mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-25 08:31:09 +02:00
Code Issues Projects Releases Wiki Activity

vault: adding barrier AddKey

Browse Source
This commit is contained in:
Armon Dadgar 2015-05-28 15:52:26 -07:00
parent 63d938def8
commit 32ccf77a61
3 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
vault/barrier.go
View File

@ -31,6 +31,18 @@ const (
// keyringPath is the location of the keyring data. This is encrypted // keyringPath is the location of the keyring data. This is encrypted
// by the master key. // by the master key.
keyringPath = "core/keyring" keyringPath = "core/keyring"
// keyringUpgradePrefix is the path used to store keyring update entries.
// When running in HA mode, the active instance will install the new key
// and re-write the keyring. For standby instances, they need an upgrade
// path from key N to N+1. They cannot just use the master key because
// in the event of a rekey, that master key can no longer decrypt the keyring.
// When key N+1 is installed, we create an entry at "prefix/N" which uses
// encryption key N to provide the N+1 key. The standby instances scan
// for this periodically and refresh their keyring. The upgrade keys
// are deleted after a few minutes, but this provides enough time for the
// standby instances to upgrade without causing any disruption.
keyringUpgradePrefix = "core/upgrade/"
) )
// SecurityBarrier is a critical component of Vault. It is used to wrap // SecurityBarrier is a critical component of Vault. It is used to wrap
@ -73,6 +85,9 @@ type SecurityBarrier interface {
// should use the new key, while old values should still be decryptable. // should use the new key, while old values should still be decryptable.
Rotate() error Rotate() error
// AddKey is used to add a new key to the keyring
AddKey(k *Key) error
// ActiveKeyInfo is used to inform details about the active key // ActiveKeyInfo is used to inform details about the active key
ActiveKeyInfo() (*KeyInfo, error) ActiveKeyInfo() (*KeyInfo, error)

14
vault/barrier_aes_gcm.go
View File

@ -335,6 +335,20 @@ func (b *AESGCMBarrier) Rotate() error {
return nil return nil
} }
// AddKey is used to add a new key to the keyring. This assumes the keyring
// has already been updated and does not persist a new keyring.
func (b *AESGCMBarrier) AddKey(k *Key) error {
b.l.Lock()
defer b.l.Unlock()
newKeyring, err := b.keyring.AddKey(k)
if err != nil {
return fmt.Errorf("failed to add new encryption key: %v", err)
}
b.keyring = newKeyring
return nil
}
// ActiveKeyInfo is used to inform details about the active key // ActiveKeyInfo is used to inform details about the active key
func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error) { func (b *AESGCMBarrier) ActiveKeyInfo() (*KeyInfo, error) {
b.l.RLock() b.l.RLock()

22
vault/barrier_test.go
View File

@ -335,6 +335,28 @@ func testBarrier_Rotate(t *testing.T, b SecurityBarrier) {
if out == nil { if out == nil {
t.Fatalf("bad: %v", out) t.Fatalf("bad: %v", out)
} }
// Attempt to do AddKey
randKey, _ := b.GenerateKey()
newKey := &Key{
Term: 3,
Version: 1,
Value: randKey,
InstallTime: time.Now(),
}
err = b.AddKey(newKey)
if err != nil {
t.Fatalf("err: %v", err)
}
// Check the key info
info, err = b.ActiveKeyInfo()
if err != nil {
t.Fatalf("err: %v", err)
}
if info.Term != 3 {
t.Fatalf("Bad term: %d", info.Term)
}
} }
func testBarrier_Rekey(t *testing.T, b SecurityBarrier) { func testBarrier_Rekey(t *testing.T, b SecurityBarrier) {