After the Hashicorp Vault service has been restarted, the password vault is in a sealed state. This means that the encryption keys are not in memory, and the encrypted database on the disk cannot be read. More on this topic can be read here: https://www.vaultproject.io/docs/concepts/seal.html
This article will discuss the process for unsealing and re-keying the vault.
To unseal the vault
Generally to unseal the vault you will need at least two unseal keys. Whoever created the vault, or last re-keyed it, set a threshold value. You have to enter X unseal keys before the vault will decrypt where X is the threshold set. I generally set a threshold of 2. Once you have gathered sufficient participants to unseal your vault, performing the following three setup task:
- Open terminal
- type: vault unseal
- enter unseal key
Repeat the above process until you have entered enough keys to unseal the vault.
Manually seal the vault
At some point, you might find yourself in a situation where you need to manually seal the vault due to a data breach or some other event. That is a simple task. If you have already authenticated against the vault server, you just need to run the following:
Rekey the vault
It is good to occasionally rotate your unseal keys. Perhaps you had an engineer leave recently. Or perhaps it is part of your normal security routine. Before you can rekey the vault, you have to decide how many people should have unseal keys, and what threshold of people do you want to have for unsealing the vault.
Once you have determined how many keys you want, you will start the process by running the following command where key-shares is the number of keys you want, and key-threshold is how many keys it takes to unseal the vault or generate a root token:
vault rekey -init -key-shares=10 -key-threshold=2
The output from the above command will include a unique ID called a nonce. This nonce is the identifier for this rekey operation. The Nonce will be displayed during the rest of the process so you can be sure that everyone is working on the same rekey operation
After you have initialized the process, each person with a reseal key, up to the threshold, will need to do the following:
- Run: Vault rekey
- Enter unseal key when prompted
After the threshold is met, a list of new keys will be displayed on the screen. Distribute these keys as in a secure manner to everyone who should have them. If you want to change the threshold or number of keys, you will need to run through the whole rekey operation again.