
Support external decryption of tls_key_file #6716

Open
sgrimm-sg opened this issue May 10, 2019 · 1 comment

Comments

@sgrimm-sg

Vault reads its TLS private key from the server's filesystem, and requires it to be in plaintext unless a human is present to supply a passphrase.

That's not ideal when auto-unseal is enabled, since it means a human still has to be present to spin up a new Vault instance even though there's no longer an unseal key.

Auto-unseal environments need an external service that supports encrypting and decrypting data. That could be used to decrypt the private key, such that the key doesn't need to be stored in plaintext on the server filesystem but Vault can still start up with TLS enabled without human intervention.

@dwanderson-intel

I was able to pipe the password in and things worked as desired.

cat /path/to/ssl_password_file | /usr/bin/vault server

(my actual implementation is a little more involved, but that's the gist of it)
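A wrapper in the spirit of the comment above, as an added example that is not from the issue or from Vault itself: the TLS key stays encrypted on disk, the passphrase is produced at boot by an external decryption service and reaches Vault only through a pipe, and the wrapper refuses to start if the key on disk turns out to be plaintext. All paths, variable names and the decrypt command are assumptions.

```shell
#!/bin/sh
# Added example: start Vault with an encrypted TLS private key, fetching the
# passphrase from an external decryptor and feeding it to Vault on stdin.
set -eu

# Assumed locations; override via the environment.
: "${VAULT_BIN:=/usr/bin/vault}"
: "${VAULT_CONFIG:=/etc/vault/config.hcl}"
: "${TLS_KEY_FILE:=/etc/vault/tls/key.pem}"
: "${ENC_PASSPHRASE_FILE:=/etc/vault/tls/key_passphrase.enc}"
# DECRYPT_CMD reads the ciphertext on stdin and writes the passphrase on stdout.
# Assumed example for an AWS KMS wrapper (not verified here):
#   DECRYPT_CMD='aws kms decrypt --ciphertext-blob fileb:///dev/stdin \
#                 --query Plaintext --output text | base64 -d'
: "${DECRYPT_CMD:=}"

# Returns 0 if the PEM file is encrypted, 1 otherwise. Both PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM ("Proc-Type: 4,ENCRYPTED")
# carry the word ENCRYPTED in the header.
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# Run the external decryptor; the plaintext passphrase only exists in a pipe,
# never in a file or a command-line argument visible in the process list.
fetch_passphrase() {
  [ -n "$DECRYPT_CMD" ] || { echo "DECRYPT_CMD is not set" >&2; return 1; }
  sh -c "$DECRYPT_CMD" < "$ENC_PASSPHRASE_FILE"
}

start_vault() {
  key_is_encrypted "$TLS_KEY_FILE" || {
    echo "refusing to start: $TLS_KEY_FILE is not an encrypted PEM" >&2
    return 1
  }
  umask 077
  # Vault prompts for the key passphrase on stdin; supply it from the pipe.
  fetch_passphrase | "$VAULT_BIN" server -config="$VAULT_CONFIG"
}

if [ "${1:-}" = "start" ]; then
  start_vault
fi
```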
