Commit 5736c2d0 authored by rculpepper

fix formatting and tweak wording

parent c4b54401
Showing with 10 additions and 8 deletions
......@@ -239,29 +239,31 @@ transit keys.
First, the wrapping key needs to be read from transit:
```text
$ vault read transit/wrapping_key
```
The wrapping key will be a 4096-bit RSA public key.
Then the wrapping key is used to create the ciphertext input for the `import` endpoint.
For the explanations below, the key being imported into Vault is referred to as the target
key.
Then the wrapping key is used to create the ciphertext input for the `import` endpoint,
as described below. In the below, the target key refers to the key being imported.
### HSM
If the key is being imported from an HSM that supports PKCS#11, there are
two scenarios:
two possible scenarios:
- If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
target key using the wrapping key.
- Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism.
Then the AES key should be encrypted under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
To create the ciphertext for input to transit's import endpoint, append the wrapped target key
to the encrypted AES key and then encode the bytes in base64.
The ciphertext is constructed by appending the wrapped target key to the wrapped AES key.
The ciphertext bytes should be base64-encoded.
### Manual Process
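Review bot: the rewritten OAEP sentence in the HSM section stacks two "using" clauses ("using the CKM_RSA_PKCS_OAEP mechanism using MGF1 and either SHA-1, ..."); suggest "with MGF1 and one of SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512". The section also lists five hash options but never says how the chosen hash is communicated to the `import` endpoint (or whether it is fixed); a one-line pointer to that would save readers a trip to the API reference. Finally, the new "ciphertext is constructed by appending the wrapped target key to the wrapped AES key" sentence is the first place the concatenation order appears; consider stating it once before the HSM and Manual Process subsections so both inherit it.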
......@@ -272,7 +274,7 @@ the ciphertext for the input of the `import` endpoint:
- Wrap the target key using the ephemeral AES key with AES-KWP.
- Wrap the AES key under the wrapping key returned by Vault using RSAES-OAEP with MGF1 and
- Wrap the AES key under the Vault wrapping key using RSAES-OAEP with MGF1 and
either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
- Delete the ephemeral AES key.
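Review bot: the change from "the wrapping key returned by Vault" to "the Vault wrapping key" introduces a second name for the key that the earlier section simply calls "the wrapping key" (read from `transit/wrapping_key`); pick one term and use it in both sections. The Manual Process list should also end by stating how the two wrapped blobs are combined and base64-encoded, matching the sentence added to the HSM section in the previous hunk, so the two paths are described identically.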