Automatic encryption key rotation and generation


Lloyd Cabancla

Jul 8, 2015, 6:53:27 AM
to vault...@googlegroups.com
Hi,

I am currently looking for an encryption key management system to be used in one of our projects.
The requirement is for it to automatically generate encryption keys (based on a particular algorithm), store them securely and rotate them after some time (similar to Amazon KMS).
The keys should be accessible via https.  
I have come across Vault and found it very interesting. 


According to the above article:

"Vault dynamically generates secrets as they are requested, leases them for a period of time, and then can automatically renew access with a new key"

In our case, the secrets are encryption keys and we would like to automatically generate and replace these keys regularly (the client should just read and get the new key)
After looking at the documentation it seems that this type of secret generation and rotation is not supported as new keys have to be written after the lease expires.

Can you please confirm?

Thanks,
Lloyd

Armon Dadgar

Jul 9, 2015, 7:04:11 PM
to vault...@googlegroups.com, Lloyd Cabancla
Hey Lloyd,

This is one of the use cases for Vault, and also happens to be something we use it for
extensively at HashiCorp. We’ve talked about how we use it on our blog:

There are more docs available on the `transit` backend which powers this on

Basically that backend allows Vault to operate like an HSM. It stores and
manages named encryption keys, and allows clients to perform cryptographic
operations on them without knowing the key directly.

It sounds like this is the use case you are trying to solve, so I hope that helps!

Best Regards,
Armon Dadgar
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9a3c549d-27e4-4513-b04a-86a49ba2c261%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Lloyd Cabancla

Jul 10, 2015, 6:04:32 AM
to Armon Dadgar, vault...@googlegroups.com
Resending my reply via Google Groups.

Hi Armon,

Thanks for your reply.
Indeed the transit backend fulfils our requirements, except one - automatic key rotation.
My understanding is that it does not support automatic encryption key rotation right now. 

Is this correct?

Thanks,
Lloyd

Lloyd Cabancla

Jul 10, 2015, 1:42:21 PM
to vault...@googlegroups.com, armon....@gmail.com
Updating question list:

1. My understanding is that the transit backend does not support automatic encryption key rotation right now. Is this correct?
2. If automatic encryption key rotation is not supported, is there a way to replace the value of an existing key in the transit backend in a single operation? I see that a key can be deleted then recreated but a single operation would be preferable to reduce the key 'downtime'.

Thanks.

Armon Dadgar

Jul 10, 2015, 1:56:06 PM
to Lloyd Cabancla, vault...@googlegroups.com
Hey Lloyd,

The goal is actually to support a new endpoint like “transit/rotate/my-key” which just installs a new encryption key.
The way we do it today, the plaintext that is returned prefixes the key term that was used, so that you can do rotation
online and without losing the ability to decrypt data decrypted by previous keys.

This isn’t quite automatic, but that could be an incremental improvement as well, to simply invoke “rotate” on a
schedule like every 30 days.

All of these fit as future enhancements to transit which is the good news!
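The transit model Armon describes in both of his replies (named keys the client never sees, plus rotation where the ciphertext carries the key version so data encrypted under earlier versions still decrypts), as an added Go example that is not Vault's own code. The `Keyring` type, method names and the `vault:v<N>:` prefix layout are this example's assumptions, not Vault's internals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Keyring models one named transit key as a list of AES-256-GCM key versions;
// versions[i] is key version i+1. Illustrative model, not Vault's own code.
type Keyring struct{ versions []cipher.AEAD }

// Rotate installs a fresh random key as the newest version; old versions stay decryptable.
func (k *Keyring) Rotate() int {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand aborts rather than return a weak key on failure (Go 1.24+)
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for AES
	k.versions = append(k.versions, aead)
	return len(k.versions)
}

// Encrypt always uses the newest version and prefixes the output with
// "vault:v<N>:" so the version used travels with the ciphertext.
func (k *Keyring) Encrypt(pt []byte) (string, error) {
	v := len(k.versions)
	if v == 0 {
		return "", fmt.Errorf("no key version installed; call Rotate first")
	}
	aead := k.versions[v-1]
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || GCM tag
	return fmt.Sprintf("vault:v%d:%s", v, base64.StdEncoding.EncodeToString(ct)), nil
}

// Decrypt reads the version prefix and uses that (possibly older) version; unknown versions are rejected.
func (k *Keyring) Decrypt(c string) ([]byte, error) {
	v, b64 := 0, ""
	if _, err := fmt.Sscanf(c, "vault:v%d:%s", &v, &b64); err != nil || v < 1 || v > len(k.versions) {
		return nil, fmt.Errorf("malformed ciphertext or unknown key version: %q", c)
	}
	aead, n := k.versions[v-1], k.versions[v-1].NonceSize()
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < n {
		return nil, fmt.Errorf("malformed ciphertext body")
	}
	return aead.Open(nil, raw[:n], raw[n:], nil) // fails if tampered
}
```

Calling `Rotate` on a schedule (the "every 30 days" idea above) only changes which version new ciphertext uses; rewrapping old ciphertext is `Decrypt` followed by `Encrypt` under the newest version.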

Lloyd Cabancla

Jul 13, 2015, 5:26:06 AM
to vault...@googlegroups.com, lloydc...@gmail.com
Thanks Armon. I have created issue 417 to track this.

Thanks,
Lloyd