configure the type of encryption for the K/V secrets engine

[Selvi K]

Hi,

I am trying to figure out how to configure the type of encryption performed by the K/V secrets engine. I would like to be able to choose any configurable parameters for this encryption. Can someone point me to whether this is possible and if yes, where are these parameters listed?

Thank you!

[Matthew Irish]

Hi Selvi,

For the KV engine, values you input are stored encrypted at rest, but when you use the vault kv command or the API, those values will be decrypted and returned in plaintext.  I don't believe that the barrier encryption that Vault uses to do this encryption at rest is configurable. 

If you're looking for configurable encryption, you may want to look at the Transit engine https://www.vaultproject.io/docs/secrets/transit/index.html - you could then store the output in vault's KV store or elsewhere. 

Hope this helps!

Cheers,

Matthew 

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/8fcb9693-0e34-486d-a119-dfce45f1f0a5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Selvi K]

Hi Mathew,

Thank you very much for the quick reply! This is very helpful. 

My use-case has specific requirements on the type of encryption to be used. For the KV engine, from the docs, I see that this is the type of encryption that is being used and from what you've said this is not configurable. 

"The storage backends used by Vault are also untrusted by design. Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces. The nonce is randomly generated for every encrypted object. When data is read from the security barrier the GCM authentication tag is verified during the decryption process to detect any tampering."

Is this underlying choice made by the Vault designers -  "AES-256+GCM", something that is bound to change? Could you please help point me to the code where this encryption is being done so I can look in to this? 

>> If you're looking for configurable encryption, you may want to look at the Transit engine https://www.vaultproject.io/docs/secrets/transit/index.html - you could then store the output in vault's KV store or elsewhere. 

I see, this seems workable. I would really like to use Vault both for encryption and storage. However, with this proposed method, the number of operations to Vault are now doubled. One to encrypt and another to store (and similar when being retrieved). Also the data is going to be doubly encrypted - which seems unnecessary.

Thank you again for responding to my query.

Best! 

[Jeff Mitchell]

Hi Selvi,

On Tue, Aug 28, 2018 at 4:14 PM Selvi K <selvik...@gmail.com> wrote:

Is this underlying choice made by the Vault designers -  "AES-256+GCM", something that is bound to change? Could you please help point me to the code where this encryption is being done so I can look in to this? 

 While in theory this can be swapped out (the implementation is an interface) there are no current plans to do so. What are your specific requirements and why is this scheme not sufficient?

Best,

Jeff