Transit byok import endpoints #15414
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
schultz-is
force-pushed
the
transit-byok-import-endpoints
branch
from
a82449d
to
6633769
Compare
sgmiller
requested changes
May 13, 2022
…nvert Transit wrapping key endpoint to use shared wrapping key retrieval method. Disallow import of convergent keys to Transit via BYOK process.
…specify OAEP random oracle hash function used to wrap ephemeral AES key.
… panic in Transit import. Proactively zero out ephemeral AES key used in Transit imports.
…ral key is of the size specified byt the RFC.
…n to avoid errors on BYOK keys with allow_rotation=false.
…d Transit import unit tests. Added unit tests for Transit import_version endpoint.
… but reject with an error when the field is provided.
schultz-is
force-pushed
the
transit-byok-import-endpoints
branch
from
6633769
to
d8d310a
Compare
sgmiller
approved these changes
May 16, 2022
| AllowImportedKeyRotation: allowRotation, | ||
| } | ||
|
|
||
| switch keyType { |
There was a problem hiding this comment.
nit: since we test within parseHashFn in a case-insensitive fashion, should we do the same here?
| lm.cache.Store(req.Name, p) | ||
| } | ||
|
|
||
| lock.Unlock() |
There was a problem hiding this comment.
Shouldn't this have been written as a deferred statement after the lock.Lock() on line 466? If we error out we aren't releasing the lock correct?
There was a problem hiding this comment.
Yep, good catch. If this errored, it'd deadlock that policy.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This adds two new endpoints to the Transit backend that enable BYOK (bring your own key):
keys/:name/import, which imports an external key into a new Transit key for use within Vault.keys/:name/import_version, which imports an external key into a new version of an existing Transit key for use within Vault.The intended use cases for Transit BYOK are seamless migration to Vault from legacy HSM/KMS solutions and import of externally-generated shared keys into an organization that already uses Transit. Since the security of imported keys cannot be guaranteed, and because the import process is complicated, this feature is not recommended for use without a full understanding of security implications.