Tuesday, 29 September 2020

Vault seal/unseal

 

When a Vault server is started, it starts in sealed state. In this state, vault doesn’t know how to decrypt the data. If you are in sealed state, almost no operation is possible. To work with vault you need to unseal it first.

 

What is Unsealing?

It is a process of obtaining a plain text master key which is used to read the ‘Encryption Key’ to decrypt the data and allow access to vault.

 

Why this unsealing required?

Data in vault is encrypted before storing. In order to decrypt this data vault needs an ‘Encryption Key’. This ‘Encryption Key’ is also stored with the data (possibly in a keyring file), but encrypted with other encryption key known as ‘Master key’.

 

So to read the data in vault, we need a ‘Master key’ which is used to decrypt the ‘Encryption Key’ and this decrypted ‘Encryption key’ is used to decrypt actual data. Unsealing is a process of getting Master Key.

 

Shamir Secret Sharing Algorithm

Vault uses Sahmir Secret Sharing Algorithm to split the unsealed keys to shares. Some minimum number of these shares are used to form a unsealed key. This unsealed key is used to decrypt the master key.

 

In Shamir Secret Sharing Algorithm used to secure a secret in distributed way. In this algorithm a secret is divided into multiple parts called shares. Each unique shares is divided across multiple participants. These shares are used to reconstruct the original secret.

 

How to unlock a secret?

To unlock a secret, you need minimum number of shares. This minimum number is called the threshold.

 

How the algorithm works?

Divide the secret ‘S’ into ‘n’ pieces {S1, S2…Sn} such that

a.   We can compute the secret ‘S’ with the knowledge of any k or more pieces or shares .

b.   We can’t compute the secret ‘S’ with the knowledge of k-1 or fewer pieces.

 

This algorithm works based on the principle ‘to build a polynomial with the degree (K – 1) such that the constant term is the secret code and the remaining numbers are random and this constant term can be found by using any K points out of N points generated from this polynomial by using Legrange’s Basis Polynomial’.

 

Process looks like below.

a. Create key-shares using certain key-threshold

$vault operator init -key-shares=5 -key-threshold=2
Unseal Key 1: SjtWQ+s+30GmiXfGqz/CWTmVs5or3yCVF8wcYMhJJj/E
Unseal Key 2: zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Unseal Key 3: dHEuNdy6jX6x+OrLMKNO50AilCdHgZCw1o5En9EzoYSx
Unseal Key 4: TuK5YEUmYjpxzHSLsUMPoqnErOCSUBd0ZcCKFtNYv1xm
Unseal Key 5: ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4

Initial Root Token: s.E3BRk50CvwMf7nWA0of9qsQB

b. Unseal Vault by providing minimum 'key-threshold' key shares (Unseal keys) generated in step 1. In this process, valut generate unsealed key using the key shares. Once unsealed key generated, it use this to get Master Key. Once Master key generated, it is used to get 'Encryption Key.'

$vault operator unseal ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          2
Unseal Progress    1/2
Unseal Nonce       04a05ef6-1d8c-971b-dbad-684ab3efdf78
Version            1.4.2
HA Enabled         false

$vault operator unseal zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       2
Version         1.4.2
Cluster Name    vault-cluster-5d1876f0
Cluster ID      86774adb-7768-ac51-d7e2-a7ec1cfde4c4
HA Enabled      false


How long a vault is in unsealed state?

Once a vault is unsealed, it remains in unsealed state until one of the below things occur.

a.   Vault is resealed via the API

b.   The server is restarted.

c.    Vault's storage layer encounters an unrecoverable error.



 

 

Previous                                                    Next                                                    Home

No comments:

Post a Comment