1c98152fa0
Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
42 lines
1.1 KiB
Go
42 lines
1.1 KiB
Go
package vault
|
|
|
|
import (
|
|
"github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/vault/sdk/helper/logging"
|
|
"github.com/hashicorp/vault/vault/seal"
|
|
shamirseal "github.com/hashicorp/vault/vault/seal/shamir"
|
|
testing "github.com/mitchellh/go-testing-interface"
|
|
)
|
|
|
|
func NewTestSeal(t testing.T, opts *TestSealOpts) Seal {
|
|
t.Helper()
|
|
if opts == nil {
|
|
opts = &TestSealOpts{}
|
|
}
|
|
if opts.Logger == nil {
|
|
opts.Logger = logging.NewVaultLogger(hclog.Debug)
|
|
}
|
|
|
|
switch opts.StoredKeys {
|
|
case StoredKeysSupportedShamirMaster:
|
|
newSeal := NewDefaultSeal(shamirseal.NewSeal(opts.Logger))
|
|
// Need StoredShares set or this will look like a legacy shamir seal.
|
|
newSeal.SetCachedBarrierConfig(&SealConfig{
|
|
StoredShares: 1,
|
|
SecretThreshold: 1,
|
|
SecretShares: 1,
|
|
})
|
|
return newSeal
|
|
case StoredKeysNotSupported:
|
|
newSeal := NewDefaultSeal(shamirseal.NewSeal(opts.Logger))
|
|
newSeal.SetCachedBarrierConfig(&SealConfig{
|
|
StoredShares: 0,
|
|
SecretThreshold: 1,
|
|
SecretShares: 1,
|
|
})
|
|
return newSeal
|
|
default:
|
|
return NewAutoSeal(seal.NewTestSeal(opts.Secret))
|
|
}
|
|
}
|