Enable encrypted config parameters #8562
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This can use a defined KMS within the configuration marked for `config`
purpose to encrypt or decrypt values. These values can be decrypted with
a corresponding seal/kms block at runtime, so in practice, an operator
that has access to the secrets can run the encrypt command, but the
resulting file is then safe to pass through e.g. CI/CD or store in Git
for deployment.
An example (you'd not want to actually use an AEAD KMS in real life, but
this works well for demo/test):
```
listener "tcp" {
address = "127.0.0.1:8205"
tls_disable = true
}
telemetry {
prometheus_retention_time = "{{encrypt(24h)}}"
disable_hostname = true
}
storage "inmem" {
}
kms "aead" {
purpose = "autoseal"
key = "{{encrypt(kcI2Pyo6jZBRE9Nr7sdniVAYCRwEmOE93tw7qS0Hjq4=)}}"
aead_type = "aes-gcm"
}
kms "aead" {
purpose = "config"
key = "kcI2Pyo6jZBRE9Nr7sdniVAYCRwEmOE93tw7qS0Hjq4="
aead_type = "aes-gcm"
}
```
This becomes encrypted via the command to:
```
listener "tcp" {
address = "127.0.0.1:8205"
tls_disable = true
}
telemetry {
prometheus_retention_time = "{{decrypt(Ch-feItbSZwpND15ovFKly_nFxfEnjlpz3g-f-4RVIon)}}"
disable_hostname = true
}
storage "inmem" {
}
kms "aead" {
purpose = "autoseal"
key = "{{decrypt(Ckg1MovuQwkMyK4m2VKNG0WLnOjsqFxU0WDPu2KIL8_dbQWf4xAOxdG9U8suhu9zargZOo4X50IvxHeyfbT6mHgvQfaZEarnSWk)}}"
aead_type = "aes-gcm"
}
kms "aead" {
purpose = "config"
key = "kcI2Pyo6jZBRE9Nr7sdniVAYCRwEmOE93tw7qS0Hjq4="
aead_type = "aes-gcm"
}
```
At runtime Vault will pass config files, before decoding, to a function
that decrypts with the given KMS.
As is apparent from the example, a nice feature of this is the ability
to encrypt the other seal/KMS block parameters.
sgmiller
reviewed
Jul 21, 2020
| return 0 | ||
| } | ||
|
|
||
| file, err := os.Create(path) |
There was a problem hiding this comment.
Might be handy to have an --output flag (optional) so one could transform into a target file without overwrite. Or is the intent merely redirecting stdout to said file.
| c.configKMS = kms | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Nitpick: Could refactor for code reuse w/ the operator encrypt/decrypt, but nbd.
| @@ -508,7 +506,7 @@ func testLoadConfigDir(t *testing.T) { | |||
| } | |||
|
|
|||
| func testConfig_Sanitized(t *testing.T) { | |||
| config, err := LoadConfigFile("./test-fixtures/config3.hcl") | |||
| config, err := LoadConfigFile("./test-fixtures/config3.hcl", nil) | |||
| if err != nil { | |||
| t.Fatalf("err: %s", err) | |||
| } | |||
There was a problem hiding this comment.
Is there a way to unit test the encrypt/decrypt functionality?
VioletHynes
added
the
hashicorp-contributed-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This provides a new command,
vault operator config encrypt/decryptthat can use a defined KMS within the configuration marked forconfigpurpose to encrypt or decrypt values. These values can be decrypted with a corresponding seal/kms block at runtime, so in practice, an operator that has access to the secrets can run the encrypt command, but the resulting file is then safe to pass through e.g. CI/CD or store in Git for deployment.(Internal RFC link: https://docs.google.com/document/d/1zupY4OTTpwSgBqDAClywyyy_JpNXiY_sqFly0b3z0aY/edit#heading=h.7sk1hglz1ywl)
An example (you'd not want to actually use an AEAD KMS in real life, but this works well for demo/test):
This becomes encrypted via the command to:
At runtime Vault will pass config files, before decoding, to a function that decrypts with the given KMS.
As is apparent from the example, a nice feature of this is the ability to encrypt the other seal/KMS block parameters.