Service Assurance/Management: November 2020

$ cat create_transit_secrets_payload.json
{
        "type": "aes128-gcm96",
        "convergent_encryption": true,
        "derived": true,
        "exportable": true,
        "allow_plaintext_backup": true
}

$ vault write transit/keys/orders @create_transit_secrets_payload.json
Success! Data written to: transit/keys/orders
$

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/keys/orders | jq -r
{
"request_id": "edc0df98-95a4-463a-e6eb-25ad4cadebc8",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "allow_plaintext_backup": true,
    "convergent_encryption": true,
    "convergent_encryption_version": -1,
    "deletion_allowed": false,
    "derived": true,
    "exportable": true,
    "kdf": "hkdf_sha256",
    "keys": {
      "1": 1605112467
    },
    "latest_version": 1,
    "min_available_version": 0,
    "min_decryption_version": 1,
    "min_encryption_version": 0,
    "name": "orders",
    "supports_decryption": true,
    "supports_derivation": true,
    "supports_encryption": true,
    "supports_signing": false,
    "type": "aes256-gcm96"
},
"wrap_info": null,
"warnings": null,
"auth": null
}

$ curl --header "X-Vault-Token: root" --request LIST http://127.0.0.1:8200/v1/transit/keys | jq -r{
"request_id": "2cc35698-5da9-6f02-ea11-13682e04346b",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "keys": [
      "orders"
    ]
},
"wrap_info": null,
"warnings": null,
"auth": null
}

# -- create another key name called payments.
$ curl --header "X-Vault-Token: root" --request POST --data @create-named-key-payload.json http://127.0.0.1:8200/v1/transit/keys/payments

$ curl --header "X-Vault-Token: root" --request LIST http://127.0.0.1:8200/v1/transit/keys | jq -r
{
"request_id": "a85727cb-0f91-9d42-3e12-1e6d78261b1f",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "keys": [
      "orders",
      "payments"
    ]
},
"wrap_info": null,
"warnings": null,
"auth": null
}

$ curl --header "X-Vault-Token: root" --request DELETE http://127.0.0.1:8200/v1/transit/keys/payments | jq -r

{
"errors": [
"error deleting policy payments: deletion is not allowed for this key"
]
}

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders | jq -r
{
"request_id": "90038666-54e9-c805-0490-1e04197cdb39",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "keys": {
      "1": "g1ldyMgMewn655RpWUjV7rbbfLu6ZXAMc0efU2r7k6Y="
    },
    "name": "orders",
    "type": "aes256-gcm96"
},
"wrap_info": null,
"warnings": null,
"auth": null
}

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders/1 | jq -r
{
"request_id": "8be6c9e3-1f55-3684-d02b-5a739791c540",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "keys": {
      "1": "g1ldyMgMewn655RpWUjV7rbbfLu6ZXAMc0efU2r7k6Y="
    },
    "name": "orders",
    "type": "aes256-gcm96"
},
"wrap_info": null,
"warnings": null,
"auth": null
}

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders/2 | jq -r
{
"errors": [
"version does not exist or cannot be found"
]
}

# -- rotate the key, want to see two keys for orders.
$ curl --header "X-Vault-Token: root" --request POST http://127.0.0.1:8200/v1/transit/keys/orders/rotate | jq -r
% Total    % Received % Xferd Average Speed   Time    Time     Time Current
                                 Dload Upload   Total   Spent    Left Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders | jq -r
{
"request_id": "56b149c9-7ab0-5482-0e0e-73662a389c41",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "keys": {
      "1": "g1ldyMgMewn655RpWUjV7rbbfLu6ZXAMc0efU2r7k6Y=",
      "2": "7nd4jACin+ji0SJ2qTPcd8KovmI3FsFgxVi1+RK+f2k="
    },
    "name": "orders",
    "type": "aes256-gcm96"
},
"wrap_info": null,
"warnings": null,
"auth": null
}

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders/2 | jq -r
{
"request_id": "97ed6070-c693-fd04-6395-2746b6ed2013",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
    "keys": {
      "2": "7nd4jACin+ji0SJ2qTPcd8KovmI3FsFgxVi1+RK+f2k="
    },
    "name": "orders",
    "type": "aes256-gcm96"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
$

## -- fetch the keys

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders | jq -r '.data.keys'

{
"1": "GYPfzE+HTBxa5YCvVsr3jQ==",
"2": "AErMLLRvnne0MGi1joTmGA=="
}

## -- below we will encrypt the text, have to pass a context parameter for convergent encryption. You will see the encrypted string is the same for every transaction.

$ vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") context=$(base64 <<< "cc-field") | jq -r ".data.ciphertext" > cipher.txt
$ cat cipher.txt
vault:v2:KDdEwZcgYbLfHfJ101pT5nozygwlrvhfSy+mvsZWEkX3RcEO9OnXI4mDxEbxPjs=

$ vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") context=$(base64 <<< "cc-field") | jq -r ".data.ciphertext" > cipher.txt.1
$ cat cipher.txt.1vault:v2:KDdEwZcgYbLfHfJ101pT5nozygwlrvhfSy+mvsZWEkX3RcEO9OnXI4mDxEbxPjs=
$

$ vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") context=$(base64 <<< "cc-field-2") | jq -r ".data.ciphertext" > cipher.txt.2
$ cat cipher.txt.2
vault:v2:4PgP9YEqB23kR4UpzRbq/M7k6fWTZwXzFH9xcopSdejM5JeVByXoUmbgxJpaiWA=
$

## -- Decrypt

$ vault write -format=json transit/decrypt/orders ciphertext=$(cat cipher.txt) context=$(base64 <<< "cc-field") | jq -r ".data.plaintext"
Y3JlZGl0LWNhcmQtbnVtYmVyCg==

$ base64 -d <<< Y3JlZGl0LWNhcmQtbnVtYmVyCg==
credit-card-number
$

$ vault write -format=json transit/decrypt/orders ciphertext=$(cat cipher.txt.1) context=$(base64 <<< "cc-field") | jq -r ".data.plaintext"
Y3JlZGl0LWNhcmQtbnVtYmVyCg==

## -- what happens if wrong context is sent.. it fails

$ vault write -format=json transit/decrypt/orders ciphertext=$(cat cipher.txt.2) context=$(base64 <<< "cc-field") | jq -r ".data.plaintext"
Error writing data to transit/decrypt/orders: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/transit/decrypt/orders
Code: 400. Errors:

* invalid ciphertext: unable to decrypt
$

## -- export or backup the key

$ vault read transit/backup/orders -format=json
{
"request_id": "49cf6800-8488-a925-b897-8800b9e5410c",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"backup": "eyJwb2xpY3kiOnsibmFtZSI6Im9yZGVycyIsImtleXMiOnsiMSI6eyJrZXkiOiJHWVBmekUrSFRCeGE1WUN2VnNyM2pRPT0iLCJobWFjX2tleSI6IkI3andqdWpkMXdxRiswK3h5MVRWbUpLYUdQTUR5c0pyQkRYK00weFIveU09IiwidGltZSI6IjIwMjAtMTEtMTFUMTg6MjM6MDcuMTAwMzA4NTY3WiIsImVjX3giOm51bGwsImVjX3kiOm51bGwsImVjX2QiOm51bGwsInJzYV9rZXkiOm51bGwsInB1YmxpY19rZXkiOiIiLCJjb252ZXJnZW50X3ZlcnNpb24iOjMsImNyZWF0aW9uX3RpbWUiOjE2MDUxMTg5ODd9LCIyIjp7ImtleSI6IkFFck1MTFJ2bm5lME1HaTFqb1RtR0E9PSIsImhtYWNfa2V5IjoiWjFBYTZ3VktBaUVFZmFjQ2YwVEZkc1czUTZsckFIaDRwVThaMm1yMFNKMD0iLCJ0aW1lIjoiMjAyMC0xMS0xMVQxODozMTozMy4xNjY3MjMwNDhaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNvbnZlcmdlbnRfdmVyc2lvbiI6MywiY3JlYXRpb25fdGltZSI6MTYwNTExOTQ5M319LCJkZXJpdmVkIjp0cnVlLCJrZGYiOjEsImNvbnZlcmdlbnRfZW5jcnlwdGlvbiI6dHJ1ZSwiZXhwb3J0YWJsZSI6dHJ1ZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjIsImFyY2hpdmVfdmVyc2lvbiI6MiwiYXJjaGl2ZV9taW5fdmVyc2lvbiI6MCwibWluX2F2YWlsYWJsZV92ZXJzaW9uIjowLCJkZWxldGlvbl9hbGxvd2VkIjpmYWxzZSwiY29udmVyZ2VudF92ZXJzaW9uIjotMSwidHlwZSI6OCwiYmFja3VwX2luZm8iOnsidGltZSI6IjIwMjAtMTEtMTFUMTg6NTQ6MDIuODA4MzU5Njc5WiIsInZlcnNpb24iOjJ9LCJyZXN0b3JlX2luZm8iOm51bGwsImFsbG93X3BsYWludGV4dF9iYWNrdXAiOnRydWUsInZlcnNpb25fdGVtcGxhdGUiOiIiLCJzdG9yYWdlX3ByZWZpeCI6IiJ9LCJhcmNoaXZlZF9rZXlzIjp7ImtleXMiOlt7ImtleSI6bnVsbCwiaG1hY19rZXkiOm51bGwsInRpbWUiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiIsImVjX3giOm51bGwsImVjX3kiOm51bGwsImVjX2QiOm51bGwsInJzYV9rZXkiOm51bGwsInB1YmxpY19rZXkiOiIiLCJjb252ZXJnZW50X3ZlcnNpb24iOjAsImNyZWF0aW9uX3RpbWUiOjB9LHsia2V5IjoiR1lQZnpFK0hUQnhhNVlDdlZzcjNqUT09IiwiaG1hY19rZXkiOiJCN2p3anVqZDF3cUYrMCt4eTFUVm1KS2FHUE1EeXNKckJEWCtNMHhSL3lNPSIsInRpbWUiOiIyMDIwLTExLTExVDE4OjIzOjA3LjEwMDMwODU2N1oiLCJlY194IjpudWxsLCJlY195IjpudWxsLCJlY19kIjpudWxsLCJyc2Ffa2V5IjpudWxsLCJwdWJsaWNfa2V5IjoiIiwiY29udmVyZ2VudF92ZXJzaW9uIjozLCJjcmVhdGlvbl90aW1lIjoxNjA1MTE4OTg3fSx7ImtleSI6IkFFck1MTFJ2bm5lME1HaTFqb1RtR0E9PSIsImhtYWNfa2V5IjoiWjFBYTZ3VktBaUVFZmFjQ2YwVEZkc1czUTZsckFIaDRwVThaMm1yMFNKMD0iLCJ0aW1lIjoiMjAyMC0xMS0xMVQxODozMTozMy4xNjY3MjMwNDhaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNvbnZlcmdlbnRfdmVyc2lvbiI6MywiY3JlYXRpb25fdGltZSI6MTYwNTExOTQ5M31dfX0K"
},
"warnings": null
}

Service Assurance/Management

Wednesday, November 11, 2020

Convergent Encryption using Transit Secrets Engine.