Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clean up stored barrier keys after migration to shamir #5671

Merged
merged 1 commit into from
Nov 5, 2018
Merged

Clean up stored barrier keys after migration to shamir #5671

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 16 additions & 6 deletions command/seal_migration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ func TestSealMigration(t *testing.T) {
NumCores: 1,
}

ctx := context.Background()
var keys []string
var rootToken string

Expand Down Expand Up @@ -111,7 +112,7 @@ func TestSealMigration(t *testing.T) {
newSeal := vault.NewAutoSeal(seal.NewTestSeal(logger))
newSeal.SetCore(core)
autoSeal = newSeal
if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, newSeal, &server.Config{
if err := adjustCoreForSealMigration(ctx, core, coreConfig, newSeal, &server.Config{
Seal: &server.Seal{
Type: "test-auto",
},
Expand Down Expand Up @@ -159,7 +160,7 @@ func TestSealMigration(t *testing.T) {
client := cluster.Cores[0].Client
client.SetToken(rootToken)

if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
if err := core.UnsealWithStoredKeys(ctx); err != nil {
t.Fatal(err)
}
resp, err := client.Sys().SealStatus()
Expand All @@ -186,14 +187,19 @@ func TestSealMigration(t *testing.T) {
t.Fatal(err)
}
sealAccess := core.SealAccess()
if err := sealAccess.VerifyRecoveryKey(context.Background(), recoveredKey); err != nil {
if err := sealAccess.VerifyRecoveryKey(ctx, recoveredKey); err != nil {
t.Fatal(err)
}

cluster.Cleanup()
cluster.Cores = nil
}

// We should see stored barrier keys; after the next stanza, we shouldn't
if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry == nil {
t.Fatalf("expected nil error and non-nil entry, got error %#v and entry %#v", err, entry)
}

// Fifth: create an autoseal and activate migration. Verify it doesn't work
// if disabled isn't set.
{
Expand All @@ -210,11 +216,11 @@ func TestSealMigration(t *testing.T) {
},
}

if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err == nil {
if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err == nil {
t.Fatal("expected error since disabled isn't set true")
}
serverConf.Seal.Disabled = true
if err := adjustCoreForSealMigration(context.Background(), core, coreConfig, shamirSeal, serverConf); err != nil {
if err := adjustCoreForSealMigration(ctx, core, coreConfig, shamirSeal, serverConf); err != nil {
t.Fatal(err)
}

Expand Down Expand Up @@ -247,6 +253,10 @@ func TestSealMigration(t *testing.T) {
cluster.Cores = nil
}

if entry, err := phys.Get(ctx, vault.StoredBarrierKeysPath); err != nil || entry != nil {
t.Fatalf("expected nil error and nil entry, got error %#v and entry %#v", err, entry)
}

// Sixth: verify autoseal is off and the expected key shares work
{
coreConfig.Seal = shamirSeal
Expand All @@ -258,7 +268,7 @@ func TestSealMigration(t *testing.T) {
client := cluster.Cores[0].Client
client.SetToken(rootToken)

if err := core.UnsealWithStoredKeys(context.Background()); err != nil {
if err := core.UnsealWithStoredKeys(ctx); err != nil {
t.Fatal(err)
}
resp, err := client.Sys().SealStatus()
Expand Down
5 changes: 5 additions & 0 deletions vault/core.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -953,6 +953,11 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover
return nil, errwrap.Wrapf("error rekeying barrier during migration: {{err}}", err)
}

if err := c.barrier.Delete(ctx, StoredBarrierKeysPath); err != nil {
// Don't actually exit here as successful deletion isn't critical
c.logger.Error("error deleting stored barrier keys after migration; continuing anyways", "error", err)
}

masterKey = recoveryKey
}

Expand Down
4 changes: 2 additions & 2 deletions vault/seal.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,8 @@ const (
// recoveryKeyPath is the path to the recovery key
recoveryKeyPath = "core/recovery-key"

// storedBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
storedBarrierKeysPath = "core/hsm/barrier-unseal-keys"
// StoredBarrierKeysPath is the path used for storing HSM-encrypted unseal keys
StoredBarrierKeysPath = "core/hsm/barrier-unseal-keys"

// hsmStoredIVPath is the path to the initialization vector for stored keys
hsmStoredIVPath = "core/hsm/iv"
Expand Down
4 changes: 2 additions & 2 deletions vault/seal_autoseal.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {

// Store the seal configuration.
pe := &physical.Entry{
Key: storedBarrierKeysPath,
Key: StoredBarrierKeysPath,
Value: value,
}

Expand All @@ -113,7 +113,7 @@ func (d *autoSeal) SetStoredKeys(ctx context.Context, keys [][]byte) error {
// GetStoredKeys retrieves the key shares by unwrapping the encrypted key using the
// autoseal.
func (d *autoSeal) GetStoredKeys(ctx context.Context) ([][]byte, error) {
pe, err := d.core.physical.Get(ctx, storedBarrierKeysPath)
pe, err := d.core.physical.Get(ctx, StoredBarrierKeysPath)
if err != nil {
return nil, errwrap.Wrapf("failed to fetch stored keys: {{err}}", err)
}
Expand Down