* Docs- Update info on key rotation
Added a sentence about needing to seal-rewrap if you want to disable or delete old key.
* rectified the url for seal-rewrap
rectified the url for seal-rewrap
* fixed some grammar
* Update website/content/docs/configuration/seal/pkcs11.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add a configuration flag for enabling multiseal (Seal HA), CE side
* imports
* no quotes
* get rid of dep on ent config
* Abstract enableMultiSeal for a build time switch
* license headers
* wip
* gate physical seal gen fetch by a param
* docs tweak, remove core flag
* updates from the ent pr
* update stub
* update test fixtures for enable_multiseal
* use accessor
* add a test fixture for non-multiseal diagnose
* remove debugging crtuch
* Do handle phys seal gen info even if multiseal is off, in order to facilitate enable/disable safeties
* more enabled flag handling
* Accept seal gen info if we were previously disabled, and persist it
* update unit test
* Validation happens postUnseal, so this test is invalid
* Dont continue setting conf if seal loading fails during SIGHUP
* Update website/content/docs/configuration/seal/seal-ha.mdx
Thanks, that does sound much clearer
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* use validation if previous gen was enabled
* unit test update
* stub SetMultisealEnabled
* bring over more changes from ent
* this was an unfix
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Do not refresh seal-wrapped values when there are unhealthy seals.
Modify Access.IsUpToDate() to consider entries as being up-to-date when one or
more encryption wrappers fail to encrypt the test value, since re-wrapping the
value would result in the loss of the ciphertext for the unhealthy wrappers.
In addition, make Access.IsUpToDate() return true is the key set ID has not been
populated and the caller has not forced key ID refresh.
Make Access.Encrypt() return an error for any encryption wrapper that is skipped
due to being unhealthy.
* Update Seal HA documentation.
Mention that the barrier key and the recovery keys cannot be rotated while there
are unhealthy seals.
Document environment variable VAULT_SEAL_REWRAP_SAFETY.
* Seal HA documentation updates
* anchor
* rel link
* remove beta
* try again on internal link
* still trying to get this internal redirect to work
* try without path
* wip
* Initial draft of Seal HA docs
* nav data
* Fix env var name
* title
* Note partially wrapped values and disabled seal participation
* Update website/data/docs-nav-data.json
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* correct initial upgrade limitation
* Add note about shamir seals and migration
* fix nav json
* snapshot note
* availability note
* seal-backend-status
* Add a couple more clarifying statements
* header typo
* correct initial upgrade wording
* Update website/content/docs/configuration/seal/seal-ha.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/docs/concepts/seal.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Clarify subject of this w.r.t. TLS configuration
Thanks to @aphorise for pointing this out internally.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in secrets/gcp docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in secrets/aws docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in secrets/database/oracle.mdx
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in seal/pkcs11 docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in agent/autoauth docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Document new force_rw_session parameter within pkcs11 seals
* documentation for key_id and hmac_key_id fields
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/configuration/seal/pkcs11.mdx
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update to hashicorp/go-kms-wrapping@v0.6.8
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation around Managed HSM KeyVault
This introduces the "resource" config parameter and the
AZURE_AD_RESOURCE environment variable from the updated go-kms-wrapping
dependency.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry for g-k-w changes
Includes changes from @stevendpclark.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* Docs: Seal pkcs11 updated example with actual hex slot reference and notes related to decimal conversion. Minor correction to **Note** area in 'lib' parameter above 'slot'.
* Docs: Seal pkcs11 slot note correction.
