ if err != nil {
+ return err
+ }
+ entry.HMACKey = hmacKey
+ p.Keys[p.LatestVersion] = entry
+ persistNeeded = true
+ }
+
 if persistNeeded {
 err := p.Persist(storage)
 if err != nil {
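Review bot: The `== nil ||` half of the condition added to needsUpgrade is redundant, because `len` of a nil slice is 0; `if len(p.Keys[p.LatestVersion].HMACKey) == 0 {` expresses the same test, and the identical condition in the upgrade() hunk can be shortened the same way. The check also carries no comment, unlike a security-relevant guard should: an HMAC computed with an empty key can be recomputed by anyone, so I would put `// An empty HMAC key gives no authentication; force an upgrade so one is generated.` above it. needsUpgrade starts outside the hunk.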
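Review bot: The block added to upgrade() reads `p.Keys[p.LatestVersion]` without checking that the entry exists; the copy-modify-store pattern suggests p.Keys is a map of struct values, in which case a missing version would yield a zero-value entry that receives an HMAC key and is persisted with no other key material. Using `entry, ok := p.Keys[p.LatestVersion]` and returning an error (or skipping the backfill) when `!ok` would keep a malformed policy from being written back. Only the latest version is backfilled, so if any caller computes or verifies an HMAC with an older key version it would still find an empty key; that should be confirmed against the callers, which are not visible here. The error from `uuid.GenerateRandomBytes(32)` is returned bare, and wrapping it with a message naming HMAC key generation would make a failed upgrade easier to diagnose. upgrade() begins and ends outside the hunk.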