<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/acme.jpeg width=100 align="left">

# Key Management Secrets Engine

You want to keep the root of trust in Vault and control the full lifecycle (creation, distribution, rotation) of the encryption keys you hand to cloud KMS providers.

<img src="images/vault-tokenization-1.png">


**Prerequisites:**
* Vault Enterprise binary with Advanced Data Protection
* Vault License

## Setup

In [6]:
/bin/rm -rf $HOME/demos/vault_cluster/vrd/data/*

In [148]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true
export VAULT_ROOT_TOKEN=root

In [16]:
which vault
vault --version


/usr/local/bin/vault
Vault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)


**EXECUTE the following command in a SEPARATE window**

```
VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 evault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional
```
OR   
`evrd1`   

## (Optional)  Apply the license

In [151]:
curl \
    --insecure \
    --header "X-Vault-Token: $VAULT_ROOT_TOKEN" \
    --request PUT \
    --data @/Users/tio/Documents/vault_license.json \
    $VAULT_ADDR/v1/sys/license

In [152]:
vault status

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.1+ent
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-60e9d409
Cluster ID      5c25711e-51db-0b79-f3d5-4e9a0080828e
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active
Last WAL        35


##### Notice Initialized (=true) and Sealed (=false) status 

## Enable the Key Management secrets engine

In [201]:
vault secrets enable keymgmt

Success! Enabled the keymgmt secrets engine at: keymgmt/


### Write keys

Let's write a pair of RSA-2048 keys to the secrets engine. Vault generates and holds the private key; reading the key back returns only the public half plus metadata (versions, `deletion_allowed`).


In [203]:
vault write keymgmt/key/rsa-1 type="rsa-2048"

Success! Data written to: keymgmt/key/rsa-1


In [206]:
vault write keymgmt/key/rsa-2 type="rsa-2048"

Success! Data written to: keymgmt/key/rsa-2


### Read keys

In [204]:
vault read keymgmt/key/rsa-1 -format=json | jq

{
  "request_id": "667cd555-6243-ff53-4953-2883e75f75a7",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "deletion_allowed": false,
    "keys": {
      "1": {
        "creation_time": "2020-12-30T20:00:16.657277+08:00",
        "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnd93GYWYFuZrQZucqXQc\ndcgQXuEgN4EdRxanBw188e/T6fh2TXEEBM1OM7M7SzyHdshS+K5vtnKZ1rq3elJi\nmpUYuOkJeSfD0OoJMJYIDNR3yI7lYPTKoVAS/OFbqQRIf+aP66cMxTDEmRF4UVbS\n7+qzv3xowXtS7Hv1Xv4B6qc4jzemhTts61HriRFfSEVp9LU29eCXlAerRlsuIMg4\nCm9ZJkVyHChKydOYIu2/LpyXXywS4z

### Read the second key

In [207]:
vault read keymgmt/key/rsa-2 -format=json | jq

{
  "request_id": "565d5924-33fa-eb95-a4f7-7e6a70285f3c",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "deletion_allowed": false,
    "keys": {
      "1": {
        "creation_time": "2020-12-30T20:03:11.643465+08:00",
        "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1I2qToIaYMMa4Dm2BNk\ndIaBkQLx+T6uBxRdI5VApTASZo/Wh9FMhMwIDu4b0969A8Z20iqcws85KDoiG5VU\njiaUX3cWDc0yeciMqMv7E7l6yxkgkvVQXO9S2NF7i45ORvScTtQKw43mAvXsM9nV\nXiwzK/CktyJdOgkUopVEZuqCpYYtF3lWCIWkiCM+Pe0bjMtevMGLHZeJfWIevdLf\nUBcgnpjBB6ihVztZA4c9H1wnKDiDCB

### Create KMS provider
This corresponds to the Key Vault instance you previously created in Azure (or the KMS in AWS). The provider is registered under `keymgmt/kms/<name>`, and a Vault-managed key is distributed to it by writing `keymgmt/kms/<name>/key/<key-name>`. The key material is generated in Vault and pushed to the provider, so Vault stays the root of trust.



### Rotate key

In [208]:
vault write -f keymgmt/key/rsa-1/rotate

Success! Data written to: keymgmt/key/rsa-1/rotate


In [209]:
vault read -format=json keymgmt/key/rsa-1 | jq '.data.latest_version'

2
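The following script is an added example and is not part of the original notebook. It fills in the "Create KMS provider" step the notebook leaves out and then carries the "Rotate key" step through: it registers an Azure Key Vault as a KMS provider, distributes the Vault-managed key `rsa-1` to it, rotates `rsa-1`, and reads the resulting state. Endpoint paths and parameters follow the keymgmt API (`keymgmt/kms/<name>`, `keymgmt/kms/<name>/key/<key-name>`, `keymgmt/key/<name>/rotate`). The provider name `azure-kv`, the Key Vault name and the service-principal credentials are placeholders (assumptions). With `DRY_RUN=1` (the default) it only prints the commands; `DRY_RUN=0` executes them against `$VAULT_ADDR`.

```shell
#!/bin/sh
# Added example, not from the original notebook: register an Azure Key Vault
# as a keymgmt KMS provider, distribute rsa-1 to it, rotate rsa-1, read it.
# Assumptions: mount is keymgmt/ (as enabled above); "azure-kv", the Key Vault
# name and the credentials are placeholders. DRY_RUN=1 (default) prints only.
set -eu

DRY_RUN="${DRY_RUN:-1}"
MOUNT="${KEYMGMT_MOUNT:-keymgmt}"

# run_vault prints the vault CLI invocation and, unless DRY_RUN=1, executes it.
run_vault() {
  echo "vault $*"
  if [ "$DRY_RUN" != "1" ]; then
    vault "$@"
  fi
}

# create_kms registers an Azure Key Vault instance as a KMS provider.
# Arguments: <kms-name> <keyvault-name>. Credentials are taken from
# AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET. Passing them as
# credentials=... puts the client secret on the command line (shell history,
# `ps`); the engine also reads them from the Vault server's environment,
# which is the better choice outside a demo.
create_kms() {
  kms_name="$1"
  keyvault="$2"
  run_vault write "$MOUNT/kms/$kms_name" \
    provider=azurekeyvault \
    key_collection="$keyvault" \
    credentials=tenant_id="${AZURE_TENANT_ID:-<tenant-id>}" \
    credentials=client_id="${AZURE_CLIENT_ID:-<client-id>}" \
    credentials=client_secret="${AZURE_CLIENT_SECRET:-<client-secret>}"
}

# distribute_key pushes a Vault-managed key to the provider. purpose limits
# what the KMS copy may be used for (encrypt,decrypt here; sign, verify,
# wrap, unwrap are the other values); protection=hsm requests an HSM-backed key.
distribute_key() {
  kms_name="$1"
  key_name="$2"
  run_vault write "$MOUNT/kms/$kms_name/key/$key_name" \
    purpose=encrypt,decrypt \
    protection=hsm
}

# list_distributed shows which keys have been distributed to a provider.
list_distributed() {
  run_vault list "$MOUNT/kms/$1/key"
}

# rotate_key creates a new key version; earlier versions are retained, so a
# later read lists every version under .data.keys.
rotate_key() {
  run_vault write -f "$MOUNT/key/$1/rotate"
}

# read_key returns the key's metadata as JSON (public keys only; private
# material never leaves Vault except through a KMS distribution).
read_key() {
  run_vault read -format=json "$MOUNT/key/$1"
}

main() {
  create_kms azure-kv "${AZURE_KEYVAULT_NAME:-<keyvault-name>}"
  distribute_key azure-kv rsa-1
  list_distributed azure-kv
  rotate_key rsa-1
  read_key rsa-1
}

main
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` and the real `AZURE_*` values exported. Deleting `rsa-1` afterwards will fail until the key is written with `deletion_allowed=true`, which is the default `false` the read output above shows.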


&nbsp;

---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 align="left">