Allow "recovery keys" to unseal a Vault configured for auto-unseal #299

Open
AdrianAbraham opened this issue Apr 17, 2024 · 2 comments

@AdrianAbraham

Is your feature request related to a problem? Please describe.
As it currently stands, once Bao is configured to use an auto-unseal mechanism, that mechanism is the only way to unseal Bao. If the unsealing backend is unavailable, then not only can Bao not be unsealed but backups become completely useless.

"Recovery keys" are poorly named since they don't let you recover the data - they only let you perform admin-quorum tasks such as generating a new root token.

Also see hashicorp/vault#15490 for the original Vault issue.

Describe the solution you'd like
Allow Bao to be unsealed with recovery keys.

Vault almost had a solution for this in hashicorp/vault#18683 but then reverted the change because it was incompatible with enterprise seal-wrap. Since Bao doesn't have that feature, perhaps this could be brought in as-is?

Describe alternatives you've considered
I currently use a homebrewed auto-unseal solution.

HashiCorp recently implemented the ability to have multiple auto-unseal sections in the configuration, but only for enterprise customers (hashicorp/vault#6046).

@cipherboy
Contributor

@AdrianAbraham If you're open to implementing this, I'd be happy to review an RFC around this. However, I likely cannot work on this feature as I'm too close to the original code. :-)

I'd also be amenable to other names for the recovery keys, if we come up with some. :-)

I don't know if we can bring in the original implementation as-is; this would be a question for @naphelps and the TSC legal. Likely not, since it was authored by Scott while employed by HashiCorp and thus HCP would likely own the code. Further, we may want to go a different route on the implementation, anyways. :-)

I will say though, that I think that the problem space is much more tractable here, without Seal Wrapping of Vault Enterprise.

@AdrianAbraham
Author

As you said, I'm hopeful that without seal wrapping this can move forward, whether or not Bao can use the original PR. Given that the PR was made well before the BSL came into being, I'm hoping it would be fair game, but legal stuff is way out of my depth.

Either way, I'll pass on the actual implementation side. This is a request I tracked on the Vault side for years, so I just wanted to make sure it was brought over here too :)
