These assets are provided to perform the tasks described in the Transit Secret Re-wrapping guide.
The following files are provided as demo scripts:
- `demo_setup.sh` performs Step 1 through 3 in the guide
  - Pull and run the MySQL server 5.7 Docker container
  - Enable the transit secret engine
  - Create the `my_app_key` encryption key
  - Create the `rewrap_example` policy
  - Generate a token to be used by the app
- `run_app.sh` performs Step 4 in the guide
  - Runs the example app
  - Prints out the commands to explore the MySQL DB
- `rewrap_example.sh` performs Step 5 in the guide
  - Read the `my_app_key` details BEFORE the key rotation
  - Rotate the `my_app_key` encryption key
  - Read the `my_app_key` details AFTER the key rotation
  - Prints out the command to set the `min_decryption_version`
  - Read the
- `cleanup.sh` re-sets your environment
NOTE: DON'T FORGET that this demo requires .NET Core and Docker to run the sample app.
1. Run `demo_setup.sh`
2. Run `run_app.sh`
   - Open another terminal
   - Copy and paste the suggested commands to explore the `user_data` table in MySQL
3. Run `rewrap_example.sh` a couple of times and review the key version
4. Run `run_app.sh` again
   - See that the data in the `user_data` table is now rewrapped with the latest encryption key version
To demonstrate the minimum key version restriction feature, repeat #3 and then run the command suggested in the output (`vault write transit/keys/my_app_key/config min_decryption_version=3`). Then repeat #4.
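The rewrap decision the example app has to make for each `user_data` row, as an added example that is not part of the demo scripts: it parses the key version out of a transit ciphertext (`vault:v<N>:<payload>`), compares it with the key's `latest_version` and `min_decryption_version`, and builds the request for Vault's `transit/rewrap/<key>` endpoint. The sample rows and their payloads are constructed placeholders, not real Vault output.

```python
"""Classify Vault transit ciphertexts by key version before re-wrapping."""
import re
from dataclasses import dataclass

# Vault transit ciphertext format: "vault:v<key_version>:<base64 payload>"
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):(\S+)$")


def ciphertext_version(ciphertext: str) -> int:
    """Return the key version a transit ciphertext was produced with."""
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError(f"not a transit ciphertext: {ciphertext!r}")
    return int(m.group(1))


@dataclass(frozen=True)
class KeyState:
    latest_version: int           # from `vault read transit/keys/my_app_key`
    min_decryption_version: int   # versions below this can no longer be decrypted


def classify(ciphertext: str, key: KeyState) -> str:
    """'stale' rows can neither be decrypted nor rewrapped any more;
    'rewrap' rows decrypt fine but use an older key version."""
    v = ciphertext_version(ciphertext)
    if v < key.min_decryption_version:
        return "stale"
    if v < key.latest_version:
        return "rewrap"
    return "current"


def plan_rewrap(rows, key: KeyState) -> dict:
    """Group row ids by status: {'current': [...], 'rewrap': [...], 'stale': [...]}."""
    plan = {"current": [], "rewrap": [], "stale": []}
    for row_id, ciphertext in rows:
        plan[classify(ciphertext, key)].append(row_id)
    return plan


def rewrap_request(ciphertext: str, key_name: str = "my_app_key"):
    """Path and body for POST transit/rewrap/<key_name>, which re-encrypts
    the ciphertext under the latest key version without exposing plaintext."""
    return f"transit/rewrap/{key_name}", {"ciphertext": ciphertext}


# Constructed sample rows (placeholder payloads), one per key version.
SAMPLE_ROWS = [(1, "vault:v1:AAAAexample1"), (2, "vault:v2:AAAAexample2"),
               (3, "vault:v3:AAAAexample3"), (4, "vault:v4:AAAAexample4")]

if __name__ == "__main__":
    # Key rotated to v4, then min_decryption_version=3 as in the guide above.
    print(plan_rewrap(SAMPLE_ROWS, KeyState(latest_version=4, min_decryption_version=3)))
```

Rows reported as `stale` are exactly the ones that were not rewrapped before `min_decryption_version` was raised, which is why the guide rewraps first and restricts afterwards.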
Finally, run `cleanup.sh` to re-set your environment so that you can repeat the demo as necessary.
WARNING: `cleanup.sh` disables the transit secret engine. All encryption keys will be deleted. If you are working against a shared Vault server, you might want to manually clean up the environment instead.