Sealing and Unsealing

00:00

Welcome to the next video on vault.

00:03

In this video, we're gonna learn about the Shamir's secret sharing algorithm, how it's used involved. We're gonna go through the process of ceiling and unsealing our own local vault Instance. And then we're gonna talk about auto unseal capabilities involved.

00:16

You may recall, when we looked at the architecture in the prior lesson, we discussed the fact that data gets stored in a stores back in different storage back ends. And there's this cryptographic seal this barrier, right, like a bank vault around all the data when it's held in memory, and then when it gets stored to the back end,

00:36

it's encrypted.

00:37

In fact, it's encrypted using a 256 bit a AES encryption. Now, if you recall way back in this series, when we were talking about asymmetric encryption versus symmetric encryption, A s is a symmetric encryption protocol. So this is all this say when the vault server starts up.

00:55

If it has existing data that it needs to read, all that data is encrypted, and so it's using A S, and you need the key to decrypt that data

01:06

Well, turns out the folks at Hash Corp didn't make it so simple as to say one single key will decrypt all the data in your vault. In fact, they went ahead and used a algorithm called the Shamir's Secret Sharing Algorithm. Ultimately, it's to make it more difficult for a hacker

01:25

to decrypt the data in your vault.

01:27

In fact,

01:29

all the data itself that is encrypted all the storage data that encryption key itself is encrypted

01:37

alongside the data. And then there's a master key that's encrypting that encryption key, right? So where we've got multiple layers of encryption going on to really lock things down and keep them shape safe,

01:48

and what ends up happening is to generate that master key. It's actually been split into separate shares,

01:56

and in order to regenerate that master key, you need a certain number of those shares, right? So a quorum of key holders to get that master key. And without that master key, you can't do what's called unsealed. The vault decrypt all of that encrypted data and the keys and the secrets and so forth.

02:15

So in involved the default settings are it's gonna take that Master key is gonna create five separate key shares.

02:23

You need three of those key shares to have what's considered a quorum in other ways. Words. To reconstruct this master key, you need to have three of the five independent key shares. So this brings with it some pros and some cons. The cons are you need five key shares.

02:44

You need at least three off the five key shares

02:46

to get the vault data decrypted. The pros are any intruder. Anything bad actor also needs to find at least three of those five key shares, so just finding one isn't going to cut it. They need to find three if they're going to decrypt all the vault data as it sits at rest.

03:06

The other good thing is you can still lose two of these key shares

03:10

and bring up the master key. So you don't have to keep all five.

03:14

You should keep all five, But things can happen. You may lose him, and you only need three of the five to bring up the vault server and recreate. So if you could imagine, you could distribute these 5 to 5 different people or store them in five different locations, making it that much more difficult for a bad actor

03:31

to obtain all five or even three of the five key shares,

03:36

and at the same time you get three of them on when it turned to start up this security, circumstances and procedures really keep it checks and balances in place. It's kind of the analogy. Is the press two buttons to launch the nuke? You need multiple people to decrypt this vault data. So what we're going to do now

03:53

is walk through the process of

03:55

generating those master keys

03:59

an unsealing, a vault ceiling, the vault and unsealing a vault again. So you get a feel for in a production environment how you would actually manage the encrypted data. So let's hop over to the terminal and run through this process with a brand new server

04:16

you'll notice in my terminal window right away. I am in the vault concepts subdirectory because they're some files in that sub directory of the repository that we're gonna reference. So it's important if you're following along that you're also in that sub directory

04:32

so that those files when you run the command, they exist in the same directory that you're running the actual commands. We're going to start the vault server. Unlike paths where we said Dash, Dev, we're gonna provide it with a configuration file

04:48

and started up,

04:50

you can see is a little different A little slower, Not quite The same output is when we were doing in the dev mode.

04:57

If I hop over to my client window on their involved status,

05:02

I'm going to get an air because I need to remember to export the environment. Variable again because, like with the dead mode, the way we've set this one up is to not use TLS

05:15

and then we're involved status again.

05:19

This time it succeeds. Fortunately, but as you could see, so seal type. Now you know what Shamir means. We've run this false as before. Talked about Shamir. Well, now you know what it is. Samir Shamir's secret sharing approach initialized is false and sealed is true. So that tells us two things wanted sealed so you couldn't get to the data.

05:38

But initialized is also false.

05:41

So the whole process of creating those five different keys which are used to generate the master key that hasn't even been done.

05:48

Let's go ahead and run that process right now. Vault operator

05:56

and mitt.

05:58

He quickly runs for us in the log over here for the server, you can see some some good stuff pre sealed, tear down, complete, just kind of giving you some insight into what the server was doing. But the shortened skinny is it created an unseal key, five of them as well as a route token. I want to save this information off to the side.

06:16

You should, too, because you're going to need this

06:18

and a little bit when we actually go through the unsealing process.

06:23

Then clear out the screen

06:26

and we've initialized it. Let's run another vault command here. Both status.

06:32

Okay, initialized is now true,

06:35

but it's still sealed. And in order to unseal of all, we have to go through the process of providing three of those unseal keys. And so far it's at zero of three progress in the unseal process. So let's start that unsealed process with another vault operator Command,

06:53

I'm gonna go with

06:55

seal

06:58

Now you're gonna take which, ever one of those five keys which ever one is your favorite. You're gonna go ahead and copy and paste that into here. I don't recommend typing it out because it's a very long qi. Each one of those keys. Here we go unsealed. Progress is now one of three. So rinse and repeat sitting in

07:16

another one off the keys that you have.

07:19

So now we have two of three keys. At this point,

07:24

the vault is still sealed.

07:27

And if we were to run vault commands other vault commands, let's say fault. Secret list.

07:35

Um,

07:39

excuse me, it's secrets. Plural.

07:42

We get an air about the secrets engines. AP I press five or three years a performing, choking token Check. The vault is sealed, so we need to get through the third unseal operation to truly and fully unseal the vault.

07:59

And there we go.

08:01

Log says. Vault is unsealed. We'll look here. The vault information. It's been initialized. Yes, and sealed his false. The unsealing process was pretty manual,

08:11

and there are many times in situations where people want that vault server to come up automatically, and they don't want to have to manually go through the three steps of unsealing and importing three of the five keys.

08:26

There is a way to configure vault that I want to make sure the highlight

08:31

and have that Master Key, not Schardt id across five different key shares

08:37

but actually stored in a cloud. Vendors Key vault

08:41

is stored in an HSM or something like that. And if you look at the documentation, it's called the Seal Stanza that's put in the configuration file. We're gonna go deeper into the server configuration files and subsequent lessons, but I want to make sure you're made a prize of this and aware of it, because it is a very popular way

09:01

off managing the key vault. Here. You can see this is the

09:05

AWS seal, a tzar key vault if you're familiar with that Google and so forth.

09:11

So in certain circumstances, this could be very beneficial because starting up a server, it's up. Once it's up, the process gets up, it's running. It's gonna automatically reach out to wherever this key vote is. It's gonna pull it in, and it's gonna use the key there as the master key to unseal your vaults Data.

09:31

The downside to this is

09:35

how much do you trust that cloud key vault that has the master key? Right? It it's kind of a trade off, and you there is no single right answer you have to make that decision is an organization. Where do you feel is the weakest link? Is it that I need to be

09:50

restarting vault servers on a frequent basis? And I really want to streamline and optimize that process?

09:56

Or am I more concerned about keeping those keys five separate keys, making it that much more difficult for a hacker to find all the keys to reassemble and create the master key. So going back to the terminal here, if we had a circumstance, for whatever reason that

10:15

we felt our vault

10:16

had been compromised and you want to seal your vault without killing the actual process is running on the server. We can run the vault seal command, but in order to do that, you need to be a very high powered account typically is the root account. And so I need to make sure that I'm authenticated using my root account. So I'm gonna run the vault log in,

10:35

and I

10:37

remember way back when we started and we performed the vault and knit operation. The initial route token was also generated and provided to us, so I'm gonna go ahead. I'm gonna paste that value in here and use that as my token. And so now you can see my token policies that route. So I am a very powerful user,

10:54

and from this point I can run the vault operator Seal Command

10:58

and now the vault is sealed.

11:01

Says it down here in the logs. If we were to perform any interactions with fault, we would notice that the vault has been field. In fact, let's just for good sake. Good measure. Let's access the Web user. You I and see what it has to say. Sure enough, the vault has been sealed. If I had and wanted to enter one of those five key shares,

11:20

I could enter this key share through the Web interface.

11:22

So everything we did in the unseal process by using the command line weaken, do through the Web interface and similarly weaken do through the rest a p I. And that wraps up our lesson on vault ceiling, an unsealing. So in this lesson, we learned about the Shamir's secret sharing, which is the basis

11:43

that vote uses to mass manage its master key.

11:46

We went through the process of unsealing our local vault instance. Then we actually sealed the instance as well. And we explored the auto unseal capabilities, which are very powerful if your circumstance allows for you to store the keys in a cloud key vault or you have a physical HSM that you can connect to