Where Do I Get Unseal Key for Vault
»Seal/Unseal
When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it.
Unsealing is the process of obtaining the plaintext master key necessary to read the decryption key that decrypts the data, allowing access to the Vault.
Prior to unsealing, almost no operations are possible with Vault. For example, authentication, managing the mount tables, etc. are all not possible. The only possible operations are to unseal the Vault and check the status of the seal.
»Why?
The data stored by Vault is encrypted. Vault needs the encryption key in order to decrypt the data. The encryption key is also stored with the data (in the keyring), but encrypted with another encryption key known as the master key.
Therefore, to decrypt the data, Vault must decrypt the encryption key, which requires the master key. Unsealing is the process of getting access to this master key. The master key is stored alongside all other Vault data, but is encrypted by yet another mechanism: the unseal key.
To recap: most Vault data is encrypted using the encryption key in the keyring; the keyring is encrypted by the master key; and the master key is encrypted by the unseal key.
»Shamir seals
The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards. A certain threshold of shards is required to reconstruct the unseal key, which is then used to decrypt the master key.
This is the unseal process: the shards are added one at a time (in any order) until enough shards are present to reconstruct the key and decrypt the master key.
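The key hierarchy and Shamir unseal described above, as an added Python model that is not Vault's own code: the keyring entry is encrypted under the master key, the master key is split 3-of-5 with Shamir's scheme, and unseal succeeds only once a threshold of shards (in any order) is supplied. It collapses the page's separate unseal-key layer (the shards here rebuild the master key directly); the prime field, the SHA-256 keystream standing in for Vault's AES-GCM, and every key value are constructed for this example.

```python
import hashlib
import secrets

# Shamir arithmetic is done in the field mod the Mersenne prime 2**521 - 1,
# which comfortably holds a 32-byte key as an integer (a choice for this example).
PRIME = 2**521 - 1

def split_secret(secret: bytes, shares: int, threshold: int) -> list[tuple[int, int]]:
    """Split secret into `shares` shards so that any `threshold` of them rebuild it."""
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def poly(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [(x, poly(x)) for x in range(1, shares + 1)]

def combine_shares(shards: list[tuple[int, int]], length: int = 32) -> bytes:
    """Lagrange-interpolate at x=0 in any shard order; too few shards give garbage, not an error."""
    total = 0
    for j, (xj, yj) in enumerate(shards):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shards):
            if m != j:
                num = num * xm % PRIME
                den = den * (xm - xj) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(66, "big")[-length:]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative keyed stream (SHA-256 counter mode) standing in for the
    AES-GCM of Vault's real barrier; XOR makes encrypt and decrypt the same call."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def unseal(shards: list[tuple[int, int]], encrypted_keyring: bytes) -> bytes:
    """Rebuild the master key from the supplied shards and open the keyring with it."""
    return keystream_xor(combine_shares(shards), encrypted_keyring)

# Constructed demo state: the keyring entry DATA_KEY is encrypted under MASTER_KEY,
# and MASTER_KEY is split 3-of-5 among operators, as with a default Shamir seal.
DATA_KEY = secrets.token_bytes(32)
MASTER_KEY = secrets.token_bytes(32)
ENCRYPTED_KEYRING = keystream_xor(MASTER_KEY, DATA_KEY)
SHARDS = split_secret(MASTER_KEY, shares=5, threshold=3)

if __name__ == "__main__":
    print(unseal(SHARDS[2:], ENCRYPTED_KEYRING) == DATA_KEY)  # True: any 3 shards unseal
    print(unseal(SHARDS[:2], ENCRYPTED_KEYRING) == DATA_KEY)  # False: 2 shards are short
```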
»Unsealing
The unseal process is done by running vault operator unseal or via the API. This process is stateful: each key can be entered via multiple mechanisms on multiple computers and it will work. This allows each shard of the master key to be on a distinct machine for better security.
Once a Vault node is unsealed, it remains unsealed until one of these things happens:
- It is resealed via the API (see below).
- The server is restarted.
- Vault's storage layer encounters an unrecoverable error.
Note: Unsealing makes the process of automating a Vault install difficult. Automated tools can easily install, configure, and start Vault, but unsealing it using Shamir is a very manual process. For most users Auto Unseal will provide a better experience.
»Sealing
There is also an API to seal the Vault. This will throw away the master key in memory and require another unseal process to restore it. Sealing only requires a single operator with root privileges.
This way, if there is a detected intrusion, the Vault data can be locked quickly to try to minimize damage. It can't be accessed again without access to the master key shards.
»Auto Unseal
Auto Unseal was developed to aid in reducing the operational complexity of keeping the unseal key secure. This feature delegates the responsibility of securing the unseal key from users to a trusted device or service. At startup Vault will connect to the device or service implementing the seal and ask it to decrypt the master key Vault read from storage.
There are certain operations in Vault besides unsealing that require a quorum of users to perform, e.g. generating a root token. When using a Shamir seal the unseal keys must be provided to authorize these operations. When using Auto Unseal these operations require recovery keys instead.
Just as the initialization process with a Shamir seal yields unseal keys, initializing with an Auto Unseal yields recovery keys.
Note: Recovery keys cannot decrypt the master key, and thus are not sufficient to unseal Vault if the Auto Unseal mechanism isn't working. They are purely an authorization mechanism.
It is still possible to seal a Vault node using the API. In that case Vault will remain sealed until restarted, or the unseal API is used, which with Auto Unseal requires the recovery key fragments instead of the unseal key fragments that would be provided with Shamir. The process remains the same.
For a list of examples and supported providers, please see the seal documentation.
»Recovery Key Rekeying
Recovery keys can be rekeyed to change the number of shares or the threshold. When using the Vault CLI, this is performed by passing the -target=recovery flag to vault operator rekey.
»Seal Migration
The seal migration process cannot be performed without downtime, and due to the technical underpinnings of the seal implementations, the process requires that you briefly take the whole cluster down. While experiencing some downtime may be unavoidable, we believe that switching seals is a rare event and that the inconvenience of the downtime is an acceptable trade-off.
NOTE: A backup should be taken before starting seal migration in case something goes wrong.
NOTE: The seal migration operation will require both old and new seals to be available during the migration. For example, migration from Auto Unseal to Shamir seal will require that the service backing the Auto Unseal is accessible during the migration.
NOTE: Seal migration from Auto Unseal to Auto Unseal of the same type (e.g. AWSKMS to AWSKMS with a different key) is supported since Vault 1.6.0. Seal migration from one Auto Unseal type (AWS KMS) to a different Auto Unseal type (HSM, Azure KMS, etc.) is also supported on older versions.
»Migration post Vault 1.5.1
These steps are common for seal migrations between any supported kinds and for any storage backend.
1. Take a standby node down and update the seal configuration.
   - If the migration is from Shamir seal to Auto seal, add the desired new Auto seal block to the configuration.
   - If the migration is from Auto seal to Shamir seal, add disabled = "true" to the old seal block.
   - If the migration is from Auto seal to another Auto seal, add disabled = "true" to the old seal block and add the desired new Auto seal block.
   Now, bring the standby node back up and run the unseal command on each key, supplying the -migrate flag.
   - Supply Shamir unseal keys if the old seal was Shamir; they will be migrated as the recovery keys for the Auto seal.
   - Supply recovery keys if the old seal is one of the Auto seals; they will be migrated as the recovery keys of the new Auto seal, or as Shamir unseal keys if the new seal is Shamir.
2. Perform step 1 for all the standby nodes, one at a time. It is necessary to bring back the downed standby node before moving on to the other standby nodes, specifically when Integrated Storage is in use, as this helps to retain the quorum.
3. Step down the active node. One of the standby nodes will become the new active node. When using Integrated Storage, ensure that quorum is reached and a leader is elected.
4. The new active node will perform the migration. Monitor the server log on the active node to witness the completion of the seal migration process. Wait a little while for the migration information to replicate to all the nodes in the case of Integrated Storage. In Vault Enterprise, switching an Auto seal implies that the seal-wrapped storage entries get re-wrapped. Monitor the log and wait until this process is complete (look for "seal re-wrap completed").
5. Seal migration is now complete. Take down the old active node, update its configuration to use the new seal blocks (completely unaware of the old seal type) and bring it back up. It will be auto-unsealed if the new seal is one of the Auto seals, or will require unseal keys if the new seal is Shamir.
6. At this point, the configuration files of all the nodes can be updated to only have the new seal information. Standby nodes can be restarted right away and the active node can be restarted upon a leadership change.
»Migration pre 1.5.1
»Migration From Shamir to Auto Unseal
To migrate from Shamir keys to Auto Unseal, take your server cluster offline and update the seal configuration with the appropriate seal configuration. Bring your server back up and leave the rest of the nodes offline if using multi-server mode, then run the unseal process with the -migrate flag and bring the rest of the cluster online.
All unseal commands must specify the -migrate flag. Once the required threshold of unseal keys is entered, the unseal keys will be migrated to recovery keys.
$ vault operator unseal -migrate
»Migration From Auto Unseal to Shamir
To migrate from Auto Unseal to Shamir keys, take your server cluster offline, update the seal configuration and add disabled = "true" to the seal block. This allows the migration to use this information to decrypt the key but will not unseal Vault. When you bring your server back up, run the unseal process with the -migrate flag and use the Recovery Keys to perform the migration. All unseal commands must specify the -migrate flag. Once the required threshold of recovery keys is entered, the recovery keys will be migrated to be used as unseal keys.
»Migration From Auto Unseal to Auto Unseal
NOTE: Migration between the same Auto Unseal types is supported in Vault 1.6.0 and higher. For these pre-1.5.1 steps, it is only possible to migrate from one type of Auto Unseal to a different type (i.e. Transit -> AWSKMS).
To migrate from Auto Unseal to a different Auto Unseal configuration, take your server cluster offline, update the existing seal configuration and add disabled = "true" to the seal block. Then add another seal block to describe the new seal.
When you bring your server back up, run the unseal process with the -migrate flag and use the Recovery Keys to perform the migration. All unseal commands must specify the -migrate flag. Once the required threshold of recovery keys is entered, the recovery keys will be kept and used as recovery keys in the new seal.
»Migration with Integrated Storage
Integrated Storage uses the Raft protocol underneath, which requires a quorum of servers to be online before the cluster is operational. Therefore, bringing the cluster back up one node at a time with the seal configuration updated will not work in this case. Follow the same steps for each kind of migration described above, with the exception that after the cluster is taken offline, you update the seal configurations of all the nodes appropriately and bring them all back up. When the quorum of nodes is back up, Raft will elect a leader and the leader node will perform the migration. The migrated information will be replicated to all other cluster peers, and when a peer eventually becomes the leader, the migration will not happen again on that peer node.
Source: https://www.vaultproject.io/docs/concepts/seal