You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
As it currently stands, once Bao is configured to use an auto-unseal mechanism, that mechanism is the only way to unseal Bao. If the unsealing backend is unavailable, then not only can Bao not be unsealed but backups become completely useless.
"Recovery keys" are poorly named since they don't let you recover the data - they only let you perform admin-quorum tasks such as generating a new root token.
Describe the solution you'd like
Allow Bao to be unsealed with recovery keys.
Vault almost had a solution for this in hashicorp/vault#18683 but then reverted the change because it was incompatible with enterprise seal-wrap. Since Bao doesn't have that feature, perhaps this could be brought in as-is?
Describe alternatives you've considered
I currently use a homebrewed auto-unseal solution.
Hashicorp recently implemented the ability to have multiple auto-unseal sections in the configuration, but only for enterprise customers (hashicorp/vault#6046)
The text was updated successfully, but these errors were encountered:
@AdrianAbraham If you're open to implementing this, I'd be happy to review a RFC around this. However, I likely cannot work on this feature as I'm too close to the original code. :-)
I'd also be amenable to other names for the recovery keys, if we come up with some. :-)
I don't know if we can bring in the original implementation as-is; this would be a question for @naphelps and the TSC legal. Likely not, since it was authored by Scott while employed by HashiCorp and thus HCP would likely own the code. Further, we may want to go a different route on the implementation, anyways. :-)
I will say though, that I think that the problem space is much more tractable here, without Seal Wrapping of Vault Enterprise.
As you said, I'm hopeful that without seal wrapping this can move forward, whether or not Bao can use the original PR. Given that the PR was made well before the BSL came into being, I'm hoping it would be fair game, but legal stuff is way out of my depth.
Either way, I'll pass on the actual implementation side. This is is a request I tracked on the Vault side for years, so I just wanted to make sure it was brought over here too :)
Is your feature request related to a problem? Please describe.
As it currently stands, once Bao is configured to use an auto-unseal mechanism, that mechanism is the only way to unseal Bao. If the unsealing backend is unavailable, then not only can Bao not be unsealed but backups become completely useless.
"Recovery keys" are poorly named since they don't let you recover the data - they only let you perform admin-quorum tasks such as generating a new root token.
Also see hashicorp/vault#15490 for the original Vault issue.
Describe the solution you'd like
Allow Bao to be unsealed with recovery keys.
Vault almost had a solution for this in hashicorp/vault#18683 but then reverted the change because it was incompatible with enterprise seal-wrap. Since Bao doesn't have that feature, perhaps this could be brought in as-is?
Describe alternatives you've considered
I currently use a homebrewed auto-unseal solution.
Hashicorp recently implemented the ability to have multiple auto-unseal sections in the configuration, but only for enterprise customers (hashicorp/vault#6046)
The text was updated successfully, but these errors were encountered: