Using Vault to Sign Data using an imported private key

[Punit Gupta]

Hi,

I have a use case similar to this:

1. I own a public-private key pair. Private Key is meant to sign some data and generate a signature. Public Key is meant to be distributed to third parties that they can use to validate the said signature.
2. I would like to store the said Private Key in Vault.
3. And I would like to use something similar to "Sign Data" functionality of 'Transit Engine' to sign any data, but do that using the Private-Key that I mentioned above.
4. 'Sign Data' functionality of Vault is described here https://www.vaultproject.io/api/secret/transit/index.html#sign-data but looks like it can only be used with a key that was generated by Vault itself (rather than using a key that I provide).

So my question is, is there any way that I can use Vault to sign data using a private key that I import into the vault?

Thanks for the help!!

[Nick Cabatoff]

Hi Punit,

No, sorry.  You could store the private key in a kv secret engine, but there's currently no way to get Vault to sign things for you with it.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ea094712-d670-48d1-b1c6-33e26423e8de%40googlegroups.com.

[Punit Gupta]

Hi Nick,

Thanks for the quick response.

If not 'transit secret engine', would you know if there is any other engine in Vault that provides 'Data Signing' functionality using an 'imported' key?

Also, adding 'import-key' option in transit-secret-engine (in addition to 'create-key' option that's already present) -- is it something that's perhaps being considered?

Thanks again!!

To unsubscribe from this group and stop receiving emails from it, send an email to vault...@googlegroups.com.

[Nick Cabatoff]

Hi Punit,

I've been informed by a colleague that it is actually possible to do this using transit, though it's not documented very well and it's not obvious.  You can use the backup endpoint for an existing key, then take the result, un-base64 to get the json, edit the json to replace the backed-up key with the key you want to import, then re-encode with base64 and send that to the restore endpoint.  I haven't tried this but I'm told it works.

To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ea2f1794-45dd-48c8-84bd-36fd8fecc116%40googlegroups.com.

[Punit Gupta]

Hi Nick,

I tried the steps you've mentioned below. When I call backup-endpoint on a rsa-2048-key that I created, I am returned an output whose base64-decoded version is shown below. Could you please provide any pointers on which parts of the below JSON would need to be modified to inject the key that I want (before I call restore-endpoint on modified data).

{"policy":{"name":"new_key2","keys":{"1":{"key":null,"hmac_key":"dsG5HUpVxpS/xsLXUEp7PWuApz8QH0jtpnpAI9S0UNo=","time":"2019-08-28T18:14:16.1309618Z","ec_x":null,"ec_y":null,"ec_d":null,"rsa_key":{"N":25278209865752883414628363584287565623544490960212251053533843790645626720097015375331303714113726137862196798530797815037570933890305839968695158048374124366896259857587903734627558819840026373757505799169744800146106915064385802051933963369770080693789904354663310100537231847726578861412207722006665811951293506510184137815054600442295440018102604158808824597755407558390802133094373741505237740311790669349797556858074498549749708204563525468997733232729334943040506151562042790634416706539892121288429434928277443955342066503099440563363776574105505936151776844120612958756256117742041464493378661063688744312579,"E":65537,"D":20532060783584196559615134203866452435609203088240513726318164894084990182098727779111585200874343802290011138431594813465370339698929772086204444103804742180731826368907934321096391520785575841553008967474920353409182039194766086559173424753949691555790228246752785804534811262617776919155509734315864847365217983988880029437711687893726291463350514993972703195255999089985495186183300079346093321483137495353274702631345679196725142976595067340606010418795957688377782090530756558801230248976661212529757093512523635352820426956900181947729265829587379535316814988337476087355336761397833782037120293887838264360833,"Primes":[148678207003862583630209360168654014653289699687079651687900291033208252913258442230287128551786920390684932118236346522697825357502625170969842305246534768269882687691863137336509920076379830048205033282832342810575136538549904288930630870954383037575416339886506426652231788328956721205743197704271222611199,170019603916101627965740468001072830290261611962347416245362460467388777669563276053863333242563449271564454722733745325898897889570839276437567347368758263453845870183784391159414397915581612596500877495868502667952376284913843001433204038857688637115996364418334621655296020656512896027214049538271287642621],"Precomputed":{"Dp":4589407705095045648777233251769032327442590635319928214056522098359404544662127174449102965657032515225836057115707600522112710350303045926301035804411856450706817175040650729080665399919379834101633921771973534122610147206714624967677285379872696110823920160983909869500662340196826937443253260841062046515,"Dq":155159718794240234783450137337323418936329962461754987537099400309657985620930313830439478430573223331598920800646696891781546056080417569990302660768391335869982874556692565281496188793094292808400155364914464746136742194858050201759593822726696365370258427445506742551255011664332816553880175913369050194813,"Qinv":65819843747570771032848170754490915864254533743117575969666609126462995421595040857841533137697882316882363034583015899229585900853406048466746891507119930981993416802477742588024884128924711138264279618122608263868951693392406894074526843109365543191778438975554645967035714497553757661044150922212820763612,"CRTValues":[]}},"public_key":"","convergent_version":0,"creation_time":1567016056}},"derived":false,"kdf":0,"convergent_encryption":false,"exportable":true,"min_decryption_version":1,"min_encryption_version":0,"latest_version":1,"archive_version":1,"archive_min_version":0,"min_available_version":0,"deletion_allowed":false,"convergent_version":0,"type":3,"backup_info":{"time":"2019-08-28T18:15:19.127922Z","version":1},"restore_info":null,"allow_plaintext_backup":true,"version_template":"","storage_prefix":""},"archived_keys":{"keys":[{"key":null,"hmac_key":null,"time":"0001-01-01T00:00:00Z","ec_x":null,"ec_y":null,"ec_d":null,"rsa_key":null,"public_key":"","convergent_version":0,"creation_time":0},{"key":null,"hmac_key":"dsG5HUpVxpS/xsLXUEp7PWuApz8QH0jtpnpAI9S0UNo=","time":"2019-08-28T18:14:16.1309618Z","ec_x":null,"ec_y":null,"ec_d":null,"rsa_key":{"N":25278209865752883414628363584287565623544490960212251053533843790645626720097015375331303714113726137862196798530797815037570933890305839968695158048374124366896259857587903734627558819840026373757505799169744800146106915064385802051933963369770080693789904354663310100537231847726578861412207722006665811951293506510184137815054600442295440018102604158808824597755407558390802133094373741505237740311790669349797556858074498549749708204563525468997733232729334943040506151562042790634416706539892121288429434928277443955342066503099440563363776574105505936151776844120612958756256117742041464493378661063688744312579,"E":65537,"D":20532060783584196559615134203866452435609203088240513726318164894084990182098727779111585200874343802290011138431594813465370339698929772086204444103804742180731826368907934321096391520785575841553008967474920353409182039194766086559173424753949691555790228246752785804534811262617776919155509734315864847365217983988880029437711687893726291463350514993972703195255999089985495186183300079346093321483137495353274702631345679196725142976595067340606010418795957688377782090530756558801230248976661212529757093512523635352820426956900181947729265829587379535316814988337476087355336761397833782037120293887838264360833,"Primes":[148678207003862583630209360168654014653289699687079651687900291033208252913258442230287128551786920390684932118236346522697825357502625170969842305246534768269882687691863137336509920076379830048205033282832342810575136538549904288930630870954383037575416339886506426652231788328956721205743197704271222611199,170019603916101627965740468001072830290261611962347416245362460467388777669563276053863333242563449271564454722733745325898897889570839276437567347368758263453845870183784391159414397915581612596500877495868502667952376284913843001433204038857688637115996364418334621655296020656512896027214049538271287642621],"Precomputed":{"Dp":4589407705095045648777233251769032327442590635319928214056522098359404544662127174449102965657032515225836057115707600522112710350303045926301035804411856450706817175040650729080665399919379834101633921771973534122610147206714624967677285379872696110823920160983909869500662340196826937443253260841062046515,"Dq":155159718794240234783450137337323418936329962461754987537099400309657985620930313830439478430573223331598920800646696891781546056080417569990302660768391335869982874556692565281496188793094292808400155364914464746136742194858050201759593822726696365370258427445506742551255011664332816553880175913369050194813,"Qinv":65819843747570771032848170754490915864254533743117575969666609126462995421595040857841533137697882316882363034583015899229585900853406048466746891507119930981993416802477742588024884128924711138264279618122608263868951693392406894074526843109365543191778438975554645967035714497553757661044150922212820763612,"CRTValues":[]}},"public_key":"","convergent_version":0,"creation_time":1567016056}]}}

Thanks,

Punit

To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ea2f1794-45dd-48c8-84bd-36fd8fecc116%40googlegroups.com.

[Nick Cabatoff]

Sorry, like I say I've never tried it myself.  Anything I said would be guessing.

To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/5882eac7-e61c-4459-a29c-0a4d52867d47%40googlegroups.com.