Auto-unseal Vault using GCP Cloud KMS
When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.
Challenge
Vault unseal operation requires a quorum of existing unseal keys split by Shamir's Secret sharing algorithm. This is done so that the "keys to the kingdom" won't fall into one person's hand. However, this process is manual and can become painful when you have many Vault clusters as there are now many different key holders with many different keys.
Solution
Vault supports opt-in automatic unsealing via cloud technologies: AliCloud KMS, AWS KMS, Azure Key Vault, Google Cloud KMS, and OCI KMS. This feature enables operators to delegate the unsealing process to trusted cloud providers to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters.
This tutorial demonstrates an example of how to use Terraform to provision an instance that can utilize an encryption key from GCP Cloud KMS to unseal Vault.
Prerequisites
This tutorial assumes the following:
- Google Cloud Platform account
- Terraform v0.15.2 or later installed and basic understanding of its usage
Step 1: Provision the cloud resources
Clone the demo assets from the hashicorp/vault-guides GitHub repository to perform the steps described in this tutorial.
This repository contains supporting content for all of the Vault learn tutorials. The content specific to this tutorial can be found within a sub-directory.
Be sure to set your working directory to where the
/operations/gcp-kms-unseal
folder is located.The working directory should contain the provided Terraform files.
The
main.tf
generates the following:- Service account with Cloud KMS IAM to be used by Compute Engine instances
- Compute Engine instance with Vault installed
- (Optional) Cloud KMS key ring and crypto key
Provide necessary GCP account information in the
terraform.tfvars.example
and save it asterraform.tfvars
. Overwrite the default variable values (variables.tf
) as needed.Example:
terraform.tfvarsIt assumes that you have a Cloud KMS key ring named, "test" and a crypto key named "vault-test". If your Cloud KMS key ring (
key_ring
) and crypto key (crypto_key
) names are different, be sure to set the correct values interraform.tfvars
.Example:
terraform.tfvarsIf you do NOT have a Cloud KMS key ring and crypto key to use, un-comment the key ring and key creation block in the main.tf file (line 77 - 81 and line 84 - 88).
main.tfTerraform will create a Cloud KMS key ring named, test in the global location, and a key named, vault-test. If you wish to customize the key and key ring names, be sure to overwrite the
key_ring
andcrypto_key
values in theterraform.tfvars
.Un-comment line 92 and comment out line 93:
main.tfPerform a
terraform init
to pull down the necessary provider resources.Perform
terraform plan
to verify your changes and the resources that will be created.If all looks good, perform a
terraform apply
to provision the resources.
Step 2: Test the auto-unseal feature
SSH into the generated compute instance.
To verify that Vault has been installed, run vault status
command.
Notice that Initialized is false
.
Note
If you received an error instead, refer to the troubleshooting section.
Run the vault operator init
command to
initialize the Vault
server.
Example output:
The initialization generates recovery keys (instead of unseal
keys) when using auto-unseal. Some of the Vault operations still require
Shamir keys. For example, to regenerate a root
token, each key holder must enter their recovery
key. Similar to unseal keys, you can specify the number of recovery keys and
the threshold using the -recovery-shares
and -recovery-threshold
flags. It
is strongly recommended to initialize Vault with
PGP.
After a successful initialization, check the Vault server status.
Notice that the Vault server is already unsealed (Sealed is false
).
In the service log, you should find a trace where GCP KMS key is being fetched to unseal the Vault server.
Restart the Vault server to ensure that Vault server gets automatically unsealed.
Verify the Vault status.
Review the Vault configuration file (/test/vault/config.hcl
).
The configuration file looks as below.
Notice the Vault configuration file defines the gcpckms
stanza which
sets the GCP Cloud KMS key ring name, crypto key name, and its location as well
as your GCP project ID.
The credentials
value is not needed. This is because the Vault server running on this Compute
Engine instance has it own service account with
Cloud KMS role.
Warning
Although the listener stanza disables TLS (tls_disable = "true"
) for this
tutorial, Vault should always be used with
TLS
in production to provide secure communication between clients and the Vault
server. It requires a certificate file and key file on each Vault host.
Step 3: Rotating the unseal key
When Vault is sealed with Shamir' keys, execute the vault operator rekey
command to generate a new set of unseal keys. With Auto-unseal enabled, you can simply rotate the Cloud KMS key used to unseal Vault. One of the benefits of using Cloud KMS is its automatic key rotation feature which eliminates the need for a manual operation.
Automatic rotation
To enable automatic rotation of a key, set the rotation schedule using the gcloud
command-line tool:
Alternatively, you can manage it through GCP Console.
- From the navigation menu, select Security > Cryptographic Keys.
- Select the key ring used for Vault Auto-unseal.
- Select the key to rotate.
- Select EDIT ROTATION PERIOD.
- Select the desired rotation period, and then click SAVE.
Manual rotation
To create a new key version and make it primary using the gcloud
command-line tool:
Using the GCP Web Console, simply select ROTATE.
To learn more about Cloud KMS key rotation, refer to its online documentation.
Step 4: Clean up
Once completed, execute the terraform destroy
commands to clean up the cloud
resources.
You can delete the Terraform state files.
Troubleshooting
If vault status
command returns an error (e.g. Error checking seal status: Get http://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: getsockopt: connection refused
), check the log.
If the log does not exist, try running the Vault server manually.
The output should describe what error has occurred. Be sure to verify that all
parameter values are set correctly in the seal
stanza of
/test/vault/config.hcl