4 hours 53 minutes
to complete our tour of encryption as a service capabilities involved. We're gonna look at the H Mac capabilities and how those congee used to establish irrefutable ity. That is, knowing a message was signed by an individual and having strong confidence in that and verifying that
we're gonna then generate a secret. And the Associated H Mac, we will run the H Mac verification process on that secret. And then we're gonna try to change the secret a little bit and see, Does the H Mac verification add up? Or does it tell us this message is invalid for the provided age back?
Once again, we'll drill into the Enterprise is a service secrets engine and will use the M I six key. Let's perform some actions here. Let's do H Mac. So what is the input? What is the message that we want to tell James Bond? We want to tell him.
Return to headquarters Turnabout to, say, return to H Q
bang. Very important message. Right. Return to H Q. We're gonna base 64 code that
and then we're gonna use thes particular default hashing algorithm, which gives us this h back. And I'm gonna copy that. So if you could imagine a situation where this message is going to go to James Bond and then that being returned to H Q. And then this here
is going to be also accompanying that message and this is saying, Here's my verification signature
that using the M I six key
this message I've signed this message. It is it is authentic. It is from me. And here's exactly what it says
involved through the Web. AP I. And then, of course, the http AP I provides us with the ability to verify the different H Mac messages. So here we go. Let's let's say the again. The thing is returned to H Q. That is gonna be the message.
If we base 64 encode that
and we paste in the H Max signature that was just generated. Let's run verification.
The input is valid. Great.
But what if we were in a situation where the message got to us and said something like Return
to the safe house, right? The bad guy wants toe. Have James Bond go to the safe house, and then he can watch him, and then he learns where the local safehouses. We're gonna code that base 64. And then he just spits in the normal H. Mac
that was sent with the original message. Right? Maybe this this message was somehow intercepted,
altered, and then forward it on. So does this add up? Does the message align with the H Mac?
And sure enough, it says no. No, it doesn't. Um, we can try altering the H. Mac, and that's also not gonna work out. Right? Return to safe house. This is our altered message. Here's the original H. Mac. I'm just gonna delete a character and replace it with the number four and we'll run a verification. And again, what
got to do? A base 60 foreign coating.
Let's give it a shot. But as expected, the input is also not valid.
So if you didn't know much about H. Mac and what the whole purpose was, you definitely picked that up quickly. And also now you can see how vault can help in generating the Ace Max and verifying the H. Max and these h max taken account and are based off of the current version of the M I six key
this video Also ends are module on encryption as a service. So just a recap of module in its entirety. We exercise the capabilities of the transit secret ended right? That's the basis for encryption as a service that vault provides. We performed the encrypted decrypt operations using this case, the M I six key.
We talked about handling
in rotations of those encryption keys by creating a new version of M I six ke re wrapping existing secrets, upping the ante for the minimum version of the key that any future encryption or decrypt operations would have to use. We managed key generation and distribution with the data keys capability.
This is really valuable when the encryption itself is going to take place outside a vault.
Maybe you're handing off keys to, ah, third party and you you don't want them to persist the actual encryption keys. But you do want to give them a safe, encrypted version of those encryption keys. And then last we learned about verifying messages using H Mac
and the capabilities. We did all this through the Web interface because it was just a lot easier to exercise.
Of course, in a real world, when you're doing this programmatically you're going to be relying on the http AP I interfaces and you confined full, detailed documentation using the A P I Explorer, which you can access through the Web interface. If you recall by simply launching the command line
and just typing a P I.
And then now this will give us a nice capability here. If you wanted to look at the exercise various secrets as a service using the rest AP I say you're building out of programmatic way. And then, of course, there are the libraries to interface with the H C G p a p I power shell goal ings java C sharp.
You name it those kind of adapters as well.
So that gives you a great to review of encryption as a service. And it rounds out the three different pillars a vault that we discussed at the very beginning of this training