hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault- Encrypt/decrypt with transit backend #1422

Closed Niks-JJ closed 8 years ago

Niks-JJ commented 8 years ago

Referring to the documentation from HashiCorp:

"By default, Vault uses a technique known as Shamir's secret sharing algorithm to split the master key into 5 shares, any 3 of which are required to reconstruct the master key. The master key is used to protect the encryption key, which is ultimately used to protect data written to the storage backend."

Question. Setup:

Datacenter 1: My Application -------> Vault 1 for encrypt/decrypt

Datacenter 2: My Application -------> Vault 2 for encrypt/decrypt

Backend: file system; Transit backend for encrypt/decrypt

When DC1 goes down, DC2 comes up and the application should be able to decrypt data encrypted by Vault 1 at DC1. Assumptions:

1) All encryption keys created in Vault 1 are also created in Vault 2 using the HTTP endpoint, e.g. http://127.0.0.1:8200/v1/transit/encrypt/demo1

2) The application's data storage gives access to all encrypted data in DC2, as the Transit backend does not store data, it just encrypts in transit.

A child token is used to authenticate encrypt/decrypt, i.e. X-Vault-Token is a child token.

Questions: 1) Master keys will obviously be different in the two instances of Vault. X-Vault-Token, as I understand, will also be different in Vault 1 and Vault 2.

Is it true that all encrypted data in DC1 can be decrypted in DC2 and its value will remain the same?

Usually in cryptography, if the cipher keys are the same, decryption should give the same result. But I have a doubt here because of the role of the master key and X-Vault-Token.

Can someone please reply?

Thanks
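Added example (an editor's illustration, not code from this thread or from Vault itself): a small Go model of two Transit mounts that makes the question concrete. The only thing that decides whether Vault 2 can decrypt is the key material behind the name `demo1`. The master key wraps Vault's own storage and the token authorises the API call; neither enters the ciphertext. Creating `demo1` independently on each instance (`POST /v1/transit/keys/demo1` on each) generates fresh random material on each, so the names match but the keys do not, and the GCM tag check on Vault 2 rejects Vault 1's ciphertext; once Vault 2 holds the same 32 bytes, the ciphertext decrypts to the same value. The `vaultInstance` type, its methods and `FailoverScenario` are assumptions of this model: Vault's default aes256-gcm96 key type and its `vault:v1:<base64(nonce||ciphertext)>` layout are mirrored, key rotation, policies and the real HTTP API are not, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// vaultInstance models one Vault server's Transit mount as named keys mapped to
// 32-byte AES-256-GCM material (assumption: only key version 1, no rotation).
// The master key and X-Vault-Token are absent on purpose: neither is a cipher input.
type vaultInstance struct {
	name string
	keys map[string][]byte
}

// CreateKey stands in for POST /v1/transit/keys/<name>: fresh random material.
func (v *vaultInstance) CreateKey(name string) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable here
	}
	v.keys[name] = k
}

func (v *vaultInstance) aead(name string) (cipher.AEAD, error) {
	k, ok := v.keys[name]
	if !ok {
		return nil, fmt.Errorf("%s: no key %q", v.name, name)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt stands in for POST /v1/transit/encrypt/<name>, using Transit's layout.
func (v *vaultInstance) Encrypt(name string, plaintext []byte) (string, error) {
	aead, err := v.aead(name)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends to its first argument, so the nonce ends up prepended.
	return "vault:v1:" + base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, plaintext, nil)), nil
}

// Decrypt stands in for POST /v1/transit/decrypt/<name>. Nothing in the ciphertext
// names an instance; a non-matching key fails the GCM tag check instead of yielding garbage.
func (v *vaultInstance) Decrypt(name, ciphertext string) ([]byte, error) {
	b64 := strings.TrimPrefix(ciphertext, "vault:v1:")
	if b64 == ciphertext {
		return nil, fmt.Errorf("%s: malformed or unsupported ciphertext", v.name)
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	aead, err := v.aead(name)
	if err != nil || len(raw) < aead.NonceSize() {
		return nil, fmt.Errorf("%s: unknown key or ciphertext too short", v.name)
	}
	ns := aead.NonceSize()
	return aead.Open(nil, raw[:ns], raw[ns:], nil)
}

// FailoverScenario runs the DC1 -> DC2 case from the question: can vault2 decrypt
// vault1's ciphertext (a) with an independently created "demo1" and (b) once it
// holds the same key material (copied directly here; how to share it is out of scope).
func FailoverScenario() (independentKeyWorks, sharedKeyWorks bool, err error) {
	record := []byte("card=4111-1111-1111-1111") // constructed sample plaintext
	dc1 := &vaultInstance{"vault1", map[string][]byte{}}
	dc2 := &vaultInstance{"vault2", map[string][]byte{}}
	dc1.CreateKey("demo1")
	dc2.CreateKey("demo1") // same name, unrelated key
	ct, err := dc1.Encrypt("demo1", record)
	if err != nil {
		return
	}
	_, derr := dc2.Decrypt("demo1", ct)
	independentKeyWorks = derr == nil
	dc2.keys["demo1"] = dc1.keys["demo1"] // now both hold identical material
	pt, derr := dc2.Decrypt("demo1", ct)
	sharedKeyWorks = derr == nil && string(pt) == string(record)
	return
}

func main() {
	indep, shared, err := FailoverScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("own demo1 decrypts: %v; vault1's key material decrypts: %v\n", indep, shared)
}
```

Run it with `go run`: the first flag comes out `false` (independently created key), the second `true` (shared material). The practical check this encodes: before relying on DC2 for failover, verify that its `demo1` actually carries DC1's key material rather than having been created fresh, otherwise the failover produces decrypt errors rather than the original plaintext.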

jefferai commented 8 years ago

Hi @Niks-JJ ,

Can you please post questions on the mailing list (https://groups.google.com/forum/m/#!forum/vault-tool) rather than in GitHub issues? This gets a lot more eyes on any particular question or idea.

It also prevents problematic issue workflows for questions where either the issue is closed immediately but then discussion continues on a closed issue; or, the issue is not closed, discussion dies down, and the issue remains open indefinitely waiting for further potential replies.

Thanks!

Niks-JJ commented 8 years ago

Sure. Thanks.