If I Lost My Unseal Keys...


Nathan Basanese

Feb 8, 2019, 5:45:54 PM
to Vault
X scenario:

Lost Unseal Keys, BUT, I have a running Vault Cluster, with root access on its local environment, as well as the root token and Consul backups.

The answer, here, is that you have to just use that root token to copy over whatever was important to a completely new Cluster.
Because, as it happens, rotating the master key requires the old keys:
https://www.vaultproject.io/guides/operations/rekeying-and-rotating#rekeying-vault

BUT, if you have the root token, and access to the hardware, I think you could read the master key from a memory dump, right?

Then could you modify rekey.go to inject that Master Key at the appropriate location, to get a new Master Key and Shamir Key Shares?

https://github.com/hashicorp/vault/blob/e9256ed4775a5cf517a3aa71f148ce4d50ef2b42/vault/rekey.go#L371

I guess this could take the master key that you had gotten from memory, and generate a new master key and Shamir key shares using it. What do you all think of this? Would you guess that it's even technically possible?

Jeff Mitchell

Feb 8, 2019, 6:59:10 PM
to Vault
Hi,

s/root token/root account on the box/ but yes otherwise.

Vault's memory is outside its security model for exactly this reason.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/db60afbe-9e5d-4160-969f-2676ab0b64ca%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yan Michalevsky

Mar 1, 2019, 1:59:42 PM
to Vault
Having root on a machine that's running an unsealed Vault, you don't even need the root token since you can just grab the master key from memory.
You can then regenerate Shamir shares of it either using the Go code from Vault that does it or your own implementation of Shamir secret sharing.
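The reply above says that once you hold the master key, producing fresh Shamir shares is just running Shamir secret sharing over it. The block below is an added, self-contained illustration of that scheme (not Vault's own `shamir` package, which adds checks this minimal version omits, such as forcing a non-zero leading coefficient): `Split` produces `n` shares of which any `threshold` reconstruct the secret, `Combine` interpolates at x = 0, and the share layout (y-values followed by one byte of x coordinate) mirrors Vault's. The secret bytes and parameters are constructed sample values, not anything from the thread. The point for operators is visible in the code itself: every share is derived from one value, so the master key in process memory is the single secret the whole threshold scheme protects, which is why root on the host sits outside the security model as Jeff notes.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// gfMul multiplies two elements of GF(2^8) using the AES reduction
// polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 == 1 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns the multiplicative inverse a^254 (a^(2^8-2)) by square-and-multiply.
func gfInv(a byte) byte {
	result, base, exp := byte(1), a, 254
	for exp > 0 {
		if exp&1 == 1 {
			result = gfMul(result, base)
		}
		base = gfMul(base, base)
		exp >>= 1
	}
	return result
}

// evalPoly evaluates a polynomial (coefficients in ascending order) at x via Horner's rule.
func evalPoly(coeffs []byte, x byte) byte {
	var y byte
	for i := len(coeffs) - 1; i >= 0; i-- {
		y = gfMul(y, x) ^ coeffs[i]
	}
	return y
}

// Split divides secret into n shares, any threshold of which recover it.
// Each share is len(secret) y-values followed by one byte holding its x coordinate.
func Split(secret []byte, n, threshold int) ([][]byte, error) {
	if threshold < 2 || threshold > n || n > 255 || len(secret) == 0 {
		return nil, errors.New("need 2 <= threshold <= n <= 255 and a non-empty secret")
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = make([]byte, len(secret)+1)
		shares[i][len(secret)] = byte(i + 1) // x is never 0: x = 0 would be the secret itself
	}
	coeffs := make([]byte, threshold) // a fresh random polynomial per secret byte
	for pos, b := range secret {
		if _, err := rand.Read(coeffs[1:]); err != nil {
			return nil, err
		}
		coeffs[0] = b // the constant term is the secret byte
		for i := range shares {
			shares[i][pos] = evalPoly(coeffs, byte(i+1))
		}
	}
	return shares, nil
}

// Combine recovers the secret by Lagrange interpolation at x = 0. Fewer than
// threshold shares yield an unrelated value rather than an error; that is the scheme working.
func Combine(shares [][]byte) ([]byte, error) {
	if len(shares) < 2 {
		return nil, errors.New("need at least two shares")
	}
	size := len(shares[0])
	xs := make([]byte, len(shares))
	for i, s := range shares {
		if len(s) != size {
			return nil, errors.New("shares have different lengths")
		}
		xs[i] = s[size-1]
		for j := 0; j < i; j++ {
			if xs[j] == xs[i] {
				return nil, errors.New("duplicate share")
			}
		}
	}
	secret := make([]byte, size-1)
	for pos := range secret {
		var acc byte
		for i := range shares {
			// l_i(0) = prod_{j != i} x_j / (x_j - x_i); subtraction is XOR in GF(2^8)
			basis := byte(1)
			for j := range shares {
				if i != j {
					basis = gfMul(basis, gfMul(xs[j], gfInv(xs[j]^xs[i])))
				}
			}
			acc ^= gfMul(shares[i][pos], basis)
		}
		secret[pos] = acc
	}
	return secret, nil
}

func main() {
	secret := []byte("constructed-example-master-key") // sample value, not a real key
	shares, err := Split(secret, 5, 3)
	if err != nil {
		panic(err)
	}
	recovered, err := Combine([][]byte{shares[4], shares[0], shares[2]})
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered from 3 of 5 shares: %q\n", recovered)
}
```

The default Vault configuration of 5 shares with a threshold of 3 corresponds to `Split(secret, 5, 3)` here; any three distinct shares in any order reconstruct the secret, and two do not.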