Document the procedure to use gpg keys with vault init. #682

Closed
eedgar opened this Issue Oct 8, 2015 · 17 comments

@eedgar

eedgar commented Oct 8, 2015

I would like to explore using gpg keys to encrypt the keys but the documentation is fairly vague on how to do this.

jefferai Oct 8, 2015

Member

Hi,

Take a look at the output of vault init -h -- I think this will give you the information you need!

eedgar Oct 8, 2015

My exploration has uncovered how to do this. Documenting for others. This may not be secure; use at your own risk.

  1. Generate individual keys; you will need one key for each key-share:
     gpg --gen-key
     (1) RSA and RSA
     (2) 4096 keysize
     (3) 1 year # Note this can be shorter but you will need to renew the key
     (4) Real Name # eg John Doe
     (5) email address
     (6) comment # John Doe's vault signing key
     (7) Ok
     (8) Use a memorable passphrase

  2. Export the generated pubkey for use on the vault server. Use gpg -K to list the keys:
     sec 4096R/1659DFAB 2015-10-08 [expires: 2016-10-07]
     uid John Doe (Vault Signing Key) john@doe.com
     ssb 4096R/7C55979E 2015-10-08

     gpg --export 4096R/1659DFAB > JohnDoeVaultPubKey.out

     Copy the JohnDoeVaultPubKey.out to the vault server.

  3. Once you have a few keys you are ready to initialize the vault. My next example is insecure because we are using a single key-share. Please follow the documentation and use 3 or more. Also I had started my vault server without https enabled. In a production server you will want https.

[root@vault-dev files]# VAULT_ADDR=http://localhost:8200 vault init -key-shares=1 -key-threshold=1 -pgp-keys /tmp/JohnDoeVaultPubKey.out
Key 1: c1c14c03538a08cea61cebed01100006b38f89b531e74086f47a9e63251f4b9375990d0bf034373c3ae2769e1601282c48b56b1a7db5948b41644b2e8a438f22e498eea5b90a63b5e93231e8b2ef87ca607819bd0df
...
c29465e13c863d8d541e41c32e02fe4ac11b5719a4bb6dc5404c3b62b757affe25128d33fe19fa800
Initial Root Token: 0f70cd41-5982-a8cf-637a-93de48a2c40c

Send Key 1 back to the first user to decrypt so that it can be used to unseal the vault or seal it if necessary.

echo c1c14..... | xxd -r -p > vault.gpg

gpg -d vault.gpg # you will need the pass phrase from creating the gpg key

Assuming you did everything right, you should have one of your unseal keys:
f440229dd758fac734d9cbbca0404d3d2942f245f0927f84a33ef11372945305

VAULT_ADDR=http://localhost:8200 vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0

jefferai Oct 8, 2015

Member

Glad you got it sorted!

@jefferai jefferai closed this Oct 8, 2015

eedgar Oct 8, 2015

I still think this should be documented at least in a tips/tricks page for others who may not be total security experts

chiefy Jan 18, 2016

Contributor

👍 this would be super helpful to include in the docs

jefferai Jan 18, 2016

Member

This won't be included as it's too specific to one person's methodology and needs. You can feel free to ask questions on the mailing list if you're stuck, though!

chiefy Jan 18, 2016

Contributor

@jefferai not sure if this is a bug but I can't seem to get base64 pub keys to work:

* invalid seal configuration: Error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB set

If I export my pub key as binary, everything works as expected.

Using vault 0.4.1:

 -pgp-keys                If provided, must be a comma-separated list of
                          files on disk containing binary- or base64-format
                          public PGP keys. The number of files must match
                          'key-shares'. The output unseal keys will encrypted
                          and hex-encoded, in order, with the given public keys.
                          If you want to use them with the 'vault unseal'
                          command, you will need to hex decode and decrypt;
                          this will be the plaintext unseal key.
jefferai Jan 18, 2016

Member

@chiefy what was your procedure? Did you take the binary file and run it through b64?

chiefy Jan 18, 2016

Contributor

@jefferai no, I used the gpg CLI to export: gpg --export -a mykey. My bad, it should've been gpg --export mykey | base64. I'm such a n00b.

jefferai Jan 18, 2016

Member

@chiefy I took a quick look and I was right; although the value exported by -a in gpg is b64 encoded, it's not a straight encoding of the key; it's a PEM-ish format that is an ASCII armored keychain file. I can put in some logic to handle these.
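The armor-versus-base64 mix-up discussed above, as an added example (this is my code, not Vault's own key loader, and the sample key bytes are constructed, not a real key): the -pgp-keys help text accepts a binary or base64 key, while gpg --export -a emits a PEM-like armored block that is neither. load_pgp_key below accepts all three forms; with accept_armor=False it reproduces the pre-fix behaviour, where the armored file is handed to the packet parser as-is and the leading '-' triggers the "tag byte does not have MSB set" error.

```python
import base64

# Constructed sample, not a real key: 0x99 is the old-format public-key packet header a binary `gpg --export` starts with; the rest is filler.
SAMPLE_BINARY_KEY = bytes([0x99, 0x00, 0x04, 0x04, 0x55, 0xAA, 0x01, 0x02])
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:  # OpenPGP CRC-24, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(binary: bytes) -> str:
    # What `gpg --export -a` emits: a PEM-like block, not plain base64 of the key.
    body = base64.b64encode(binary).decode()
    check = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "Version: constructed sample", "",
                      body, "=" + check, ARMOR_END, ""])

def dearmor(text: str) -> bytes:
    lines = [line.strip() for line in text.splitlines()]
    block = lines[lines.index(ARMOR_BEGIN) + 1:lines.index(ARMOR_END)]
    if "" in block:  # armor header lines end at the first blank line
        block = block[block.index("") + 1:]
    body = base64.b64decode("".join(l for l in block if not l.startswith("=")))
    checks = [l for l in block if l.startswith("=")]  # "=XXXX" CRC-24 line
    if checks and base64.b64decode(checks[0][1:]) != crc24(body).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 mismatch")
    return body

def load_pgp_key(data: bytes, accept_armor: bool = True) -> bytes:
    """Return the binary key behind a -pgp-keys file (binary, base64 or armored)."""
    text = data.decode("ascii", errors="ignore")
    if ARMOR_BEGIN in text and accept_armor:
        raw = dearmor(text)
    else:
        try:  # plain base64 of the binary export, possibly line-wrapped
            raw = base64.b64decode("".join(text.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            raw = data  # not base64: treat the file as the binary export itself
    # Every OpenPGP packet header byte has its MSB set; the '-' (0x2D) opening an unrecognised armor block does not.
    if not raw or not raw[0] & 0x80:
        raise ValueError("openpgp: invalid data: tag byte does not have MSB set")
    return raw
SAMPLE_BASE64_KEY = base64.b64encode(SAMPLE_BINARY_KEY)
```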

jefferai Jan 18, 2016

Member

@chiefy ah, didn't see your comment, but we can easily support this anyways. The code already exists for Keybase, so I've filed the new issue to track porting it over.

chiefy Jan 18, 2016

Contributor

@jefferai 👍 thanks!

jefferai Jan 18, 2016

Member

@chiefy Support is in master. I wrote unit tests and did some manual testing, but if you don't mind testing it in your environment as well that would be great.

OWSM Feb 10, 2016

PGP usage should really be in the docs. It's an incredibly useful feature.

sgujrati16 Jun 23, 2016

@chiefy Thanks for sharing your post. Very helpful.
