search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
30.03k stars 4.12k forks source link

Different key shares to unseal and to generate root. #13129

Closed Djaler closed 2 years ago

Djaler commented 2 years ago

Is your feature request related to a problem? Please describe. We want to share keys between quorum of people and on some servers. Scripts on this servers will automatically unseal vault after restart. But this key parts still can be used to generate root. We need a way to restrict so only people's keys can be used to generate root token.

Describe the solution you'd like Add additional command to generate key parts that can only be used to unseal vault.

hsimon-hashicorp commented 2 years ago

Are you using Shamir, or AutoUnseal? Can you provide more details about your use case? Thanks!

Djaler commented 2 years ago

We are using shamir, because we have vault installed on virtual server, without any cloud infrasturcture

maxb commented 2 years ago

I think it might be impossible to securely implement this request - here's why:

A quorum of unseal keys allows Vault to reconstruct the master key so the Vault program itself can read the encrypted secrets on disk. This is something that's actually enforced by the properties of the Shamir's Secret Sharing cryptographic algorithm, not just the Vault program.

No matter what you do, there's no getting away from the fact that unseal keys need to allow Vault to decrypt its own data - and so any hypothetical "unseal-only" keys must allow this. And if they allow this, there's no cryptographic protection against a malicious attacker building their own version of the Vault program which pretends that "unseal-only" keys are "root-token-capable" keys.

Ultimately, if you possess a quorum of unseal keys, you can decrypt your Vault. I've always assumed that this is why a quorum of unseal keys are allowed to create a root token - because they already possess the cryptographic secrets to allow reading the secrets out of the raw data in the storage backend, so permitting the generation of a root token is not any further compromise of security.

hsimon-hashicorp commented 2 years ago

@maxb Sincere thanks for explaining it so well. I'm going to go ahead and close this request now, but please let me know if you need resources to help with managing seal/unseal and "Secret Zero". There's a bunch of great resources - our own Rob Barnes and Rosemary Wang have done some extensive tutorials around exactly this kind of scenario. Thanks again!