Skip to content

Latest commit

 

History

History
168 lines (144 loc) · 6.41 KB

README.md

File metadata and controls

168 lines (144 loc) · 6.41 KB

Vault recovery key decrypter

This tool will decrypt your recovery keys. Commonly used when you lost them and want to recreate a root token.

Download the binary from releases

Disclaimer

This is not an official HashiCorp tool

Use it at your own risk

Usage

Usage of ./vault-recover-key:
  -enc-key string
    	Path to the encrypted recovery keys from the storage, found at core/_recovery-key (default "key.enc")
  -env string
    	Environment that hosts the KMS: gcpckms,azurekeyvault,transit,awskms (default "gcpckms")
  -shamir-shares int
    	Number of shamir shares to divide the key into (default 1)
  -shamir-threshold int
    	Threshold number of keys needed for shamir creation (default 1)
  -storageType string
        Storage type: file or dynamodb

Limitations

Currently only support GCP, Azure KMS and AWS KMS.

It needs access to the KMS service which your Vault was configured with.

Environmental variables for GCP

Example, if your KMS setup is: projects/rodrigo-support/locations/global/keyRings/name-of-keyring-goes-here/cryptoKeys/name-of-vault-unseal-key-from-keyring-goes-here/cryptoKeyVersions/1

$ export "GOOGLE_CREDENTIALS" = "service-account.json"
$ export "GOOGLE_PROJECT" = "project-id-goes-here"
$ export "GOOGLE_REGION" = "global"
$ export "GCPCKMS_WRAPPER_KEY_RING" = "name-of-keyring-goes-here"
$ export "GCPCKMS_WRAPPER_CRYPTO_KEY" = "name-of-vault-unseal-key-from-keyring-goes-here"

An important note: the relevant KMS environment variables are GCPCKMS_... not GCPKMS_.... This is a potential cause of the panic issue listed below.

Environmental variables for AZURE

If your Vault configuration is:

seal "azurekeyvault" {
  client_id      = "YOUR-APP-ID"
  client_secret  = "YOUR-APP-PASSWORD"
  tenant_id      = "YOUR-AZURE-TENANT-ID"
  vault_name     = "rodrigo-key-vault"
  key_name       = "generated-key"
}
$ export "AZURE_TENANT_ID" = "YOUR-AZURE-TENANT-ID"
$ export "AZURE_CLIENT_ID" = "YOUR-APP-ID"
$ export "AZURE_CLIENT_SECRET" = "YOUR-APP-PASSWORD"
$ export "VAULT_AZUREKEYVAULT_VAULT_NAME" = "rodrigo-key-vault"
$ export "VAULT_AZUREKEYVAULT_KEY_NAME" = "generated-key"

Environmental variables for AWS KMS

export AWS_ACCESS_KEY_ID = "YOUR_ACCESS_KEY_ID_HERE"
export AWS_SECRET_ACCESS_KEY = "YOUR_SECRET_ID_HERE"
export AWS_SESSION_TOKEN = "YOUR_SESSION_TOKEN_HERE" (this one is optional, if STS creds are used)
export AWSKMS_WRAPPER_KEY_ID = "YOUR_KMS_KEY_ID_HERE" (the KMS used in the Vault HCL config)

Encrypted recovery keys dump

From a file storage:

$ cat core/_recovery-key  | jq -r .Value | base64 -d > key.enc

From Consul

$ consul kv get -base64 vault/core/recovery-key  | base64 -d >  consul.key

Decryption

$ ./vault-recover-key -enc-key key.enc -env azurekeyvault -shamir-shares 5 -shamir-threshold 3
INFO[0000] Starting version 0.2
INFO[0000] Starting with environment azurekeyvault
INFO[0000] Setting up for azurekeyvault
DEBU[0000] blobInfo={
	"ciphertext": "sVi/u3CiFwcfiKajC0qK0+pS/St7/mReTN3mGHXN8l3TyDm/BEtGlL8ZapY+flS8",
	"iv": "09CjA+ImIFBw7yYd",
	"key_info": {
		"KeyID": "3d035268cfd34001b34d739c704ceb1f",
		"WrappedKey": "ZzRYVTNraXctLUx2ZzE2Ny1MbG9nanRvY3g5c3ZzcnBQTlNJeVdxdnFYYkJjVHR6UW14d1ZsaFBpdUVKbFliZW9qQk9UYmY5Q1hNQWpmVlAzVllsUDhtNThreW1qZl9IaFllZzAzNXdidmp3ZGZ2R1ZLV1YtSTZiOHJlVU9PdElsYTZTRmFRa3N2a0Y0cFBITGtwUVFoRG1tRVBHQ0huOXlXcUw0Q01XZWE1SDh6N2lRaGRham10cWgxRXZBS05zSWZwazVFaE9LemxWc1U1cXBQWHNhVmU5OVJiRVE1cV93aE11Y01HbzlQcU1ISGlPWmRzWGp3M25YWUc1RDNxUHRLQ3pmT2s5ZkFPUGhxNTktXzBuZm1LNVZqemtoQWpnMmNyT0F0VjVCemhNb3FNU2NhMXNXdXNpeDlId1FHVGNGTmw0SkdnRXRHb0VjMmhRUEp3MGpn"
	}
}
DEBU[0000] HEX=0X53F336750B4D68C62BCB82CA3D9689D9C4F4261C21968BBCD6803979670C29CC
INFO[0000] Recovery keys
Nemi6Ry62LDhaGqguPxYGTZpvbmueYF+8kgsv4smSXzd
wsxCRl/LixFihsxFUyZkwcuzHFNDVkgTGdghA3Y9kQWk
i7LU05v5yr5+WBD22AAvPFikKF12n24xdl4ge+n9LKKf
D5wepAo7kl9tfrQJAO5ORfCFGduW94GJWknn3sr6hOQU
oQx5/uLfVE7m3B8PhSv+aVYKYxSG0cos2EO8ZOpJwKAc

AWS KMS example:

 ./vault-recovery-key -enc-key ../key.enc -env awskms
INFO[0000] Starting version 0.2
INFO[0000] Starting with environment awskms
INFO[0000] Setting up for awskms
DEBU[0000] blobInfo={
	"ciphertext": "ESGKIwFd/uGtnCJJV86/gwE3oCz6Yx74DMVNRTjSE4U+kVL90jiNLYvPJqh7T8pK",
	"iv": "RcvcMe4xZvI15/Gb",
	"key_info": {
		"Mechanism": 1,
		"KeyID": "arn:aws:kms:us-east-1:ACCOUNT_ID_HERE:key/KMS_KEY_ID_HERE",
		"WrappedKey": "AQICAHjy4AAl3/<<<SNIP>>>GLVdp6dcF/ih+NDDnnJastg=="
	}
}
DEBU[0000] HEX=0X4124F68E<<<SNIP>>>291DE7114A89B
Recovery key
QST2jpzI44gf/mvssOsBT//FjMIFjOuxKOKR3nEUqJs=%

Troubleshooting

This page lists solutions to problems you might encounter with vault-recovery-key

Issue

Application crash during runtime when using gcpckms:

./vault-recovery-key -enc-key enc.key -env gcpckms -shamir-shares 5 -shamir-threshold 3
INFO[0000] Starting version 0.2
INFO[0000] Starting with environment gcpckms
INFO[0000] Setting up for gcpckms
DEBU[0000] blobInfo={
  "ciphertext": "rWUAXlSnzRTYlA5MxQ8Cdoz32yRD9Bk6BF00oodgukmFjUmP0tR1EhZd6IvP4KkI",
  "iv": "e1YE0TZ0Z0Yfnwdj",
  "key_info": {
  	"Mechanism": 1,
  	"KeyID": "projects/hc-5d80c603dabb4a669f42e6354a1/locations/global/keyRings/vault-keyring/cryptoKeys/vault-key/cryptoKeyVersions/1",
  	"WrappedKey": "CiQA2AIm8C9WyKu9/uUiNUYyng5nK2fKfX0ZDfR2JPupygg3P50SSAB3Uh/JATR2KCPMmXS3e6gkE3UwBXnFr3Bky06Z83lKS/7QOp4bmJXhcckML17F5MdIFyZXmrFLoi1tN44mEROYiE9TQGcUvA=="
  }
}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x56f834]

goroutine 1 [running]:
main.main()
  /home/ubuntu/vault-recovery-key/main.go:108 +0x6b4

Solution

Check the following variables and their values. Check that the service account has been granted access to the keyring and key. Ensure that you've set the proper environment variables, most notably the key ring and crypto key variables (these env variables start with GCPCKMS, not GCPKMS). Ensure that you've set the GCP project ID and not the name of the project.

$ export "GOOGLE_CREDENTIALS" = "service-account.json"
$ export "GOOGLE_PROJECT" = "project-id-goes-here"
$ export "GOOGLE_REGION" = "global"
$ export "GCPCKMS_WRAPPER_KEY_RING" = "name-of-keyring-goes-here"
$ export "GCPCKMS_WRAPPER_CRYPTO_KEY" = "name-of-vault-unseal-key-from-keyring-goes-here"

Additional information

Tested and verified to work against Vault 1.8.1 and 1.9.3 using gcpckms Auto-Unseal.