25960fd034
* wip * wip * Got it 'working', but not happy about cleanliness yet * Switch to a dedicated defaultSeal with recovery keys This is simpler than trying to hijack SealAccess as before. Instead, if the operator has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir seal with the recovery unseal key path instead of the auto seal. Then everything proceeds as if you had a shamir seal to begin with. * Handle recovery rekeying * changelog * Revert go.mod redirect * revert multi-blob info * Dumb nil unmarshal target * More comments * Update vault/seal.go Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * Update changelog/18683.txt Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * pr feedback * Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split * Better comment on recovery seal during adjustSealMigration * Make it possible to migrate from an auto-seal in recovery mode to shamir * Fix sealMigrated to account for a recovery seal * comments * Update changelog/18683.txt Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * Address PR feedback * Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate * Don't shortcut the reast of seal migration * get rid of redundant transit server cleanup Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> |
||
|---|---|---|
| .. | ||
| test-fixtures | ||
| config.go | ||
| config_custom_response_headers_test.go | ||
| config_oss_test.go | ||
| config_telemetry_test.go | ||
| config_test.go | ||
| config_test_helpers.go | ||
| config_test_helpers_util.go | ||
| config_util.go | ||
| hcp_link_config_test.go | ||
| listener.go | ||
| listener_tcp.go | ||
| listener_tcp_test.go | ||
| listener_test.go | ||
| listener_unix.go | ||
| listener_unix_test.go | ||
| server_seal_transit_acc_test.go | ||
| tls_util.go | ||