Hashicorp Vault – Rekey or Unseal Vault


After the Hashicorp Vault service has been restarted, the password vault is in a sealed state. This means that the encryption keys are not in memory, and the encrypted database on the disk cannot be read. More on this topic can be read here: https://www.vaultproject.io/docs/concepts/seal.html

This article will discuss the process for unsealing and re-keying the vault.

To unseal the vault

Generally to unseal the vault you will need at least two unseal keys. Whoever created the vault, or last re-keyed it, set a threshold value. You have to enter X unseal keys before the vault will decrypt where X is the threshold set. I generally set a threshold of 2. Once you have gathered sufficient participants to unseal your vault, performin the following three setup task:

  1. Open terminal
  2. type: vault unseal
  3. enter unseal key

Repeat the above process until you have entered enough keys to unseal the vault.

Manually seal the vault

At some point you might find yourself in a situation where you need to manually seal the vault due a databreach or some other event. That is a simple task. If you have already authenticated against the vault server, you just need to run the following:

vault seal

Rekey the vault

It is good to ocassionaly rotate your unseal keys. Perhaps you had an engineer leave recently. Or perhaps it is parrt of your normal security routine. Before you can rekey the vault, you have to decide how many peope should have unseal keys, and what threshold of people do you want to have for unsealing the vault.

Once you have determined how many keys you want, you will start the process by running the following command where key-shares is the number of keys you want, and key-threshold is how many keys it takes to unseal the vautl, or generate a root token:

vault rekey -init -key-shares=10 -key-threshold=2

The output from the above command will include a unique ID called a nonce. This nonce is the identifier for this rekey operation. The Nonce will be displayed during the rest of the process so you can be sure that everyone is working on the same rekey operation

After you have initilzed the process, each person with a reseal key, up to the threshold, will need to do the following:

  • Run: Vault rekey
  • Enter unseal key when prompted

After threshold is met, a list of new keys will be displayed on the screen. Distribute these keys as in a secure manner to everyone who should have them. If you want to change the theshold or number of keys, you will need to run through the whole rekey operation again.

%d bloggers like this: