Move recovery info behind the barrier
This commit is contained in:
parent
119238149b
commit
9bc24be343
|
@ -171,31 +171,6 @@ func (c *Core) Initialize(barrierConfig, recoveryConfig *SealConfig) (*InitResul
|
||||||
SecretShares: barrierUnsealKeys,
|
SecretShares: barrierUnsealKeys,
|
||||||
}
|
}
|
||||||
|
|
||||||
// Save the configuration regardless, but only generate a key if it's not
|
|
||||||
// disabled
|
|
||||||
if c.seal.RecoveryKeySupported() {
|
|
||||||
err = c.seal.SetRecoveryConfig(recoveryConfig)
|
|
||||||
if err != nil {
|
|
||||||
c.logger.Printf("[ERR] core: failed to save recovery configuration: %v", err)
|
|
||||||
return nil, fmt.Errorf("recovery configuration saving failed: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if recoveryConfig.SecretShares > 0 {
|
|
||||||
recoveryKey, recoveryUnsealKeys, err := c.generateShares(recoveryConfig)
|
|
||||||
if err != nil {
|
|
||||||
c.logger.Printf("[ERR] core: %v", err)
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
err = c.seal.SetRecoveryKey(recoveryKey)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
results.RecoveryShares = recoveryUnsealKeys
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Initialize the barrier
|
// Initialize the barrier
|
||||||
if err := c.barrier.Initialize(barrierKey); err != nil {
|
if err := c.barrier.Initialize(barrierKey); err != nil {
|
||||||
c.logger.Printf("[ERR] core: failed to initialize barrier: %v", err)
|
c.logger.Printf("[ERR] core: failed to initialize barrier: %v", err)
|
||||||
|
@ -223,6 +198,32 @@ func (c *Core) Initialize(barrierConfig, recoveryConfig *SealConfig) (*InitResul
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Save the configuration regardless, but only generate a key if it's not
|
||||||
|
// disabled. When using recovery keys they are stored in the barrier, so
|
||||||
|
// this must happen post-unseal.
|
||||||
|
if c.seal.RecoveryKeySupported() {
|
||||||
|
err = c.seal.SetRecoveryConfig(recoveryConfig)
|
||||||
|
if err != nil {
|
||||||
|
c.logger.Printf("[ERR] core: failed to save recovery configuration: %v", err)
|
||||||
|
return nil, fmt.Errorf("recovery configuration saving failed: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if recoveryConfig.SecretShares > 0 {
|
||||||
|
recoveryKey, recoveryUnsealKeys, err := c.generateShares(recoveryConfig)
|
||||||
|
if err != nil {
|
||||||
|
c.logger.Printf("[ERR] core: %v", err)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
err = c.seal.SetRecoveryKey(recoveryKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
results.RecoveryShares = recoveryUnsealKeys
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Generate a new root token
|
// Generate a new root token
|
||||||
rootToken, err := c.tokenStore.rootToken()
|
rootToken, err := c.tokenStore.rootToken()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in a new issue