Sunday, 18 October 2020

Vault Initialization, seal and unseal

Step 1: Define the vault.conf file.

vault.conf

storage "inmem" {
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true

 

Step 2: Start the server using the conf file.

vault server -config vault.conf

$vault server -config vault.conf
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.2
             Version Sha: 18f1c494be8b06788c2fdda1a4296eb3c4b174ce+CHANGES

==> Vault server started! Log data will stream in below:

2020-06-02T09:30:20.917+0530 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-06-02T09:30:20.918+0530 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-06-02T09:30:29.809+0530 [INFO]  core: seal configuration missing, not initialized

Alternatively, the server can be started in development mode with the below command (a dev server comes up already initialized and unsealed, so the remaining steps apply to the config-file server above).

vault server -dev

 

Step 3: Open another terminal and export VAULT_ADDR.

 

export VAULT_ADDR='http://127.0.0.1:8200'

 

Step 4: Execute the command ‘vault status’ to check whether Vault is initialized or not.

$vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         false


As you can see in the output, Initialized is set to false and Sealed is set to true.

 

Step 5: Initialize Vault by executing the below command.

vault operator init

$vault operator init
Unseal Key 1: Hazjnt8jQ2ARhPWSJQ+UX7GAsrq5RdqyG/D1cTXa2VMV
Unseal Key 2: h9S3kfH9uPTDZr66NFTuCU6GLW27of0S6TR8Sa9QTw9b
Unseal Key 3: MgGicTA7gFTNQK50IpFmhXYf57sW4iKIYA4hZwYUnoKC
Unseal Key 4: PsTL4klX83KzsWDEdOlGpf2uAXxPsxTuMClf2NnADJwi
Unseal Key 5: FrnmtcOLJrT9+2rQRRKSSiZiWE1VbTn8/o64OGW+drX1

Initial Root Token: s.W7iU3dsR23fNkj8KeChblCaC

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.


As you can see in the output, by default Vault is initialized with 5 key shares and a key threshold of 3. That means at any time we require a minimum of 3 distinct key shares to unseal Vault.

 

The ‘Initial Root Token’ is used to authenticate with Vault.

 

Step 6: Let’s execute the ‘vault status’ command again.

$vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.4.2
HA Enabled         false

 

As you can see in the output, Vault is initialized but it is still in a sealed state.

 

Vault seal and unseal

When a Vault server is started, it starts in a sealed state. In this state, Vault does not know how to decrypt its data, so almost no operation is possible. To work with Vault you need to unseal it first.

 

What is Unsealing?

Unsealing is the process of obtaining the plaintext master key, which is used to read the ‘Encryption Key’ that decrypts the data and allows access to Vault. The master key is held only in memory; it is never written to persistent storage.

 

What is sealing?

When sealed, Vault discards the master key and requires another unseal before operations can be performed. By default, Vault starts in a sealed state. At any time, you can seal Vault using the API, the CLI command or the UI.

 

Once I unseal Vault, why would I seal it again?

a.   If the Shamir key shares are exposed, you can seal Vault to respond to the data breach.

b.   If there is a network attack or malware attack on the Vault node.

 

How to unseal Vault?

There are 3 possible ways to unseal Vault.

a.   Using Shamir key shares (shards)

b.   Unsealing Vault with Auto Unseal (the auto-unseal feature delegates the unsealing process to a Key Management Service such as AWS KMS or GCP KMS.)

c.    Unsealing with Transit Auto Unseal (the Transit seal configures Vault to use Vault's Transit Secrets Engine as the auto-unseal mechanism.)

 

In this post, I am going to show the unsealing process using Shamir key shares.

 

Why is unsealing required?

Data in Vault is encrypted before it is stored. In order to decrypt this data Vault needs an ‘Encryption Key’. This ‘Encryption Key’ is also stored with the data (possibly in a keyring file), but encrypted with another encryption key known as the ‘Master Key’.

 

So to read the data in Vault, we need the ‘Master Key’, which is used to decrypt the ‘Encryption Key’; the decrypted ‘Encryption Key’ is then used to decrypt the actual data. Unsealing is the process of obtaining the Master Key.

 

Shamir Secret Sharing Algorithm

Vault uses the Shamir Secret Sharing Algorithm to split the master key into shares. A minimum number of these shares is required to reconstruct the master key.

 

The Shamir Secret Sharing Algorithm is used to secure a secret in a distributed way. In this algorithm a secret is divided into multiple parts called shares, and each unique share is distributed to a different participant. These shares are later used to reconstruct the original secret.

 

How to unlock a secret?

To unlock a secret, you need a minimum number of shares. This minimum number is called the threshold.

 

How does the algorithm work?

Divide the secret ‘S’ into ‘n’ pieces {S1, S2, …, Sn} such that

a.   the secret ‘S’ can be computed with the knowledge of any k or more pieces (shares);

b.   the secret ‘S’ cannot be computed with the knowledge of k-1 or fewer pieces.

 

The algorithm is based on the following principle: build a polynomial of degree (k – 1) whose constant term is the secret and whose remaining coefficients are random. This constant term can then be recovered from any k of the n points generated from the polynomial, using Lagrange basis polynomials.
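The (k, n) scheme just described, as an added worked example (this is not Vault's own code: Vault splits the master key byte-wise over GF(2^8), while this toy version works on one integer modulo a large prime). The secret is the constant term of a random degree-(k-1) polynomial, and Lagrange interpolation at x = 0 recovers it from any k shares but not from k-1.

```python
"""Toy Shamir secret sharing over a prime field (added example, not Vault's own
code: Vault splits the master key byte-wise over GF(2^8))."""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; all arithmetic is done modulo this value

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x using Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result

def split_secret(secret, n, k):
    """Split an integer secret into n shares (x, y) so that any k reconstruct it.

    The secret is the constant term of a random degree-(k-1) polynomial; each
    share is one point on that polynomial, evaluated at x = 1..n.
    """
    if not 1 < k <= n:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With at least k shares this is the constant term (the secret); with fewer
    shares it is an unrelated field element, so k-1 shares reveal nothing.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME       # basis numerator (0 - x_j)
                den = den * (xi - xj) % PRIME   # basis denominator (x_i - x_j)
        # pow(den, p-2, p) is den^-1 mod p by Fermat's little theorem
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

if __name__ == "__main__":
    # Constructed demo mirroring Vault's default of 5 shares with a threshold of 3.
    master_key = int.from_bytes(secrets.token_bytes(15), "big")
    shares = split_secret(master_key, n=5, k=3)
    assert recover_secret([shares[0], shares[2], shares[4]]) == master_key
    assert recover_secret(shares[:2]) != master_key  # two shares are not enough
    print("master key recovered from any 3 of 5 shares")
```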

 


Unseal Vault using Shamir Key shares or Shards

Step 1: Execute the command ‘vault status’.

$vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.4.2
HA Enabled         false


As you can see in the output, the seal type is ‘shamir’ and the master key is split into 5 shares; we require a minimum of 3 shares to recover the master key.

 

‘Unseal Progress’ is set to 0/3, which means we have not yet provided any key share to unseal Vault.

 

Let’s provide one key share to unseal Vault.

Command to be used:

vault operator unseal {unseal_key_share}

 

You can get ‘unseal_key_share’ from the output of the ‘vault operator init’ command.

 

$vault operator unseal MgGicTA7gFTNQK50IpFmhXYf57sW4iKIYA4hZwYUnoKC
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       d55e228e-0eaa-4cc1-32e9-288f5d851373
Version            1.4.2
HA Enabled         false

 

As you can see, ‘Unseal Progress’ is 1/3, which means one key share has been provided to unseal Vault; 2 more keys need to be supplied.

 

Let’s provide the 2nd key share to unseal.

$vault operator unseal Hazjnt8jQ2ARhPWSJQ+UX7GAsrq5RdqyG/D1cTXa2VMV
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       d55e228e-0eaa-4cc1-32e9-288f5d851373
Version            1.4.2
HA Enabled         false

Let’s provide the 3rd key share to unseal.

$vault operator unseal FrnmtcOLJrT9+2rQRRKSSiZiWE1VbTn8/o64OGW+drX1
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.4.2
Cluster Name    vault-cluster-dc5259cb
Cluster ID      f4e684ba-1ce4-4376-5327-e97035a73786
HA Enabled      false


As you can see in the output, ‘Sealed’ is set to false, which means Vault is unsealed and ready to use.

 

Note

a. You can explicitly specify the number of key shares and the key threshold.

vault operator init -key-shares=5 -key-threshold=2

 

That’s it, you are done for the day!!!!!
