hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Initialize vault with user provided keys #4805

Closed raoofm closed 6 years ago

raoofm commented 6 years ago

Is your feature request related to a problem? Please describe.

I was wondering why there is no option to provide your own keys to initialize vault. It helps in simplifying the task of distributing keys and auto unseal multiple clusters containing replicated data. Also to switch over if a data store is unavailable.

Describe the solution you'd like

An option to provide a set of keys, similar to the way we provide PGP for vault init.

khicks commented 6 years ago

Vault derives its key shares with Shamir's Secret Sharing algorithm. They aren't sets of random bytes, but instead can be used in parts to reconstruct a single master key. If you wanted to provide your own keys, they would have to be generated in this way.

To each their own, but I would recommend against using the same set of keys for multiple Vault instances, as it increases the operational burden of rekeying your vaults. If you absolutely must have the same set of keys, though, I think you could initialize a single empty storage backend, then copy the whole thing for use with other instances.

jefferai commented 6 years ago

It's not possible -- as @rotorcowboy said, we derive unseal keys using Shamir's Secret Sharing against a master key -- and it's pretty against the whole security model of Vault to specify your own master key, so we don't plan to support it.
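
Added example, not part of the thread and not Vault's code: a minimal Shamir split/combine in Go illustrating the point made in the replies above, that key shares are points on a random polynomial whose constant term is the master key, so any threshold-sized subset rebuilds it while an arbitrary user-chosen value does not. It works over a prime field for brevity; `P`, `Share`, `Split` and `Combine` are hypothetical names, and the secret must be in the range [0, P).

```go
package main
import (
	"crypto/rand"
	"fmt"
	"math/big"
)

var P = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1)) // prime 2^521-1 (example choice, not Vault's)
type Share struct{ X, Y *big.Int }                                            // one point (X, Y) on the polynomial

// Split hides secret as f(0) of a random degree k-1 polynomial and returns f(1..n).
func Split(secret *big.Int, n, k int) []Share {
	coef := []*big.Int{secret}
	for len(coef) < k {
		c, err := rand.Int(rand.Reader, P)
		if err != nil {
			panic(err)
		}
		coef = append(coef, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for d := k - 1; d >= 0; d-- { // Horner: y = y*x + coef[d] mod P
			y.Mod(y.Add(y.Mul(y, x), coef[d]), P)
		}
		shares[i] = Share{x, y}
	}
	return shares
}

// Combine recovers f(0) by Lagrange interpolation; shares must have distinct X.
func Combine(shares []Share) *big.Int {
	sum := new(big.Int)
	for i, si := range shares {
		l := big.NewInt(1)
		for m, sm := range shares {
			if m != i { // l *= x_m / (x_m - x_i) mod P
				d := new(big.Int).Sub(sm.X, si.X)
				l.Mul(l, sm.X).Mul(l, d.ModInverse(d.Mod(d, P), P)).Mod(l, P)
			}
		}
		sum.Add(sum, l.Mul(l, si.Y)).Mod(sum, P)
	}
	return sum
}

func main() {
	fmt.Println(Combine(Split(big.NewInt(424242), 5, 3)[2:])) // constructed demo secret
}
```

Replacing one share's `Y` with a value that was not produced by `Split` changes the interpolated result, which is why a set of independently chosen keys cannot stand in for generated shares.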