
Unable to write .jks (Java Key Store) to Vault #1286

Closed
tyrostone opened this issue Apr 4, 2016 · 4 comments

Comments

@tyrostone

I would like to store several jks files to Vault, then retrieve them and write them to disk. However, I am encountering issues in my attempts. I've tried two ways of doing this: writing to Vault using @file and writing to Vault using value=@file. Details below:

1. I attempted to write to Vault with the following command:

```
vault write secret/testsecret @faketruststore.jks
```

When I use this command, I get the following error:

```
Error loading data: Invalid key/value pair '@truststore-qa.jks': invalid character 'þ' looking for beginning of value
```

2. I can successfully write this to Vault using the following command:

```
vault write secret/testsecret value=@faketruststore.jks
```

However, when I attempt to write this to disk (using the Python hvac/Vault client), I encounter one of two problems:

A. A Python error when writing to disk:

```
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3: ordinal not in range(128)
```

B. A Java error when attempting to use the content written to disk:

```
javax.crypto.BadPaddingException: Given final block not properly padded
```

I would like to be able to write and retrieve this data using the @ alone (scenario 1). I would also love more insight into how this data is stored/interpreted in Vault, for my own troubleshooting purposes.

@vishalnayak
Member

@tyrostone
The `vault write secret/*` endpoint stores any arbitrary data that can be represented in JSON format.

I don't understand the distinction between being able to write to Vault and not being able to write to the disk. If you are using a storage backend with Vault, anything you store in Vault will land in the storage backend.

In order to avoid encoding issues, you can try base64 encoding the input and then storing it as a value for a JSON key.

You can then read the value corresponding to the key, base64 decode it and then use it.

Hope this helps!

@jefferai
Member

jefferai commented Apr 4, 2016

@tyrostone Just to add to what @vishalnayak said, using the @ syntax will read in a file but doesn't process it in any way -- it treats it verbatim as a string. The API is pure JSON, so you can't just send binary data over, even represented as a string. However, if you want to use the CLI, you can do something like this:

```
$ base64 Archive.zip | vault write secret/testsecret value=-
Success! Data written to: secret/testsecret

$ vault read -field=value secret/testsecret | base64 -d > Archive.zip.out

$ sha256sum Archive.zip*
973749b7aeb66d48e0694d9b921676ce470a84386c7c856f82cb2dc2615a09cb  Archive.zip
973749b7aeb66d48e0694d9b921676ce470a84386c7c856f82cb2dc2615a09cb  Archive.zip.out
```

Hope that helps!
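The base64 wrapping that both replies above recommend, worked through in Python since the reporter is using the hvac client; this is an added example, not code from the thread or from Vault itself. The Vault write/read is simulated as JSON serialisation (which is what the HTTP API applies to every secret), no hvac call is made, and the sample keystore bytes are constructed: only the leading `0xFEEDFEED` magic matches a real JKS file.

```python
import base64
import hashlib
import json

# Constructed sample: a real JKS file starts with the magic 0xFEEDFEED,
# which is why the CLI choked on the character 'þ' (0xFE). The filler
# bytes that follow stand in for the keystore body.
SAMPLE_JKS = bytes.fromhex("feedfeed00000002") + bytes(range(256))


def encode_for_vault(blob: bytes) -> dict:
    """Wrap arbitrary bytes as a JSON-safe secret payload.

    The generic secret backend only accepts JSON, so the bytes become an
    ASCII base64 string under one key; the digest lets the reader verify
    the round trip, as the sha256sum comparison in the thread does.
    """
    return {
        "value": base64.b64encode(blob).decode("ascii"),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def decode_from_vault(data: dict) -> bytes:
    """Reverse encode_for_vault, rejecting a payload that does not match."""
    blob = base64.b64decode(data["value"], validate=True)
    if hashlib.sha256(blob).hexdigest() != data["sha256"]:
        raise ValueError("secret payload does not match its recorded digest")
    return blob


def roundtrip_through_json(blob: bytes) -> bytes:
    """Simulate write then read: the payload must survive JSON serialisation."""
    stored = json.dumps(encode_for_vault(blob))   # what Vault receives
    return decode_from_vault(json.loads(stored))  # what the client reads back


def write_secret_to_disk(data: dict, path: str) -> int:
    """Write the decoded bytes in binary mode; a text-mode open is what
    raises UnicodeEncodeError for non-ASCII content. Returns bytes written."""
    blob = decode_from_vault(data)
    with open(path, "wb") as fh:
        return fh.write(blob)


if __name__ == "__main__":
    assert roundtrip_through_json(SAMPLE_JKS) == SAMPLE_JKS
    n = write_secret_to_disk(encode_for_vault(SAMPLE_JKS), "restored.jks")
    print(n, "bytes restored")
```

With a real client, the dict returned by `encode_for_vault` is what goes into the write call and the dict read back is what `decode_from_vault` consumes.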

@tyrostone
Author

@jefferai and @vishalnayak thanks for the responses! This works in Vault 0.4.1 (it does not in Vault 0.2.0).

@jefferai
Member

jefferai commented Apr 5, 2016

Hi @tyrostone ,

Generally speaking the advice we give corresponds to the latest released version, unless we are told that you are running a previous version (this also is the case for our website documentation, which always corresponds to the latest released version).

Because Vault is moving rapidly, it is very hard for us to support old versions, and because there are security updates (both within Vault and within our dependencies, such as Go) we recommend keeping relatively up-to-date with our releases. If you've just migrated to 0.4.1 from 0.2, I do strongly recommend upgrading to 0.5.2 as well.
