vault: share keyring persistence code

2015-05-27 16:29:59 -07:00 · 2015-05-27 16:29:59 -07:00 · e8e9103300
parent 0e9136d14c
commit e8e9103300
1 changed files with 13 additions and 24 deletions
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@ -102,12 +102,6 @@ func (b *AESGCMBarrier) Initialize(key []byte) error {
 		return ErrBarrierAlreadyInit
 	}

-	// Create the AES-GCM
-	gcm, err := b.aeadFromKey(key)
-	if err != nil {
-		return err
-	}
-
 	// Generate encryption key
 	encrypt, err := b.GenerateKey()
 	if err != nil {
@ -122,7 +116,12 @@ func (b *AESGCMBarrier) Initialize(key []byte) error {
 		Version: 1,
 		Value:   encrypt,
 	})
+	return b.persistKeyring(keyring)
+}

+// persistKeyring is used to write out the keyring using the
+// master key to encrypt it.
+func (b *AESGCMBarrier) persistKeyring(keyring *Keyring) error {
 	// Create the keyring entry
 	buf, err := keyring.Serialize()
 	if err != nil {
@ -130,6 +129,12 @@ func (b *AESGCMBarrier) Initialize(key []byte) error {
 	}
 	defer memzero(buf)

+	// Create the AES-GCM
+	gcm, err := b.aeadFromKey(keyring.MasterKey())
+	if err != nil {
+		return err
+	}
+
 	// Encrypt the barrier init value
 	value := b.encrypt(initialKeyTerm, gcm, buf)

@ -244,24 +249,8 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 		Version: 1,
 		Value:   init.Key,
 	})
-
-	// Serialize the keyring
-	buf, err := keyring.Serialize()
-	if err != nil {
-		return fmt.Errorf("failed to serialize keyring: %v", err)
-	}
-	defer memzero(buf)
-
-	// Encrypt the barrier init value
-	value := b.encrypt(initialKeyTerm, gcm, buf)
-
-	// Create the barrierInitPath
-	pe := &physical.Entry{
-		Key:   keyringPath,
-		Value: value,
-	}
-	if err := b.backend.Put(pe); err != nil {
-		return fmt.Errorf("failed to persist keyring: %v", err)
+	if err := b.persistKeyring(keyring); err != nil {
+		return err
 	}

 	// Set the vault as unsealed