Vault init with Keybase


james....@made.com

Jan 20, 2017, 11:46:12 AM
to Vault
Hi,

We are using v0.6.0 and trying to use the Keybase PGP encryption when initialising.

The info below is from our test setup:

[root@ip-10-160-237-116 james.morgan]# vault init -address=http://10.160.237.116:8200 -key-shares=3 -key-threshold=2 -pgp-keys="keybase:jamesdmorgan,keybase:pathogenix,keybase:egidijus"
Unseal Key 1: 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
Unseal Key 2: 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
Unseal Key 3: 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
Initial Root Token: 7736ef9f-151c-88e7-32ca-036f660d64c8

Vault initialized with 3 keys and a key threshold of 2. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 2 of these keys
to unseal it again.

Vault does not store the master key. Without at least 2 keys,
your Vault will remain permanently sealed.


When trying to decrypt the keys to pass to unseal I get:

$ echo c1c04c03d195f65f064db4c201080008719d56485295b195bca87b2333ccc31dfca492c3d679a59db98e69778682778af5c6b412bd93ea9a2d1eb28aefc3bad7d0a513ae054a4eb69be6b452e2f8b5d5e23c62d89c86ab6a2bf5b0b6d85277c5c33ac4098241792473596968af1e57fce6afdd164e08fba3b6322b241af9967d73c996420c3a577df4c622745d9e41d6dda53fe337910885485e8a7e4ed16d47d95716c870b8b60807e271dcc38c323acf9b4046508f4094cb723c4a8dc095c8c5b2ba16167725507c14d6291f2e41296738f09a4685a697a42d3bdf107a6115c1ac6e4294172611834950640ca3baca0281567401813217415c3455386d1a926db1c62e9b41a69ba7051bb29bb08dd2e001e4087ea8b23f1ad81ea31b9278101e8a76e1e647e065e08ee17277e084e293cb7d73e0c5e637373eb8bfc87a730f8b861ad2d55968e4c1dbc5328d08b258dbcc5539bf8edf0e080e0eb13b15237b78cfc6e399460817b02934c10a9aa59de0cb64984d2839e052e1c26be065e4937bb17928b303d628ea5258655a41b4e23f8e0e30e1df0b00 |base64 -D| keybase pgp decrypt
▶ ERROR unknown stream format

Has anybody come across this? Or have any idea what I could be doing wrong? Just using vault init and the default worked, but it would be nice to use Keybase to handle the PGP work.

Any help greatly appreciated.

Jeff Mitchell

Jan 20, 2017, 12:03:30 PM
to vault...@googlegroups.com
Hi James,

That's hex, not base64, which is why the decoding is failing. Later
versions of Vault (0.6.2+) also return base64 values.

Is there any reason you're starting with 0.6.0 at this point? I'd
strongly recommend, if you're just starting now, with 0.6.4, both for
security and bug fix reasons (not to mention features).

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/bdf6e662-b23f-4e1d-846f-e5630af9969d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
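A small decoder, added here as an example and not code from the thread or from Vault, that tells the hex output of 0.6.0 apart from the base64 output of 0.6.2+ before the bytes are piped to `keybase pgp decrypt`. It also checks that the decoded data begins with an OpenPGP packet header: the share printed above starts with byte 0xc1, a new-format Public-Key Encrypted Session Key packet (tag 1), which is exactly what a share encrypted to a public key should start with, so a decode that yields anything else was done with the wrong codec. The function names are my own.

```python
"""Decode a PGP-encrypted unseal-key share before piping it to `keybase pgp decrypt`.

Added example, not from the thread or from Vault. Vault 0.6.0 printed the
encrypted shares as hex; 0.6.2+ prints base64. Both encodings are handled.
"""
import base64
import binascii
import sys


def share_encoding(text: str) -> str:
    """Return 'hex' or 'base64' for a printed share, or raise ValueError.

    Hex is tested first: a short hex string is also valid base64 alphabet,
    which is precisely the trap in the thread above.
    """
    s = text.strip()
    if not s:
        raise ValueError("empty share")
    if len(s) % 2 == 0 and set(s) <= set("0123456789abcdefABCDEF"):
        return "hex"
    try:
        base64.b64decode(s, validate=True)
        return "base64"
    except binascii.Error as exc:
        raise ValueError(f"share is neither hex nor base64: {exc}") from None


def decode_share(text: str) -> bytes:
    """Return the raw OpenPGP message bytes for a printed share."""
    s = text.strip()
    if share_encoding(s) == "hex":
        return bytes.fromhex(s)
    return base64.b64decode(s, validate=True)


def looks_like_openpgp(data: bytes) -> bool:
    """Cheap sanity check on the decoded bytes (RFC 4880 section 4.2).

    Every OpenPGP packet header has bit 7 set; bit 6 selects the new
    header format.  A share encrypted to a public key begins with a
    Public-Key Encrypted Session Key packet, tag 1.
    """
    if not data:
        return False
    first = data[0]
    if not first & 0x80:
        return False
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 1


def main() -> None:
    raw = decode_share(sys.stdin.read())
    if not looks_like_openpgp(raw):
        sys.exit("decoded data does not start with an OpenPGP PKESK packet")
    sys.stdout.buffer.write(raw)  # raw bytes, ready for `keybase pgp decrypt`


if __name__ == "__main__":
    main()
```

Usage is `echo c1c04c03... | python3 decode_share.py | keybase pgp decrypt` (script name assumed); with a 0.6.2+ share the same pipeline works because the base64 branch is taken.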

james....@made.com

Jan 20, 2017, 6:17:17 PM
to Vault
Hi,

Of course, I should have spotted that. Cheers.

0.6.0 was installed some months back and I'm just getting to look at it again properly.

I'll move to 0.6.4.

Looking forward to where this will take us.

Thanks

James


james....@made.com

Jan 24, 2017, 12:44:18 PM
to Vault
Hi,

I've upgraded to 0.6.4 and it works if I use the vault client. It's now correctly base64.

[root@ip-10-160-225-122 james.morgan]# vault --version
Vault v0.6.4 ('f4adc7fa960ed8e828f94bc6785bcdbae8d1b263')


My plan is to initialise the server using the python hvac module and Ansible. I'll then distribute the PGP-encrypted key shares to our Slack.

I am having a problem with hvac in that I get the following:

   invalid seal configuration: Error decoding given PGP key: illegal base64 data at input byte

To rule out hvac I emulated it with curl:

[root@ip-10-160-225-122 james.morgan]# curl \
  -H "Content-Type: application/json" \
  -X PUT \
  -d '{
        "pgp_keys": ["keybase:jamesdmorgan", "keybase:pathogenix", "keybase:egidijus"],
        "secret_shares": 3,
        "secret_threshold": 3
      }' \

"errors":["invalid seal configuration: Error decoding given PGP key: illegal base64 data at input byte 7"]}

I get exactly the same error as with hvac. Is there a different endpoint that I need to hit? It looks like it's not correctly detecting keybase.

I noticed that the /sys/init docs don't mention keybase: https://www.vaultproject.io/docs/http/sys-init.html

    • pgp_keys (optional): An array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

Any help greatly appreciated.

James

james....@made.com

Jan 24, 2017, 12:45:37 PM
to Vault
I meant to clarify that it works using the vault client:

vault init -address=http://10.160.225.122:8200 -key-shares=3 -key-threshold=2 -pgp-keys="keybase:jamesdmorgan,keybase:pathogenix,keybase:egidijus"

Jeff Mitchell

Jan 24, 2017, 2:08:09 PM
to vault...@googlegroups.com
Hi James,

Currently the keybase fetching is implemented in the client, which is
why the docs for the HTTP API don't mention it -- the HTTP API doesn't
support it.

The original reasons for doing so are not necessarily valid anymore,
but one does remain: the current implementation means that at the HTTP
layer, it's explicit which key should be used, as opposed to having
the Vault server fetch the key from Keybase, in which case you think
you know what key will be used but it could have been changed and you
may not actually be okay with that. It's a minor point since most
people might use the CLI client for init anyways, and there are only a
couple of scenarios in which this is really a potential attack vector,
and those can be documented away.

So, I'm amenable to changing it, but the team is pretty swamped, and a
third-party PR that brings the functionality in from the CLI into the
server is going to get that added much faster.

Best,
Jeff
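Given Jeff's explanation, the HTTP API (and therefore hvac or curl) has to be sent each key in the form the docs quoted above require: base64 of the key's binary representation, not the literal string "keybase:jamesdmorgan" (whose byte 7 is the ':' that the error message objects to). The following is an added example, not code from the thread, from Vault or from hvac: it dearmors an ASCII-armored public key obtained out of band (for example from `keybase pgp export`, which this example does not call, so the Keybase lookup the CLI performs is not reproduced) and builds the /sys/init request body. The sample key material in the block is constructed bytes, not a real key, and the function names are my own.

```python
"""Build a /sys/init payload from ASCII-armored PGP public keys.

Added example, not from the thread, Vault or hvac. The Vault server does not
resolve "keybase:<user>" names (the CLI does that before calling the API), so
each key must be submitted as base64 of its binary OpenPGP form.
"""
import base64
import json

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Produce an ASCII-armored block (used here only to build sample input)."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {kind}-----", ""] + lines
                     + [f"={crc}", f"-----END {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Strip armor headers, verify the CRC24 trailer, return the binary key."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    # Armor headers such as "Version: Keybase ..." end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC24 mismatch")
    return data


def init_payload(armored_keys, threshold: int) -> dict:
    """Request body for PUT /v1/sys/init: one base64 binary key per share."""
    keys = [base64.b64encode(dearmor(k)).decode() for k in armored_keys]
    return {"pgp_keys": keys, "secret_shares": len(keys), "secret_threshold": threshold}


# Constructed sample "keys": arbitrary bytes, not real PGP key material.
SAMPLE_KEYS = [armor(bytes(range(1, 41))), armor(bytes(range(100, 160)))]

if __name__ == "__main__":
    print(json.dumps(init_payload(SAMPLE_KEYS, threshold=2), indent=2))
```

The resulting dict is what the curl call above should have sent; passing the same `pgp_keys` list to hvac's `initialize()` (hvac signature assumed, not verified here) avoids the "illegal base64 data" rejection because every element is now valid base64. Note the CRC check: a key that was truncated or mangled in transit is refused before it ever reaches Vault, rather than silently encrypting shares to a corrupt key.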

james....@made.com

Jan 24, 2017, 5:25:23 PM
to Vault
Hi Jeff,

Thanks for the response; that would explain things.

I'll have a deeper look into the code.

In the meantime I can just use the CLI. I'll keep a check on the changelog to see if it does make it in at some point.

Thanks

James