* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
6.8 KiB
layout | page_title | sidebar_title | sidebar_current | description |
---|---|---|---|---|
docs | Using PGP, GPG, and Keybase | PGP, GPG, and Keybase | docs-concepts-pgp-gpg-keybase | Vault has the ability to integrate with OpenPGP-compatible programs like GPG and services like Keybase.io to provide an additional layer of security when performing certain operations. This page details the various GPG integrations, their use, and operation. |
Using PGP, GPG, and Keybase
Vault has the ability to integrate with OpenPGP-compatible programs like GPG and services like Keybase.io to provide an additional layer of security when performing certain operations. This page details the various PGP integrations, their use, and operation.
Keybase.io support is available only in the command-line tool and not via the Vault HTTP API, tools that help with initialization should use the Keybase.io API in order to obtain the GPG keys needed for a secure initialization if you want them to use Keybase for keys.
Once the Vault has been initialized, it is possible to use Keybase to decrypt the shards and unseal normally.
Initializing with PGP
One of the early fundamental problems when bootstrapping and initializing Vault was that the first user (the initializer) received a plain-text copy of all of the unseal keys. This defeats the promises of Vault's security model, and it also makes the distribution of those keys more difficult. Since Vault 0.3, Vault can optionally be initialized using PGP keys. In this mode, Vault will generate the unseal keys and then immediately encrypt them using the given users' public PGP keys. Only the owner of the corresponding private key is then able to decrypt the value, revealing the plain-text unseal key.
First, you must create, acquire, or import the appropriate key(s) onto the local machine from which you are initializing Vault. This guide will not attempt to cover all aspects of PGP keys but give examples using two popular programs: Keybase and GPG.
For beginners, we suggest using Keybase.io ("Keybase") as it can be both simpler and has a number of useful behaviors and properties around key management, such as verification of users' identities using a number of public online sources. It also exposes the ability for users to have PGP keys generated, stored, and managed securely on their servers. Using Vault with Keybase will be discussed first as it is simpler.
Initializing with Keybase
To generate unseal keys for Keybase users, Vault accepts the keybase:
prefix
to the -pgp-keys
argument:
$ vault operator init -key-shares=3 -key-threshold=2 \
-pgp-keys="keybase:jefferai,keybase:vishalnayak,keybase:sethvargo"
This requires far fewer steps than traditional PGP (e.g. with gpg
) because
Keybase handles a few of the tedious steps. The output will be the similar to
the following:
Key 1: wcBMA37rwGt6FS1VAQgAk1q8XQh6yc...
Key 2: wcBMA0wwnMXgRzYYAQgAavqbTCxZGD...
Key 3: wcFMA2DjqDb4YhTAARAAeTFyYxPmUd...
...
The output should be rather long in comparison to a regular unseal key. These
keys are encrypted, and only the user holding the corresponding private key can
decrypt the value. The keys are encrypted in the order in which specified in
the -pgp-keys
attribute. As such, the keys belong to respective Keybase
accounts of jefferai
, vishalnayak
, and sethvargo
. These keys can be
distributed over almost any medium, although common sense and judgement are
best advised. The encrypted keys are base64 encoded before returning.
Unsealing with Keybase
As a user, the easiest way to decrypt your unseal key is with the Keybase CLI tool. You can download it from Keybase.io download page. After you have downloaded and configured the Keybase CLI, you are now tasked with entering your unseal key. To get the plain-text unseal key, you must decrypt the value given to you by the initializer. To get the plain-text value, run the following command:
$ echo "wcBMA37..." | base64 -d | keybase pgp decrypt
And replace wcBMA37...
with the encrypted key.
You will be prompted to enter your Keybase passphrase. The output will be the plain-text unseal key.
6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
This is your unseal key in plain-text and should be guarded the same way you
guard a password. Now you can enter your key to the unseal
command:
$ vault operator unseal
Key (will be hidden): ...
Initializing with GPG
GPG is an open-source implementation of the OpenPGP standard and is available on nearly every platform. For more information, please see the GPG manual.
To create a new PGP key, run, following the prompts:
$ gpg --gen-key
To import an existing key, download the public key onto disk and run:
$ gpg --import key.asc
Once you have imported the users' public keys, you need to save their values to disk as either base64 or binary key files. For example:
$ gpg --export 348FFC4C | base64 > seth.asc
These key files must exist on disk in base64 (the "standard" base64 character set,
without ASCII armoring) or binary. Once saved to disk, the path to these files
can be specified as an argument to the -pgp-keys
flag.
$ vault operator init -key-shares=3 -key-threshold=2 \
-pgp-keys="jeff.asc,vishal.asc,seth.asc"
The result should look something like this:
Key 1: wcBMA37rwGt6FS1VAQgAk1q8XQh6yc...
Key 2: wcBMA0wwnMXgRzYYAQgAavqbTCxZGD...
Key 3: wcFMA2DjqDb4YhTAARAAeTFyYxPmUd...
...
The output should be rather long in comparison to a regular unseal key. These
keys are encrypted, and only the user holding the corresponding private key
can decrypt the value. The keys are encrypted in the order in which specified
in the -pgp-keys
attribute. As such, the first key belongs to Jeff, the second
to Vishal, and the third to Seth. These keys can be distributed over almost any
medium, although common sense and judgement are best advised. The encrypted
keys are base64 encoded before returning.
Unsealing with a GPG
Assuming you have been given an unseal key that was encrypted using your public PGP key, you are now tasked with entering your unseal key. To get the plain-text unseal key, you must decrypt the value given to you by the initializer. To get the plain-text value, run the following command:
$ echo "wcBMA37..." | base64 -d | gpg -dq
And replace wcBMA37...
with the encrypted key.
If you encrypted your private PGP key with a passphrase, you may be prompted to enter it. After you enter your password, the output will be the plain-text key:
6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
This is your unseal key in plain-text and should be guarded the same way you
guard a password. Now you can enter your key to the unseal
command:
$ vault operator unseal
Key (will be hidden): ...