I would like to explore using gpg keys to encrypt the keys but the documentation is fairly vague on how to do this.
Hi,
Take a look at the output of vault init -h -- I think this will give you the information you need!
My exploration has uncovered how to do this. Documenting for others. This may not be secure; use at your own risk.
Export the generated pubkey for use on the vault server.
Use gpg -K to list the keys:
sec 4096R/1659DFAB 2015-10-08 [expires: 2016-10-07]
uid John Doe (Vault Signing Key) [email protected]
ssb 4096R/7C55979E 2015-10-08
gpg --export 4096R/1659DFAB > JohnDoeVaultPubKey.out
Copy the JohnDoeVaultPubKey.out file to the vault server.
Once you have a few keys you are ready to initialize the vault. My next example is insecure because we are using a single key share. Please follow the documentation and use 3 or more. Also, I had started my vault server without https enabled; in a production server you will want https.
[root@vault-dev files]# VAULT_ADDR=http://localhost:8200 vault init -key-shares=1 -key-threshold=1 -pgp-keys /tmp/JohnDoeVaultPubKey.out
Key 1: c1c14c03538a08cea61cebed01100006b38f89b531e74086f47a9e63251f4b9375990d0bf034373c3ae2769e1601282c48b56b1a7db5948b41644b2e8a438f22e498eea5b90a63b5e93231e8b2ef87ca607819bd0df
...
c29465e13c863d8d541e41c32e02fe4ac11b5719a4bb6dc5404c3b62b757affe25128d33fe19fa800
Initial Root Token: 0f70cd41-5982-a8cf-637a-93de48a2c40c
Send Key 1 back to the first user to decrypt so that it can be used to unseal the vault or seal it if necessary.
echo c1c14..... | xxd -r -p > vault.gpg
gpg -d vault.gpg # you will need the pass phrase from creating the gpg key
Assuming you did everything right, you should have one of your unseal keys:
f440229dd758fac734d9cbbca0404d3d2942f245f0927f84a33ef11372945305
VAULT_ADDR=http://localhost:8200 vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
Glad you got it sorted!
I still think this should be documented, at least in a tips/tricks page, for others who may not be total security experts.
:+1: this would be super helpful to include in the docs
This won't be included as it's too specific to one person's methodology and needs. You can feel free to ask questions on the mailing list if you're stuck, though!
@jefferai not sure if this is a bug but I can't seem to get base64 pub keys to work:
* invalid seal configuration: Error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB set
If I export my pub key as binary, everything works as expected.
Using Vault 0.4.1.
-pgp-keys If provided, must be a comma-separated list of
files on disk containing binary- or base64-format
public PGP keys. The number of files must match
'key-shares'. The output unseal keys will encrypted
and hex-encoded, in order, with the given public keys.
If you want to use them with the 'vault unseal'
command, you will need to hex decode and decrypt;
this will be the plaintext unseal key.
@chiefy what was your procedure? Did you take the binary file and run it through b64?
@jefferai no, I used the gpg CLI to export: gpg --export -a mykey. My bad, should've been gpg --export mykey | base64. I'm such a n00b.
I don't think that's a supported format, but I can take a look. It should work fine if you b64 encode the binary file. That support was put in because some people already had b64 versions and didn't want to convert to binary to then have it go back to b64 to go across the wire. It might have changed with the recent keybase support so it may also work in master right now.
@chiefy I took a quick look and I was right; although the value exported by -a in gpg is b64 encoded, it's not a straight encoding of the key; it's a PEM-ish format that is an ASCII armored keychain file. I can put in some logic to handle these.
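The three encodings discussed in this thread side by side, as an added example that is not Vault's own code: a small OpenPGP packet-header parser that reproduces the "tag byte does not have MSB set" condition, a classifier that tells a binary export from a straight base64 one and from the ASCII-armored output of gpg --export -a, and a dearmor step that recovers the binary packets from the armored form. The sample key bytes are constructed, not a real key, and the CRC line in the constructed armor is a placeholder that is not verified.

```python
import base64

TAG_PKESK, TAG_PUBLIC_KEY = 1, 6  # RFC 4880 packet tags: encrypted session key, public key

def parse_packet_header(data):
    """(tag, body length) of the first OpenPGP packet; accepts old- and new-format headers."""
    if not data or not data[0] & 0x80:  # the check behind Vault's "tag byte does not have MSB set"
        raise ValueError("tag byte does not have MSB set")
    if data[0] & 0x40:  # new format: tag in the low 6 bits, then a 1-, 2- or 5-octet length
        tag, l1 = data[0] & 0x3F, data[1]
        if l1 < 224:
            return tag, l1 if l1 < 192 else ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            return tag, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not handled")
    ltype = data[0] & 0x03  # old format: length types 0/1/2 use 1/2/4 octets
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    return (data[0] >> 2) & 0x0F, int.from_bytes(data[1:1 + (1 << ltype)], "big")

def dearmor(text):
    """Binary packets from ASCII armor (gpg --export -a): drop the BEGIN line, armor headers and =CRC line."""
    lines = iter(text.decode().splitlines())
    if not any(l.startswith("-----BEGIN PGP") for l in lines):  # consumes through the BEGIN line
        raise ValueError("no armor header")
    next((l for l in lines if l.strip() == ""), None)  # skip "Version:"-style headers up to the blank line
    body = []
    for line in lines:
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))

def classify_pgp_key(data):
    """Encoding of a -pgp-keys file: 'binary' and 'base64' worked in Vault 0.4.1, 'armored' did not."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return "armored"
    for form in ("binary", "base64"):
        try:
            raw = data if form == "binary" else base64.b64decode(b"".join(data.split()), validate=True)
            if parse_packet_header(raw)[0] == TAG_PUBLIC_KEY:
                return form
        except (ValueError, IndexError):  # binascii.Error (bad base64) is a ValueError subclass
            pass
    return "unknown"

# Constructed sample, not a real key: old-format public-key packet (0x99, 2-octet length) with a dummy body.
SAMPLE_BINARY = b"\x99" + (21).to_bytes(2, "big") + b"\x04" + b"\x00" * 20
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
                  + base64.b64encode(SAMPLE_BINARY) + b"\n=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Running parse_packet_header over the hex-decoded Key 1 from the vault init output above yields tag 1 (a public-key encrypted session key packet), which is why the hex decode followed by gpg -d is the right path to the plaintext unseal key.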
@chiefy ah, didn't see your comment, but we can easily support this anyways. The code already exists for Keybase, so I've filed the new issue to track porting it over.
@jefferai :+1: thanks!
@chiefy Support is in master. I wrote unit tests and did some manual testing, but if you don't mind testing it in your environment as well that would be great.
PGP usage should really be in the docs. It's an incredibly useful feature.
@chiefy Thanks for sharing your post. Very helpful.
@OWSM here's a blog post I wrote based on this thread