Enable encrypted config parameters #8562
This can use a defined KMS within the configuration marked for `config` purpose to encrypt or decrypt values. These values can be decrypted with a corresponding seal/kms block at runtime, so in practice, an operator that has access to the secrets can run the encrypt command, but the resulting file is then safe to pass through e.g. CI/CD or store in Git for deployment.

An example (you'd not want to actually use an AEAD KMS in real life, but this works well for demo/test):

```
listener "tcp" {
  address = "127.0.0.1:8205"
  tls_disable = true
}

telemetry {
  prometheus_retention_time = "{{encrypt(24h)}}"
  disable_hostname = true
}

storage "inmem" {
}

kms "aead" {
  purpose = "autoseal"
  key = "{{encrypt(kcI2Pyo6jZBRE9Nr7sdniVAYCRwEmOE93tw7qS0Hjq4=)}}"
  aead_type = "aes-gcm"
}

kms "aead" {
  purpose = "config"
  key = "kcI2Pyo6jZBRE9Nr7sdniVAYCRwEmOE93tw7qS0Hjq4="
  aead_type = "aes-gcm"
}
```

This becomes encrypted via the command to:

```
listener "tcp" {
  address = "127.0.0.1:8205"
  tls_disable = true
}

telemetry {
  prometheus_retention_time = "{{decrypt(Ch-feItbSZwpND15ovFKly_nFxfEnjlpz3g-f-4RVIon)}}"
  disable_hostname = true
}

storage "inmem" {
}

kms "aead" {
  purpose = "autoseal"
  key = "{{decrypt(Ckg1MovuQwkMyK4m2VKNG0WLnOjsqFxU0WDPu2KIL8_dbQWf4xAOxdG9U8suhu9zargZOo4X50IvxHeyfbT6mHgvQfaZEarnSWk)}}"
  aead_type = "aes-gcm"
}

kms "aead" {
  purpose = "config"
  key = "kcI2Pyo6jZBRE9Nr7sdniVAYCRwEmOE93tw7qS0Hjq4="
  aead_type = "aes-gcm"
}
```

At runtime Vault will pass config files, before decoding, to a function that decrypts with the given KMS. As is apparent from the example, a nice feature of this is the ability to encrypt the other seal/KMS block parameters.
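A worked model of the marker rewriting the description sketches, added here as an example and not code from this PR or from Vault: an operator-side pass turns `{{encrypt(v)}}` into `{{decrypt(c)}}` under the config-purpose AES-GCM key, and a runtime pass resolves `{{decrypt(c)}}` back to plaintext before the file reaches the HCL decoder, failing the whole load on any bad marker. The function name `Rewrite` and the ciphertext envelope (base64url of nonce||AES-GCM output) are assumptions, not the PR's actual wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"regexp"
)

// Marker syntax from the PR description: {{encrypt(v)}} in, {{decrypt(c)}} out. The
// envelope used here (base64url of nonce||AES-GCM output) is assumed, not the PR's format.
var markerRe = regexp.MustCompile(`\{\{(encrypt|decrypt)\(([^)]*)\)\}\}`)

// Rewrite resolves every marker of the named kind ("encrypt" for the operator command,
// "decrypt" at runtime before HCL decoding) under the config-purpose AES-GCM key.
// Any failure fails the whole file: a bad marker must never be passed through.
func Rewrite(cfg, kind string, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	kms, _ := cipher.NewGCM(block) // AES block size is always valid for GCM
	out := markerRe.ReplaceAllStringFunc(cfg, func(m string) string {
		sub := markerRe.FindStringSubmatch(m)
		if sub[1] != kind || err != nil {
			return m // leave other markers alone; stop working after the first error
		}
		if kind == "encrypt" {
			nonce := make([]byte, kms.NonceSize())
			if _, err = rand.Read(nonce); err != nil {
				return m
			}
			ct := kms.Seal(nonce, nonce, []byte(sub[2]), nil)
			return "{{decrypt(" + base64.RawURLEncoding.EncodeToString(ct) + ")}}"
		}
		ct, e := base64.RawURLEncoding.DecodeString(sub[2])
		if e != nil || len(ct) < kms.NonceSize() {
			err = errors.New("malformed {{decrypt()}} marker")
			return m
		}
		pt, e := kms.Open(nil, ct[:kms.NonceSize()], ct[kms.NonceSize():], nil) // tampering or a different key fails here
		if e != nil {
			err = e
			return m
		}
		return string(pt)
	})
	return out, err
}
```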
return 0 | ||
} | ||
|
||
file, err := os.Create(path) |
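Review bot: `os.Create(path)` truncates and overwrites the target in place with the default 0666 mode (before umask), which matters here because the decrypt direction writes plaintext secrets to that file; prefer `os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)`, or write to a temporary file in the same directory and rename it over the destination so a failed partial write cannot leave a truncated config behind.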
Might be handy to have an `--output` flag (optional) so one could transform into a target file without overwrite. Or is the intent merely redirecting stdout to said file?
c.configKMS = kms | ||
} | ||
} | ||
|
Nitpick: Could refactor for code reuse w/ the operator encrypt/decrypt, but nbd.
@@ -508,7 +506,7 @@ func testLoadConfigDir(t *testing.T) { | |||
} | |||
|
|||
func testConfig_Sanitized(t *testing.T) { | |||
config, err := LoadConfigFile("./test-fixtures/config3.hcl") | |||
config, err := LoadConfigFile("./test-fixtures/config3.hcl", nil) | |||
if err != nil { | |||
t.Fatalf("err: %s", err) | |||
} |
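Review bot: the updated call `LoadConfigFile("./test-fixtures/config3.hcl", nil)` passes nil for the new KMS argument, so this test only shows the old path still loads and never exercises the decrypt hook; add a fixture containing `{{decrypt(...)}}` values together with a `kms "aead"` block of `purpose = "config"` and assert the loaded config holds the plaintext, plus a negative case (wrong key or altered ciphertext) asserting the load fails rather than silently keeping the marker string.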
Is there a way to unit test the encrypt/decrypt functionality?
This provides a new command, `vault operator config encrypt/decrypt`, that can use a defined KMS within the configuration marked for `config` purpose to encrypt or decrypt values. These values can be decrypted with a corresponding seal/kms block at runtime, so in practice, an operator that has access to the secrets can run the encrypt command, but the resulting file is then safe to pass through e.g. CI/CD or store in Git for deployment. (Internal RFC link: https://docs.google.com/document/d/1zupY4OTTpwSgBqDAClywyyy_JpNXiY_sqFly0b3z0aY/edit#heading=h.7sk1hglz1ywl)