小 白蛋 / Vault · Commit 5736c2d0, authored 3 years ago by rculpepper
fix formatting and tweak wording
parent c4b54401
Showing 1 changed file: website/content/docs/secrets/transit.mdx (+10 -8)
@@ -239,29 +239,31 @@ transit keys.
First, the wrapping key needs to be read from transit:
```text
$ vault read transit/wrapping_key
```
The wrapping key will be a 4096-bit RSA public key.
Then the wrapping key is used to create the ciphertext input for the `import` endpoint.
For the explanations below, the key being imported into Vault is referred to as the target
key.
Then the wrapping key is used to create the ciphertext input for the `import` endpoint,
as described below. In the below, the target key refers to the key being imported.
### HSM
If the key is being imported from an HSM that supports PKCS#11, there are
two scenarios:
two
possible
scenarios:
- If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
target key using the wrapping key.
- Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism.
Then the AES key should be
encrypt
ed under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
Then the AES key should be
wrapp
ed under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
To create the ciphertext for input to transit's import endpoint, append the wrapped target key
to the encrypted AES key and then encode the bytes in base64.
The ciphertext is constructed by appending the wrapped target key to the wrapped AES key.
The ciphertext bytes should be base64-encoded.
### Manual Process
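Review bot: the final sentence of the second HSM bullet now reads "using the CKM_RSA_PKCS_OAEP mechanism using MGF1 and either SHA-1, ..." with a doubled "using"; suggest "using the CKM_RSA_PKCS_OAEP mechanism with MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512." Two documentation gaps remain in this hunk: the sentence "The ciphertext is constructed by appending the wrapped target key to the wrapped AES key" should spell out the byte order explicitly (RSA-wrapped AES key first, which is 512 bytes for the 4096-bit wrapping key the section describes, followed by the KWP-wrapped target key), since an implementer who swaps the two halves will get an opaque import failure; and after offering five hash choices, the text never says how Vault learns which hash was used, so the import endpoint's hash selection should be referenced here.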
@@ -272,7 +274,7 @@ the ciphertext for the input of the `import` endpoint:
- Wrap the target key using the ephemeral AES key with AES-KWP.
- Wrap the AES key under the wrapping key
returned by Vault
using RSAES-OAEP with MGF1 and
- Wrap the AES key under the
Vault
wrapping key using RSAES-OAEP with MGF1 and
either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
- Delete the ephemeral AES key.
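Review bot: "using RSAES-OAEP with MGF1 and either SHA-1, SHA-224, ..." is ambiguous about whether the named hash is the OAEP hash, the MGF1 hash, or both; since mismatched hash choices between OAEP and MGF1 are a common cause of decryption failures in OAEP implementations, the bullet should state explicitly that the same hash applies to both. It would also help to note that "AES-KWP" in the first bullet is the same operation the HSM section calls CKM_AES_KEY_WRAP_PAD, so readers following either path know the two procedures produce identical ciphertext.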