open-vault/website/source/docs/secrets/transit/index.html.md
Jeff Escalante a3dfde5cec New Docs Website (#5535)
* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads
2018-10-19 08:40:11 -07:00

8.7 KiB

layout page_title sidebar_title sidebar_current description
docs Transit - Secrets Engines Transit docs-secrets-transit The transit secrets engine for Vault encrypts/decrypts data in-transit. It doesn't store any secrets.

Transit Secrets Engine

The transit secrets engine handles cryptographic functions on data in-transit. Vault doesn't store the data sent to the secrets engine. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

The primary use case for transit is to encrypt data from applications while still storing that encrypted data in some primary data store. This relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault.

Key derivation is supported, which allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value. In this mode, convergent encryption can optionally be supported, which allows the same input values to produce the same ciphertext.

Datakey generation allows processes to request a high-entropy key of a given bit length be returned to them, encrypted with the named key. Normally this will also return the key in plaintext to allow for immediate use, but this can be disabled to accommodate auditing requirements.

Working Set Management

This secrets engine does not currently delete keys. Keys that are out of the working set (earlier than a key's specified min_decryption_version are instead archived. This is a performance consideration to keep key loading fast, as well as a security consideration: by disallowing decryption of old versions of keys, found ciphertext corresponding to obsolete (but sensitive) data can not be decrypted by most users, but in an emergency the min_decryption_version can be moved back to allow for legitimate decryption.

Currently this archive is stored in a single storage entry. With some storage backends, notably those using Raft or Paxos for HA capabilities, frequent rotation may lead to a storage entry size for the archive that is larger than the storage backend can handle. For frequent rotation needs, using named keys that correspond to time bounds (e.g. five-minute periods floored to the closest multiple of five) may provide a good alternative, allowing for several keys to be live at once and a deterministic way to decide which key to use at any given time.

Key Types

As of now, the transit secrets engine supports the following key types (all key types also generate separate HMAC keys):

  • aes256-gcm96: AES-GCM with a 256-bit AES key and a 96-bit nonce; supports encryption, decryption, key derivation, and convergent encryption
  • chacha20-poly1305: ChaCha20-Poly1305 with a 256-bit key; supports encryption, decryption, key derivation, and convergent encryption
  • ed25519: Ed25519; supports signing, signature verification, and key derivation
  • ecdsa-p256: ECDSA using curve P256; supports signing and signature verification
  • rsa-2048: 2048-bit RSA key; supports encryption, decryption, signing, and signature verification
  • rsa-4096: 4096-bit RSA key; supports encryption, decryption, signing, and signature verification

Convergent Encryption

Convergent encryption is a mode where the same set of plaintext+context always result in the same ciphertext. It does this by deriving a key using a key derivation function but also by deterministically deriving a nonce. Because these properties differ for any combination of plaintext and ciphertext over a keyspace the size of 2^256, the risk of nonce reuse is near zero.

This has many practical uses. A key usage mode is to allow values to be stored encrypted in a database, but with limited lookup/query support, so that rows with the same value for a specific field can be returned from a query.

To accommodate for any needed upgrades to the algorithm, different versions of convergent encryption have historically been supported:

  • Version 1 required the client to provide their own nonce, which is highly flexible but if done incorrectly can be dangerous. This was only in Vault 0.6.1, and keys using this version cannot be upgraded.
  • Version 2 used an algorithmic approach to deriving the parameters. However, the algorithm used was susceptible to offline plaintext-confirmation attacks, which could allow attackers to brute force decryption if the plaintext size was small. Keys using version 2 can be upgraded by simply performing a rotate operation to a new key version; existing values can then be rewrapped against the new key version and will use the version 3 algorithm.
  • Version 3 uses a different algorithm designed to be resistant to offline plaintext-confirmation attacks. It is similar to AES-SIV in that it uses a PRF to generate the nonce from the plaintext.

Setup

Most secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.

  1. Enable the Transit secrets engine:

    $ vault secrets enable transit
    Success! Enabled the transit secrets engine at: transit/
    

    By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the -path argument.

  2. Create a named encryption key:

    $ vault write -f transit/keys/my-key
    Success! Data written to: transit/keys/my-key
    

    Usually each application has its own encryption key.

Usage

After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can use this secrets engine.

  1. Encrypt some plaintext data using the /encrypt endpoint with a named key:

    $ vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")
    
    Key           Value
    ---           -----
    ciphertext    vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
    

    All plaintext data must be base64-encoded. The reason for this requirement is that Vault does not require that the plaintext is "text". It could be a binary file such as a PDF or image. The easiest safe transport mechanism for this data as part of a JSON payload is to base64-encode it.

    Note that Vault does not store any of this data. The caller is responsible for storing the encrypted ciphertext. When the caller wants the plaintext, it must provide the ciphertext back to Vault to decrypt the value.

  2. Decrypt a piece of data using the /decrypt endpoint with a named key:

    $ vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
    
    Key          Value
    ---          -----
    plaintext    bXkgc2VjcmV0IGRhdGEK
    

    The resulting data is base64-encoded (see the note above for details on why). Decode it to get the raw plaintext:

    $ base64 --decode <<< "bXkgc2VjcmV0IGRhdGEK"
    my secret data
    

    It is also possible to script this decryption using some clever shell scripting in one command:

    $ vault write -field=plaintext transit/decrypt/my-key ciphertext=... | base64 --decode
    my secret data
    

    Using ACLs, it is possible to restrict using the transit secrets engine such that trusted operators can manage the named keys, and applications can only encrypt or decrypt using the named keys they need access to.

  3. Rotate the underlying encryption key. This will generate a new encryption key and add it to the keyring for the named key:

    $ vault write -f transit/keys/my-key/rotate
    Success! Data written to: transit/keys/my-key/rotate
    

    Future encryptions will use this new key. Old data can still be decrypted due to the use of a key ring.

  4. Upgrade already-encrypted data to a new key. Vault will decrypt the value using the appropriate key in the keyring and then encrypted the resulting plaintext with the newest key in the keyring.

    $ vault write transit/rewrap/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
    
    Key           Value
    ---           -----
    ciphertext    vault:v2:0VHTTBb2EyyNYHsa3XiXsvXOQSLKulH+NqS4eRZdtc2TwQCxqJ7PUipvqQ==
    

    This process does not reveal the plaintext data. As such, a Vault policy could grant almost an untrusted process the ability to "rewrap" encrypted data, since the process would not be able to get access to the plaintext data.

API

The Transit secrets engine has a full HTTP API. Please see the Transit secrets engine API for more details.