hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Document how to use the ECDH encryption functions of vault agent #5217

Open arianvp opened 5 years ago

arianvp commented 5 years ago

The documentation mentions tokens retrieved by the vault agent can be written encrypted to disk using an ECDH scheme to derive an AES-GCM session key. https://www.vaultproject.io/docs/agent/autoauth/index.html#dh_type

However, some important things seem to be missing from the docs, which are hard to figure out by trial and error:

jefferai commented 5 years ago

I need to get to this eventually, but for the moment, look at the two structs at https://godoc.org/github.com/hashicorp/vault/helper/dhutil#Envelope

jefferai commented 5 years ago

Note that that library is internal to Vault, so its interfaces may change. I don't expect the data structures to change but they may. This is sort of advanced usage and is in early days for it.
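
For readers who want to see the shape of such a scheme, here is an added sketch of the reader side of an ECDH to AES-GCM envelope. It is not Vault's code and is not taken from the linked dhutil package: X25519 is an assumed curve, `Envelope`, `NewKey`, `SessionAEAD` and `Open` are hypothetical names, and it needs Go 1.20+ for `crypto/ecdh`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"errors"
)

// Envelope is a hypothetical layout for this example, not Vault's own struct.
type Envelope struct{ PublicKey, Nonce, Ciphertext []byte }

// NewKey makes an X25519 key pair; only PublicKey().Bytes() is handed out.
func NewKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// SessionAEAD keys AES-256-GCM with the raw X25519 output (a simplification:
// running the shared secret through a KDF first is the usual hardening).
func SessionAEAD(priv *ecdh.PrivateKey, peer []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer) // rejects wrong-length keys
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub) // fails on an all-zero result (low-order peer key)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Open is the reader side: rebuild the session key from the writer's public
// key in the envelope, then authenticate and decrypt the payload.
func Open(reader *ecdh.PrivateKey, e Envelope, aad []byte) ([]byte, error) {
	g, err := SessionAEAD(reader, e.PublicKey)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != g.NonceSize() { // GCM Open panics on a wrong-size nonce
		return nil, errors.New("envelope: bad nonce length")
	}
	return g.Open(nil, e.Nonce, e.Ciphertext, aad)
}
```

The writer side mirrors this: call `SessionAEAD` with the writer's private key and the reader's public key, then `Seal` the token under a fresh random nonce and store the writer's public key beside it.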

vishalnayak commented 3 years ago

Issues that are not reproducible and/or have not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. If a feature request is being closed, it means that it is not on the product roadmap. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them.

Please refer to our contributing guidelines for details on issue lifecycle.

hsimon-hashicorp commented 4 months ago

Pinging @schavis with docs help!