search

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/
Other
31.26k stars 4.23k forks source link

Unseal Vault using Android, or Iphone - Vault App #28073

Open ji-podhead opened 3 months ago

ji-podhead commented 3 months ago

Hi,

I currently have a non-HA Vault on my main machine, as I'm just building the automation of my infrastructure to make it HA. By that said, it sometimes distracts me, having the routine of getting the keys, starting the server, looking for my config, and unsealing. So, I asked myself: Why can't I just use my phone to decrypt the keys on the phone using the fingerprint (biometric authentication) as a security measure, in addition to 2FA (since you're using mobile anyway), and then make an API call from mobile to unseal the Vault?

so we have:

so you have to store your unseal keys somewhere, why not on your phone, but encrypted

cwchristerw commented 2 months ago

I would say that it would be easier and simpler to implement FIDO2 Passkeys instead of creating separate mobile app. I'm not sure if its possible to combine Shamir secrets and FIDO2 Passkeys or would it be different seal type completely. This could probably be implemented in both CLI and UI.

ji-podhead commented 2 months ago

I would say that it would be easier and simpler to implement FIDO2 Passkeys instead of creating separate mobile app.

Yes possible, but this requires an additional device as well right? For my zero trust access (teleport) I also just use 2fa via mobile. I mean sure the USB authentication is cool, but I think android can also be very secure and I don't have a ubikey at hand. So easier is relative I guess 😉. Ubikey is preventing phishing, but an android app that is not bound to email is also quite effective I guess. in the end both make use of 2fa.

cwchristerw commented 2 months ago

Android and iOS supports FIDO2 Passkeys. You could use Google Passwords in Android as your passkey, I'm using Bitwarden as my passkey provider in my Android phone. I could also use Yubikey. This would only require implementing a way to use FIDO2 Passkey in unseal process and way to add passkeys.

Alternatively: You could probably create custom code that will interact with FIDO2 Passkey and will exchange it to your unseal key in the backend. This could be done without changes to Vault itself. This would require you to add custom endpoint to reverse proxy /unsealer and it would ask you to authenticate with FIDO2 Passkey. Then when you successfully authenticated to your custom script, it would decrypt unseal key and send it to Vault via Vault API. This would require you to design encryption and decryption workflow in your script, so it would only decrypt when your passkey is valid. You would have to decide what information you would use about your security key to encrypt and decrypt unseal key.

Example https://vault.example.com/unsealer

ji-podhead commented 2 months ago

Android and iOS supports FIDO2 Passkeys. You ...

Yes very cool idea! making ubikey align with android seems to be the best solution there