Is cipher mode configurable in Vault


Niks

May 20, 2016, 10:52:37 AM
to Vault
Hi,

I am trying to figure out if cipher mode can be set somewhere in Vault or it is always "aes-gcm" and cannot be modified?

I am looking to either
1) Set it for the entire Vault server or
2) if /transit/keys/<keyname>/config can be used to set cipher_mode

When I send a Get request at http://127.0.0.1:8200/v1/transit/keys/<keyName>, I can see "cipher_mode": "aes-gcm",

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "cipher_mode": "aes-gcm",
    "deletion_allowed": true,
    "derived": false,
    "keys": {
      "1": 1463752410,
      "2": 1463752479
    },
    "latest_version": 2,
    "min_decryption_version": 1,
    "name": "myKey"
  },
  "warnings": null,
  "auth": null
}

Thanks.

Jeff Mitchell

May 20, 2016, 11:07:07 AM
to vault...@googlegroups.com
Hi Niks,

AES-GCM is the only currently supported mode, although you can also
use derived keys with it.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/a9e003f7-9751-47f2-b8e3-38478644a4c1%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Niks

May 23, 2016, 4:34:51 AM
to Vault
Thanks Jeff.

I read about key derivation at

  • "derived optional Boolean flag indicating if key derivation MUST be used. If enabled, all encrypt/decrypt requests to this named key must provide a context which is used for key derivation. Defaults to false."

1) I could not understand what key derivation is and how we can set it. Can you please give an example of key derivation?
2) With the below HTTP request I am able to configure my key, but how do I set the key derivation context in the request?
http://127.0.0.1:8200/v1/transit/keys/encryptKey/config
Request body:
{
  "deletion_allowed": true
}

3) It would be very, very helpful if you can tell me how I can associate a lease with this key. Setting "renewable": true from the config endpoint has no effect.

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "cipher_mode": "aes-gcm",
    "deletion_allowed": true,
    "derived": false,
    "keys": {
      "1": 1463752210,
      "2": 1463752379
    },
    "latest_version": 2,
    "min_decryption_version": 1,
    "name": "encryptKey"
  },
  "warnings": null,
  "auth": null
}

Thank you.

Niks

Niks

May 23, 2016, 4:47:07 AM
to Vault
Hi Jeff, 
Ignore my 3rd question. You already replied in another thread. Please respond to 1 and 2.

Thanks.
Niks


Jeff Mitchell

May 23, 2016, 2:16:22 PM
to vault...@googlegroups.com
On Mon, May 23, 2016 at 4:34 AM, Niks <niharik...@gmail.com> wrote:
> Thanks Jeff.
>
> I read about key derivation at
> https://www.vaultproject.io/docs/secrets/transit/
>
> "derived optional Boolean flag indicating if key derivation MUST be used. If
> enabled, all encrypt/decrypt requests to this named key must provide a
> context which is used for key derivation. Defaults to false."
> 1) I could not understand what is key derivation and how can we set it. Can
> you please give an example of key derivation.

Key derivation allows you to use the same transit key with some extra
private information that allows, essentially, subkeys.

The reason this is useful is that it eases management burden if you
want to have a high degree of separation between sets of encrypted
data.

As a very contrived example, let's say you want to encrypt a table in
a database. Suppose you have a second table that contains a set of
random bytes (the context), one for each row in the first table. On
lookup, you look up the context for the row you want to decrypt and
pass it to transit along with the encrypted data.

This ends up acting similarly to a salt: if someone finds out the
context for row A (but only row A), they may be able to decrypt row A
but will be unable to decrypt row B, even if the same key within the
transit backend is being used.

> 2) With below http request I am able to configure my key, but how do I set
> key derivation context in request?
> http://127.0.0.1:8200/v1/transit/keys/encryptKey/config

Key derivation must be set at key creation time. It cannot be turned
on or off after-the-fact.

Best,
Jeff
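
Added example, not part of the thread and not Vault's code: a local Go illustration of the per-row context idea from the reply above, where one master key plus a per-row context yields a separate AES-GCM subkey, so row B's ciphertext does not open under row A's context. The HMAC-SHA256 derivation, the function names and the sample key and contexts are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey: HMAC-SHA256(master, context) as an AES-256 subkey (assumed stand-in KDF, not Vault's).
func deriveKey(master, context []byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(context)
	return mac.Sum(nil)
}

// aeadFor builds AES-GCM under the subkey for one context.
func aeadFor(master, context []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(master, context)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                        // AES block: cannot fail
	return aead
}

// encryptRow returns nonce || ciphertext || tag, with a fresh random nonce.
func encryptRow(master, context, plaintext []byte) []byte {
	aead := aeadFor(master, context)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// decryptRow fails authentication unless context matches the one used to encrypt.
func decryptRow(master, context, blob []byte) ([]byte, error) {
	aead := aeadFor(master, context)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func main() {
	master := []byte("constructed sample key material") // constructed, not a real key
	blob := encryptRow(master, []byte("ctx-row-B"), []byte("row B value"))
	_, err := decryptRow(master, []byte("ctx-row-A"), blob)
	fmt.Println("row B under row A's context fails:", err != nil)
}
```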

Niks

May 24, 2016, 5:48:35 AM
to Vault
Thanks Jeff.



Niks

Jun 17, 2016, 8:38:23 AM
to Vault
Hi Jeff / group members,

I am trying to figure out how to create a key with a context (in transit backend)

I sent a post request at http://127.0.0.1:8200/v1/transit/keys/encryptKey1


with request body

{"derived": "true"}

I know I am missing sending the context. I also get an error while encrypting:

{
  "errors": [
    "missing 'context' for key deriviation. The key was created using a derived key, which means additional, per-request information must be included in order to encrypt or decrypt information"
  ]
}

Can you please give me the syntax of sending context in request?


  • derived optional Boolean flag indicating if key derivation MUST be used. If enabled, all encrypt/decrypt requests to this named key must provide a context which is used for key derivation. Defaults to false. 

Exact syntax will be a great help. Thanks!

Niks




Jeff Mitchell

Jun 17, 2016, 9:41:50 AM
to vault...@googlegroups.com

Niks,

Take a look at the parameters in that document for encrypt/decrypt/rewrap.

Best,
Jeff


Niks

Jun 17, 2016, 10:43:04 AM
to Vault
Thanks Jeff.

I am sorry if it's too basic, but I can't get it right.


Tried the below as request body while sending a request at http://127.0.0.1:8200/v1/transit/keys/encryptKey

1)
{
  "derived": "true",
  "context": "dGVzdA=="
}

2)
{
  "derived": "true",
  "context": {
    "company": "dGVzdA=="
  }
}

3)
{
  "derived": "true",
  "company": "dGVzdA=="
}

None works. 

I may be totally wrong. Trying to understand what a context is. Basically trying to set a context along with a key (this value, company=xyz, may be coming dynamically from a table or request), which is kind of a subkey which makes this encryption more secure. Is this correct?

Thanks.

Niks



Jeff Mitchell

Jun 18, 2016, 4:36:16 AM
to vault...@googlegroups.com
Hi Niks,

If you are actually using the URL
http://127.0.0.1:8200/v1/transit/keys/encryptKey then you're probably
just hitting the fact that that's not a valid endpoint :-)

The endpoint is http://127.0.0.1:8200/v1/transit/keys/encrypt/<key>
where <key> is the name of the key you want to use. You don't need to
set 'derived' -- that's only at key creation time. For the encrypt
endpoint, you just need 'context' and 'plaintext'.

Best,
Jeff

Niks

Jun 18, 2016, 6:43:39 PM
to Vault
Hi Jeff.

Thanks. I think I was not clear enough.

1) I was using end point http://127.0.0.1:8200/v1/transit/keys/<key>  to generate my encryption key.

Here I am not clear on how to set the key derivation context (syntax).

Documentation at https://www.vaultproject.io/docs/secrets/transit/ does not provide enough information.
/transit/keys/<name>

Parameters
  • derived optional Boolean flag indicating if key derivation MUST be used. If enabled, all encrypt/decrypt requests to this named key must provide a context which is used for key derivation. Defaults to false. 

2) I was using below end point for encryption


Without just plaintext it works fine.

I am confused now whether context should be set during key generation or during encryption.

Can you please elaborate on how and when exactly context is set? Also syntax for the same.

Thanks a lot.

Niks







Jeff Mitchell

Jun 18, 2016, 11:59:11 PM
to vault...@googlegroups.com
Hi Niks,

On Sun, Jun 19, 2016 at 12:43 AM, Niks <niharik...@gmail.com> wrote:
> 1) I was using end point http://127.0.0.1:8200/v1/transit/keys/<key> to
> generate my encryption key.
>
> Here I am not clear on how to set the key derivation context (syntax).
>
> Documentation at https://www.vaultproject.io/docs/secrets/transit/ does not
> provide enough information.
> /transit/keys/<name>
>
> Parameters
>
> derived optional Boolean flag indicating if key derivation MUST be used. If
> enabled, all encrypt/decrypt requests to this named key must provide a
> context which is used for key derivation. Defaults to false.

This means, when using key derivation, you must set the 'derived=true'
flag during creation of the encryption key. Once you do that...

> 2) I was using below end point for encryption
>
> http://127.0.0.1:8200/v1/transit/keys/encrypt/<key>

...you will have to send a 'context' value to the encrypt endpoint,
which the documentation notes is a base64-encoded value of your
choosing. In the proposed method of operation where this value is also
used as the nonce, you would be required to ensure that the value is
12 bytes (96 bits).

Best,
Jeff

Niks

Jun 20, 2016, 10:29:58 AM
to Vault
Thanks Jeff. Tried encryption decryption with context. Works fine as per your input.

Niks
