You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bugs should be filed for issues encountered whilst operating bank-vaults.
You should first attempt to resolve your issues through the community support
channels, e.g. Slack, in order to rule out individual configuration errors.
Please provide as much detail as possible.
Describe the bug:
As an engineer, I want to make sure vault installation is secure.
when autounseal stanza is present, vault-root and vault-recovery keys are available as plaintext for any user that have access to s3 bucket. As well as for users without access to KMS.
Turns out, it is possible to configure both kmsid and s3sse options, which will lead to vault-* objects not encrypted.
If I remove s3sse option from config, vault-* objects are uploaded encrypted.
Expected behavior:
It is expected to vault-root, vault-recover-xx be encrypted KMS cipher texts when KMS key is specified. Or throw error when both kmsid and s3sse options are provided. I'm not sure what s3sse option supposed to do. I've expected it enables S3 sse.
Steps to reproduce the bug:
Create vault with awskms autounseal. Try to download vault-root from autounseal s3 bucket
Additional context:
Add any other context about the problem here.
Environment details:
Kubernetes version : v1.21
Cloud-provider/provisioner: EKS
bank-vaults version: : 1.15.3
Install method (e.g. helm or static manifests): terraform + helm for operator, terraform k8s manifest for vault crd
Logs from the misbehaving component (and any other relevant logs): n/a
Resource definition (possibly in YAML format) that caused the issue, without sensitive data:
The text was updated successfully, but these errors were encountered:
maratsh
changed the title
vault-root and vault-recovery keys are available as plaintext when using unseal feature
docs issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config
Jul 22, 2022
maratsh
changed the title
docs issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config
config security issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config
Jul 22, 2022
Describe the bug:
As an engineer, I want to make sure vault installation is secure.
when autounseal stanza is present, vault-root and vault-recovery keys are available as plaintext for any user that have access to s3 bucket. As well as for users without access to KMS.
Turns out, it is possible to configure both kmsid and s3sse options, which will lead to
vault-*
objects not encrypted.If I remove s3sse option from config,
vault-*
objects are uploaded encrypted.Expected behavior:
It is expected to vault-root, vault-recover-xx be encrypted KMS cipher texts when KMS key is specified. Or throw error when both kmsid and s3sse options are provided. I'm not sure what s3sse option supposed to do. I've expected it enables S3 sse.
Steps to reproduce the bug:
Create vault with awskms autounseal. Try to download vault-root from autounseal s3 bucket
Additional context:
Add any other context about the problem here.
Environment details:
/kind bug
The text was updated successfully, but these errors were encountered: