luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/enterprise/hsm/behavior.html.md
Jeff Escalante a3dfde5cec New Docs Website (#5535) 
* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads
2018-10-19 08:40:11 -07:00

4.2 KiB
Raw Blame History

layout page_title sidebar_title sidebar_current description
docs Behavioral Changes - HSM Integration - Vault Enterprise Behavioral Changes docs-vault-enterprise-hsm-behavior Vault Enterprise HSM support changes the way Vault works with regard to unseal and recovery keys as well as rekey and recovery operations.

Vault Enterprise HSM Behavioral Changes

This page contains information about the behavioral differences that take effect when using Vault with an HSM.

Key Split Between Unseal Keys and Recovery Keys

Normally, Vault uses a single set of unseal keys to perform both decryption of the cryptographic barrier and to authorize recovery operations, such as the generate-root functionality.

When using an HSM, because the HSM automatically unseals the barrier but recovery operations should still have human oversight, Vault instead uses two sets of keys: unseal keys and recovery keys.

Unseal (Master) Key

Vault usually generates a master key and splits it using Shamir's Secret Sharing to prevent a single operator from being able to modify and unseal Vault (see more information about Vault's security model here).

When using an HSM, Vault instead stores the master key, encrypted by the HSM, into its internal storage. As a result, during an init command, the number of key shares, threshold, and stored shares are required to be set to 1, meaning to not split the master key, so that the single key share is itself the master key. (Vault does not do this automatically as it generally prefers to error rather than change parameters set by an operator.)

Both rekeying the master key and rotation of the underlying data encryption key are supported when using an HSM.

Recovery Key

When Vault is initialized while using an HSM, rather than unseal keys being returned to the operator, recovery keys are returned. These are generated from an internal recovery key that is split via Shamir's Secret Sharing, similar to Vault's treatment of unseal keys when running without an HSM.

Details about initialization and rekeying follow. When performing an operation that uses recovery keys, such as generate-root, selection of the recovery keys for this purpose, rather than the barrier unseal keys, is automatic.

Initialization

When initializing, the split is performed according to the following CLI flags and their API equivalents in the /sys/init endpoint:

  • recovery-shares: The number of shares into which to split the recovery key. This value is equivalent to the recovery_shares value in the API endpoint.
  • recovery-threshold: The threshold of shares required to reconstruct the recovery key. This value is equivalent to the recovery_threshold value in the API endpoint.
  • recovery-pgp-keys: The PGP keys to use to encrypt the returned recovery key shares. This value is equivalent to the recovery_pgp_keys value in the API endpoint, although as with pgp_keys the object in the API endpoint is an array, not a string.

Additionally, Vault will refuse to initialize if the option has not been set to generate a key but no key is found. See Configuration for more details.

Rekeying

Unseal Key

Vault's unseal key can be rekeyed using a normal vault operator rekey operation from the CLI or the matching API calls. The rekey operation is authorized by meeting the threshold of recovery keys. After rekeying, the new barrier key is wrapped by the HSM and stored like the previous key; it is not returned to the users that submitted their recovery keys.

Recovery Key

The recovery key can be rekeyed to change the number of shares/threshold or to target different key holders via different PGP keys. When using the Vault CLI, this is performed by using the -recovery-key=true flag to vault operator rekey.

Via the API, the rekey operation is performed with the same parameters as the normal /sys/rekey endpoint; however, the API prefix for this operation is at /sys/rekey-recovery-key rather than /sys/rekey.