decrypt GPG session key with vault


Jiri

Feb 15, 2018, 3:07:38 PM
to Vault
I would like to

1. encrypt a large file with GPG
2. let Vault decrypt the RSA-encrypted session key of that encrypted file
3. use this decrypted session key to decrypt the file

Basically a very similar thing to what this guy is doing (in his case purely with GPG): https://serverfault.com/questions/751552/encrypted-offsite-backup-using-gpg-with-private-key-never-on-backup-server

The goal is for the private key to never leave Vault.

Did anybody have any success doing this?
Jeff Mitchell

Feb 15, 2018, 3:37:01 PM
to Vault
Hi Jiri,

You could use transit's RSA key support to take a session key and encrypt it, then have an authorized person decrypt the session key later. The RSA private key would stay on Vault. However, there is no support to give arbitrary session keys to Vault for decryption of data.

Best,
Jeff


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/0ed11cfd-f21e-4da0-b778-3d042f69b911%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
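Jeff's suggestion, worked out end to end as an added example (this is not code from the thread or from HashiCorp). It assumes Vault at $VAULT_ADDR with a token in $VAULT_TOKEN, a transit mount at `transit/` holding an RSA key named `backup-kek` (created with `vault write -f transit/keys/backup-kek type=rsa-2048`), and gpg 2.1+ on PATH; the key name and file-naming scheme are choices made here. The point worth noticing: a file produced by `gpg -e` wraps its session key with PKCS#1 v1.5 padding, while transit's RSA keys use RSA-OAEP, so the blob inside a normal GPG file is exactly the "arbitrary session key" transit will not decrypt. The way around it is to keep the session key out of PGP's own public-key envelope: generate it yourself, encrypt the file with `gpg --symmetric` using that key as the passphrase, and let transit wrap only the key.

```python
"""Envelope encryption of a backup with a session key wrapped by Vault transit.

Added example, not from the thread or from HashiCorp.  Assumptions: Vault is
reachable at $VAULT_ADDR with a token in $VAULT_TOKEN, the transit engine is
mounted at transit/ with an RSA key named backup-kek, and gpg 2.1+ is on PATH.
Instead of gpg's own public-key envelope, the random session key is used as
the passphrase for `gpg --symmetric`, so the file never depends on a PGP
private key; the RSA private key only ever exists inside Vault.
"""
import base64
import json
import os
import subprocess
import urllib.request

TRANSIT_KEY = "backup-kek"  # assumed transit key name


def encrypt_request_body(plaintext: bytes) -> bytes:
    """transit/encrypt takes the plaintext base64-encoded in a JSON body."""
    return json.dumps({"plaintext": base64.b64encode(plaintext).decode()}).encode()


def decrypt_request_body(ciphertext: str) -> bytes:
    """transit/decrypt takes the vault:vN:... ciphertext string back."""
    return json.dumps({"ciphertext": ciphertext}).encode()


def ciphertext_from_response(body: bytes) -> str:
    """Encrypt responses carry {"data": {"ciphertext": "vault:v1:<base64>"}}."""
    ct = json.loads(body)["data"]["ciphertext"]
    if not ct.startswith("vault:v"):
        raise ValueError("unexpected transit ciphertext: %r" % ct)
    return ct


def plaintext_from_response(body: bytes) -> bytes:
    """Decrypt responses carry {"data": {"plaintext": "<base64>"}}."""
    return base64.b64decode(json.loads(body)["data"]["plaintext"])


def _vault_post(path: str, body: bytes) -> bytes:
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        addr + "/v1/" + path, data=body, method="POST",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def wrap_session_key(session_key: bytes) -> str:
    """Backup host: its token policy needs only transit/encrypt/backup-kek."""
    return ciphertext_from_response(
        _vault_post("transit/encrypt/" + TRANSIT_KEY, encrypt_request_body(session_key)))


def unwrap_session_key(wrapped: str) -> bytes:
    """Restore operator: needs transit/decrypt/backup-kek, granted separately."""
    return plaintext_from_response(
        _vault_post("transit/decrypt/" + TRANSIT_KEY, decrypt_request_body(wrapped)))


def gpg_symmetric(src: str, dst: str, session_key: bytes, decrypt: bool = False) -> None:
    """Run gpg with the hex session key as passphrase on stdin (never on argv)."""
    mode = ["--decrypt"] if decrypt else ["--symmetric", "--cipher-algo", "AES256"]
    subprocess.run(
        ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
         "--passphrase-fd", "0", "-o", dst] + mode + [src],
        input=session_key.hex().encode(), check=True)


def backup(src: str) -> str:
    """Produce src.gpg plus src.key.wrapped; the wrapped key is RSA ciphertext and
    can be stored next to the backup."""
    session_key = os.urandom(32)
    gpg_symmetric(src, src + ".gpg", session_key)
    with open(src + ".key.wrapped", "w") as f:
        f.write(wrap_session_key(session_key))
    return src + ".gpg"


def restore(src_gpg: str, dst: str) -> None:
    """Unwrap via Vault, then decrypt locally; the RSA key never left Vault."""
    with open(src_gpg[:-len(".gpg")] + ".key.wrapped") as f:
        session_key = unwrap_session_key(f.read().strip())
    gpg_symmetric(src_gpg, dst, session_key, decrypt=True)


if __name__ == "__main__":
    import sys
    if sys.argv[1] == "backup":
        backup(sys.argv[2])
    else:
        restore(sys.argv[2], sys.argv[3])
```

Give the backup host a policy with `transit/encrypt/backup-kek` only and hand `transit/decrypt/backup-kek` to the restore role; with that split, the backup host can add backups but cannot read any of them back, which is the property the original GPG-only setup was after. RSA-2048 with OAEP fits a 32-byte key comfortably, so the session key is wrapped in one call.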

Jiri

Feb 15, 2018, 6:09:08 PM
to Vault
A GPG-encrypted file uses hybrid encryption; the encrypted file itself has 2 parts:

1. session key - a random AES secret encrypted with the RSA-2048 public key
2. the actual content, encrypted with the AES secret
