Using HashiCorp Vault Built In Signing Capability (NIST curves only)
jimthematrix edited this page Mar 8, 2020
Signing with NIST standard curves is supported with the built-in transit
secret engine. It must first be enabled.
$ vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/
Use the transit engine to generate new signing keys. Note that the default key type is aes256-gcm96,
which only supports encryption/decryption. To generate a signing key, pass the type parameter
with the value ecdsa-p256:
$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"type":"ecdsa-p256"}' http://localhost:8200/v1/transit/keys/signingKey-1
You can list them:
$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" http://localhost:8200/v1/transit/keys -X LIST |jq
{
"request_id": "15f87d0a-8465-9bd4-c3a8-44cc9e9f09de",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"my-key1",
"my-key2"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
To see details such as the public key:
$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" http://localhost:8200/v1/transit/keys/my-key2 |jq
{
"request_id": "18aaea03-33e9-bb87-9d59-ff8bfd1e3f3f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"allow_plaintext_backup": false,
"deletion_allowed": false,
"derived": false,
"exportable": false,
"keys": {
"1": {
"creation_time": "2020-02-14T15:29:24.645615-05:00",
"name": "P-256",
"public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDuv5joQsiAiiwkvxFWdwuT8hDl/Q\nAMpLqzYEOpPqA7mFx29ESyDeHj9cTapvli9Vs0JN3PIc78MyurINUOCNvA==\n-----END PUBLIC KEY-----\n"
}
},
"latest_version": 1,
"min_available_version": 0,
"min_decryption_version": 1,
"min_encryption_version": 0,
"name": "my-key2",
"supports_decryption": false,
"supports_derivation": false,
"supports_encryption": false,
"supports_signing": true,
"type": "ecdsa-p256"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Use it to sign data; the input must be base64-encoded:
$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"input": "aGVsbG8gd29ybGQuCg=="}' http://localhost:8200/v1/transit/sign/my-key2 |jq
{
"request_id": "466ce263-a2eb-e71b-8ee9-b8f4bab4b2ea",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"signature": "vault:v1:MEUCIQDorJmWf3MNsfwgww5oCipfxRPNI9hfxC69PiXOQWW0wgIgYiloF5U4NTj2MkxRgagI5AYrEGBuWA6GSRDzQVc0gdI="
},
"wrap_info": null,
"warnings": null,
"auth": null
}