
vault: add support for transit-encrypted K/V #404

Merged
merged 3 commits into from
Oct 24, 2023

Conversation

aead
Member

@aead aead commented Oct 23, 2023

This commit adds support for encrypting K/V entries with a specific transit engine key.

Transit Engine

The transit engine is Hashicorp Vault's en/decryption engine. Among other things, it allows sending a plaintext to an encrypt API endpoint and receiving a ciphertext, and vice versa.
Ref: https://developer.hashicorp.com/vault/api-docs/secret/transit

Now, users can specify a transit key name in the KES config file. KES will use this key to en/decrypt its key values before storing them on the K/V backend.
However, this does not, in general, improve security, since Vault encrypts all data stored on the K/V engine with internally managed keys. Users may specify a transit key if they want/have to control which key is used to encrypt the K/V data.

@aead aead requested review from cniackz and shtripat October 23, 2023 14:06
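Worked example of the flow the description above lays out, added here as an illustration; it is not code from the KES project or from this PR. The client follows the request and response shapes of Vault's documented transit encrypt/decrypt endpoints (base64 plaintext in, a `vault:v<N>:...` ciphertext out, token passed in `X-Vault-Token`). The K/V backend is a plain map, and the transit engine itself is a constructed in-process fake (AES-GCM under a throwaway key) so the example runs offline; the key name `kes-kv` and the token are made-up values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Transit is a minimal client for Vault's transit engine. Per the documented API,
// plaintext is sent base64-encoded and ciphertext comes back as "vault:v<N>:<base64>".
type Transit struct {
	Addr, Token, KeyName string
}

// call POSTs {inField: value} to /v1/transit/<op>/<key> and returns data.<outField>.
func (t *Transit) call(op, inField, outField, value string) (string, error) {
	body, _ := json.Marshal(map[string]string{inField: value})
	req, _ := http.NewRequest(http.MethodPost, t.Addr+"/v1/transit/"+op+"/"+t.KeyName, strings.NewReader(string(body)))
	req.Header.Set("X-Vault-Token", t.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault: transit/%s: %s", op, resp.Status)
	}
	var out struct{ Data map[string]string }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data[outField], err
}

func (t *Transit) Encrypt(plaintext []byte) (string, error) {
	return t.call("encrypt", "plaintext", "ciphertext", base64.StdEncoding.EncodeToString(plaintext))
}

func (t *Transit) Decrypt(ciphertext string) ([]byte, error) {
	b64, err := t.call("decrypt", "ciphertext", "plaintext", ciphertext)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(b64)
}

// StoreAndLoad mirrors the flow the PR describes: the key value is wrapped via transit
// before it is written to the K/V backend (a map here) and unwrapped after it is read.
// It returns what the backend actually holds together with the recovered value.
func StoreAndLoad(name string, value []byte) (string, []byte, error) {
	srv := fakeTransit("kes-kv", "constructed-token") // constructed key name and token
	defer srv.Close()
	t := &Transit{Addr: srv.URL, Token: "constructed-token", KeyName: "kes-kv"}
	backend := map[string]string{} // stands in for Vault's K/V engine
	ct, err := t.Encrypt(value)
	if err != nil {
		return "", nil, err
	}
	backend[name] = ct // only transit ciphertext ever reaches the backend
	pt, err := t.Decrypt(backend[name])
	return backend[name], pt, err
}

// fakeTransit is a constructed in-process stand-in for the transit engine so the example
// runs offline. It is not Vault's code; it only mimics the two endpoint shapes (token
// header checked, AES-GCM under a throwaway key, "vault:v1:" ciphertext prefix).
func fakeTransit(keyName, token string) *httptest.Server {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		if r.Header.Get("X-Vault-Token") != token || json.NewDecoder(r.Body).Decode(&in) != nil {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		field, out := "plaintext", ""
		if r.URL.Path == "/v1/transit/encrypt/"+keyName {
			pt, _ := base64.StdEncoding.DecodeString(in["plaintext"])
			nonce := make([]byte, gcm.NonceSize())
			rand.Read(nonce)
			field, out = "ciphertext", "vault:v1:"+base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, pt, nil))
		} else { // anything else is treated as /v1/transit/decrypt/<key>
			raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(in["ciphertext"], "vault:v1:"))
			if err != nil || len(raw) < gcm.NonceSize() { http.Error(w, "bad ciphertext", http.StatusBadRequest); return }
			pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
			if err != nil { http.Error(w, "decryption failed", http.StatusBadRequest); return } // tampered or other key
			out = base64.StdEncoding.EncodeToString(pt)
		}
		json.NewEncoder(w).Encode(map[string]any{"data": map[string]string{field: out}})
	}))
}
```

The point worth checking in a deployment is the one `StoreAndLoad` makes visible: what lands in the K/V backend is a `vault:vN:` string and never the key material, and transit refuses to hand plaintext back for a tampered ciphertext or a request without a valid token. As the description says, Vault already encrypts K/V data at rest with its own keys, so the gain here is control over which key wraps the entries; the `vN` prefix is what lets Vault keep decrypting older entries after that transit key is rotated.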
This commit adds support for encrypting K/V entries with a
specific transit engine key.

**Transit Engine**

The transit engine is Hashicorp Vault's en/decryption engine.
Among other things, it allows sending a plaintext to an encrypt API
endpoint and receiving a ciphertext, and vice versa.
Ref: https://developer.hashicorp.com/vault/api-docs/secret/transit

Now, users can specify a transit key name in the KES config
file. KES will use this key to en/decrypt its key values
before storing them on the K/V backend.
However, this does not, in general, improve security, since
Vault encrypts all data stored on the K/V engine with internally
managed keys. Users may specify a transit key if they want/have to
control which key is used to encrypt the K/V data.

Signed-off-by: Andreas Auernhammer <[email protected]>
aead added 2 commits October 23, 2023 17:33
Signed-off-by: Andreas Auernhammer <[email protected]>
@aead aead requested a review from shtripat October 23, 2023 15:54
@aead aead self-assigned this Oct 23, 2023
Contributor

@shtripat shtripat left a comment


lgtm

@aead aead merged commit 0244caf into master Oct 24, 2023
9 checks passed
@aead aead deleted the vault-transit branch October 24, 2023 07:35