1c98152fa0
Shamir seals now come in two varieties: legacy and new-style. Legacy Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
41 lines
961 B
Go
41 lines
961 B
Go
package seal
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical"
|
|
)
|
|
|
|
const (
|
|
Shamir = "shamir"
|
|
PKCS11 = "pkcs11"
|
|
AliCloudKMS = "alicloudkms"
|
|
AWSKMS = "awskms"
|
|
GCPCKMS = "gcpckms"
|
|
AzureKeyVault = "azurekeyvault"
|
|
OCIKMS = "ocikms"
|
|
Transit = "transit"
|
|
Test = "test-auto"
|
|
|
|
// HSMAutoDeprecated is a deprecated seal type prior to 0.9.0.
|
|
// It is still referenced in certain code paths for upgrade purporses
|
|
HSMAutoDeprecated = "hsm-auto"
|
|
)
|
|
|
|
type Encryptor interface {
|
|
Encrypt(context.Context, []byte) (*physical.EncryptedBlobInfo, error)
|
|
Decrypt(context.Context, *physical.EncryptedBlobInfo) ([]byte, error)
|
|
}
|
|
|
|
// Access is the embedded implementation of autoSeal that contains logic
|
|
// specific to encrypting and decrypting data, or in this case keys.
|
|
type Access interface {
|
|
SealType() string
|
|
KeyID() string
|
|
|
|
Init(context.Context) error
|
|
Finalize(context.Context) error
|
|
|
|
Encryptor
|
|
}
|