Commit Graph

36 Commits

Author SHA1 Message Date
Vishal Nayak
ced60dbc0c Encrypt/Decrypt/Sign/Verify using RSA in Transit backend (#3489)
* encrypt/decrypt/sign/verify RSA

* update path-help and doc

* Fix the bug which was breaking convergent encryption

* support both 2048 and 4096

* update doc to contain both 2048 and 4096

* Add test for encrypt, decrypt and rotate on RSA keys

* Support exporting RSA keys

* Add sign and verify test steps

* Remove 'RSA' from PEM header

* use the default salt length

* Add 'RSA' to PEM header since openssl is expecting that

* export rsa keys as signing-key as well

* Comment the reasoning behind the PEM headers

* remove comment

* update comment

* Parameterize hashing for RSA signing and verification

* Added test steps to check hash algo choice for RSA sign/verify

* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Jeff Mitchell
a7d0fb7d50 Don't panic in audit logs when reading transit keys. (#2970) 2017-07-05 11:25:10 -04:00
Matthew Irish
5190b87714 add min_encryption_version to the transit key response (#2838) 2017-06-08 13:07:18 -05:00
Jeff Mitchell
a52fae256a ed25519 support in transit (#2778) 2017-06-05 15:00:39 -04:00
Chris Hoffman
43bae79d01 Adding support for exportable transit keys (#2133) 2017-01-23 11:04:43 -05:00
Matthew Irish
231f00dff2 Transit key actions (#2254)
* add supports_* for transit key reads

* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
vishalnayak
b30d5f5c57 Pulled out transit's lock manager and policy structs into a helper 2016-10-26 19:52:31 -04:00
Chris Hoffman
4406a39da2 Add ability to list keys in transit backend (#1987) 2016-10-18 10:13:01 -04:00
Jeff Mitchell
8482118ac6 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Jeff Mitchell
201cd2e1f7 Use unexported kdf const names 2016-08-31 07:19:58 -04:00
Jeff Mitchell
9a97f436ef Use hkdf for transit key derivation for new keys (#1812)
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
Jeff Mitchell
c9aa308804 Use key derivation for convergent nonce. (#1794)
Use key derivation for convergent nonce.

Fixes #1792
2016-08-26 14:11:03 -04:00
Jeff Mitchell
84cd3c20b3 Remove context-as-nonce, add docs, and properly support datakey 2016-08-07 15:53:40 -04:00
Jeff Mitchell
c7bf73f924 Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 17:52:44 -04:00
Jeff Mitchell
1c15a56726 Add convergent encryption option to transit.
Fixes #1537
2016-06-20 13:17:48 -04:00
Jeff Mitchell
027d570f7f Massively simplify lock handling based on feedback 2016-05-02 23:47:18 -04:00
Jeff Mitchell
c598a12ab9 Switch to lockManager 2016-05-02 22:36:44 -04:00
Jeff Mitchell
634cea72d7 Fix up commenting and some minor tidbits 2016-05-02 22:36:44 -04:00
Jeff Mitchell
32601f4424 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
Jeff Mitchell
42905b6a73 Update error return strings 2016-01-29 14:40:13 -05:00
Jeff Mitchell
ce44ccf68e Address final review feedback 2016-01-29 14:33:51 -05:00
Jeff Mitchell
46514e01fa Implement locking in the transit backend.
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.

As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00
Jeff Mitchell
e6b2d45c03 Move archive location; also detect first load of a policy after archive
is added and cause the keys to be copied to the archive.
2016-01-27 13:41:37 -05:00
Jeff Mitchell
625e8091a5 Address review feedback 2016-01-27 13:41:37 -05:00
Jeff Mitchell
9f2310c15c Fix logic bug when restoring keys 2016-01-27 13:41:37 -05:00
Jeff Mitchell
45e32756ea WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell
08a81a3364 Update transit backend documentation, and also return the min decryption
value in a read operation on the key.
2015-09-21 16:13:43 -04:00
Jeff Mitchell
82d1f28fb6 Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-18 14:41:05 -04:00
Jeff Mitchell
46073e4470 Enhance transit backend:
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
vishalnayak
41678f18ae Vault: Fix wild card paths for all backends 2015-08-21 00:56:13 -07:00
Armon Dadgar
c062345146 secret/transit: address PR feedback 2015-07-05 19:58:31 -06:00
Armon Dadgar
1ef4049f17 secret/transit: support key derivation in encrypt/decrypt 2015-07-05 14:19:24 -07:00
Armon Dadgar
0a7fe56e0a secret/transit: support derived keys 2015-07-05 14:11:02 -07:00
Armon Dadgar
96119946f3 secret/transit: allow policies to be upserted 2015-06-17 18:51:05 -07:00
Armon Dadgar
9238c6def3 secret/transit: Use special endpoint to get underlying keys. Fixes #219 2015-06-17 18:42:23 -07:00
Armon Dadgar
d425ca22df secret/transit: rename policy to keys 2015-04-27 13:52:47 -07:00