Skip to content

Using HashiCorp Vault Built In Signing Capability (NIST curves only)

Jump to bottom
jimthematrix edited this page Mar 8, 2020 · 2 revisions

Signing with NIST standard curves is supported with the built-in transit secret engine. It must first be enabled.

$ vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/

Use the transit engine to generate new signing keys. Note that the default key type is aes256-gcm96 which is only for encryption/decryption. To generate a signing key, specify the type: ecdsa-p256 parameter:

curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"type":"ecdsa-p256"}' http://localhost:8200/v1/transit/keys/signingKey-1

You can list them:

$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" http://localhost:8200/v1/transit/keys -X LIST |jq
{
  "request_id": "15f87d0a-8465-9bd4-c3a8-44cc9e9f09de",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "my-key1",
      "my-key2"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

For details like public key:

$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" http://localhost:8200/v1/transit/keys/my-key2 |jq
{
  "request_id": "18aaea03-33e9-bb87-9d59-ff8bfd1e3f3f",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "allow_plaintext_backup": false,
    "deletion_allowed": false,
    "derived": false,
    "exportable": false,
    "keys": {
      "1": {
        "creation_time": "2020-02-14T15:29:24.645615-05:00",
        "name": "P-256",
        "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDuv5joQsiAiiwkvxFWdwuT8hDl/Q\nAMpLqzYEOpPqA7mFx29ESyDeHj9cTapvli9Vs0JN3PIc78MyurINUOCNvA==\n-----END PUBLIC KEY-----\n"
      }
    },
    "latest_version": 1,
    "min_available_version": 0,
    "min_decryption_version": 1,
    "min_encryption_version": 0,
    "name": "my-key2",
    "supports_decryption": false,
    "supports_derivation": false,
    "supports_encryption": false,
    "supports_signing": true,
    "type": "ecdsa-p256"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Use it to sign data:

$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"input": "aGVsbG8gd29ybGQuCg=="}' http://localhost:8200/v1/transit/sign/my-key2 |jq
{
  "request_id": "466ce263-a2eb-e71b-8ee9-b8f4bab4b2ea",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "signature": "vault:v1:MEUCIQDorJmWf3MNsfwgww5oCipfxRPNI9hfxC69PiXOQWW0wgIgYiloF5U4NTj2MkxRgagI5AYrEGBuWA6GSRDzQVc0gdI="
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
Clone this wiki locally