4 hours 53 minutes
in this video, we're going to understand the rewrap capability that the transit secret engine has.
We're going to do this by encrypting a secret using the current version of the M I six key.
Then we're gonna update that encryption key that the original encryption was using. We're gonna just exercise the decryption process. Just make sure that that still works because it was scripted with an old key. And then we're gonna re encrypt the secret using a new version of the key. Specifically, we're gonna be using the rewrap capabilities
starting out with the Web interface. Let's jump into the encryption as a service area and drive into the M I six key. Let's perform a few key actions. So we want to encrypt a particular message. Let's say, um,
Agent Q has a new laser beam,
and we're going to base 64 code that and go through the encryption. And let's copy this off as well.
Now, of course, we could do the decrypt operation, and we know that's gonna work out. But it's going to be a common situation within your company, just like you wrote. Take passwords, rotating the underlying encryption keys. Maybe you have a policy. You want to do it once 1/4 once a month, once a week, one today, whatever sort of frequency
it really is a good practice to be rotating these things. And that's a running theme is we've explored Baltin. Really? What are the fundamental tenants around?
How does it make things more secure, right? Rotating and changing passwords. So of course, we want to continue that even when we're using vault. And we want to rotate the underlying encryption key that the encryption, as a service is using. So this m I six encryption keys. So let's drill into that and look at the versions capability,
and we're gonna rotate. The encryption key
rotated all key actions using the latest version of the key. Great.
So now here's the current minimum version two. And so now we've created a new version of the encryption key.
So let's come back and to perform a few key actions, namely, let's train decrypt and we're gonna paste in the encrypted message that we just created. So one thing to note on this message is there's some texts pre pendant to it, and it's always gonna be there. It's a vault colon that's telling us Hey, this this is cipher text and it was encrypted
It doesn't specifically say he this was encrypted using the m I six key. That's something that you need to keep track of. But what it does tell us is this was encrypted using V one, the version one off the M I six key in our particular case. So let's perform the decrypt operation using this message which was encrypted using version one
even though version two of the key exists.
And sure enough, it does decrypt because in the actual message itself, vault parses that and it recognizes. Okay, this is done using version one. I'm going to use the version one of the key to do the decryption,
and that's great for backwards compatibility. But there may be circumstances where maybe version one. That key somehow got out. It escaped, and we have great audit logs and balt and we figured out that somebody pulled it out of the system and they really shouldn't have. So then what are we going to do in this situation?
Well, eventually, what we need to do is is re encrypt
everything that was encrypted with the version one key with the version two key. And in order to do that,
we can either decrypt every single message that was encrypted with version one and then come back and re encrypt those with version two. Or we can use the rewrapped capability that vault itself provides. So in this case,
here's the version one encrypted information, and we're going to use the rewrap capability, and it's gonna re encrypt this using version two. So I go rewrap. And sure enough, here is the same key. Same message. But it's been encrypted using version two of the key. So if you come back and do a little decrypt
Okay, let's do that. And
hey, Agent Q has a new laser beam. So
why is this important and valuable this rewrap capability?
Well, by using this capability, the whole process of decrypting the message using version one of the key,
having it in a decrypted format and then re encrypting it using the version two key over the version three keer, whatever the latest key is, all of those actions take place on the vault server. So the decrypted version of this message doesn't need to transition back and forth over the wire. It doesn't need to be
provided in an unencrypted format to any sort of an application,
and that's very handy to really keep things on, lock down and just reduce the amount of time that this information is exposed in plain text.
So we're not totally done with this fictitious scenario because the key, his leaked version one of the keys leaked. That's why we're going through this whole rewrapped process. And once we're done updating the different data that was encoded with the version one of the key, there's a few different actions we can take.
It's drill into the key
edit encryption key. We can enable the deletion capability. And then, of course, we could delete that version of the key alternately if we want to keep version one around because the bad guy did get it. But we want to keep it around just in case we set the minimum decryption to Version two,
and we can enable some additional auditing capabilities
that will alert us if somebody attempts to decrypt the data using version one of the key and that way we can still go back and go through some other specific actions if we want to decrypt that data using version one of the key. But we will be alerted because from our perspective, version one of the key leaked and
that information is all suspects. So we re encrypted it with version two.
And just to recap, what did we learn in this whole lesson? We talked about the key rotation and handling situations where you want to change the key that's used by the encryption as a service and the various capabilities to do re wrapping and updating those things that were encrypted with the latest and greatest version of that key.