Generate same HMAC encoding with Vault transit secret engine using BYOK HMAC key type

Avatar
Owen Zhang
  • Updated

 

Generating identical HMAC encodings is a fundamental requirement for ensuring the security, integrity, and authenticity of data and messages in cryptographic applications.  Vault 1.11 introduce the feature of importing externally-generated or a existing Vault internal keys into transit secrets engine managed encryption key. This enabled Vault able to create same HMAC encoding with 2 separated transit keys. Here are the steps on how to achieve this:

$ vault secrets enable transit

$ vault read -field=public_key transit/wrapping_key > wrapping_public_key

###create a key, set type to hmac and key_size to your desired value
$ vault write -f transit/keys/test-source exportable=true type=hmac key_size=512

$ vault write transit/keys/wrapper/import public_key="$(cat wrapping_public_key)" type=rsa-4096

$ vault read transit/byok-export/wrapper/test-source > byok.out
  •  Get the newly created HMAC key test-source value j1b1VDIPTiPAKCB8..., later this value will be used on importing HMAC key test-source into the new HMAC key named test 
$ vault read transit/export/hmac-key/test-source
Key     Value
---     -----
keys    map[1:j1b1VDIPTiPAKCB8dOqMaIzkjCHBTKdxhix/I9kvsY1G0VcdRck2p7f7ilsbkoNyjhWt8sHOFthsQkcjTCE2Pqs1F1gHwYbJJ5L4hDOdlm42K7WnBmxIkfHvSg9+j1PA5kVY8cBA/5+QSTPWloKwPCCf71pSPEwg0BZzYgROh/Uu9wUn+jWxw+F+lbA8MH9jmsEvijcg6Krfw9Vr9Siqyq8/LSLaU95ntWLXG7k9R/eX8Fidloc8Ixsibuyi8j8Xu5Il1asq7l9Y5tqavmh/MBqEEEMN4rF1XpuL75J1z4tN92Ld3sCLs2VKfbELdN4L21sFqjRgn9LfsqIaxGYqhbK0w+Am9T2gZFuIad+tioUu2N1H7gMpeQg2myxdX4KwiI5H+97t0Kco5PPhakWWu1VG3GRBae0SJSLwetP1J3MYLm285D2EISTe+15GvU1kopgkCIM5wj6X/q9eCTb0rh4fkaaZZzv84eeebEUL+hwQQDGhjiTSj1X6ZXH1UlzD1genPstDwgSwca8MsL4BHoKlUhDNtscWAC6I+MqTX58irSqIfzXv+5JKC3OXafpXQE6mQC9qwpNASucJ48rXmP4AbW0JO14r36VwLiy3hmprh9qAGYXHL/ivPHImRRbBLCVX4Q0NK1uOmBkKc7EbtdTjk6X50taLUH1Ul3MR8nY=]
name    test-source
type    hmac
  •  For simplicity, there is a Go based tool called transit-byok for purpose of fetching the wrapping key, generating an ephemeral key, wrapping the source key with the ephemeral key, encrypting the ephemeral key with the wrapping key, and finally calling the import or import_version transit endpoints. transit/keys/test will be new key and its type need to be hmac 
$ ./transit-byok import transit/keys/test j1b1VDIPTiPAKCB8dOqMaIzkjCHBTKdxhix/I9kvsY1G0VcdRck2p7f7ilsbkoNyjhWt8sHOFthsQkcjTCE2Pqs1F1gHwYbJJ5L4hDOdlm42K7WnBmxIkfHvSg9+j1PA5kVY8cBA/5+QSTPWloKwPCCf71pSPEwg0BZzYgROh/Uu9wUn+jWxw+F+lbA8MH9jmsEvijcg6Krfw9Vr9Siqyq8/LSLaU95ntWLXG7k9R/eX8Fidloc8Ixsibuyi8j8Xu5Il1asq7l9Y5tqavmh/MBqEEEMN4rF1XpuL75J1z4tN92Ld3sCLs2VKfbELdN4L21sFqjRgn9LfsqIaxGYqhbK0w+Am9T2gZFuIad+tioUu2N1H7gMpeQg2myxdX4KwiI5H+97t0Kco5PPhakWWu1VG3GRBae0SJSLwetP1J3MYLm285D2EISTe+15GvU1kopgkCIM5wj6X/q9eCTb0rh4fkaaZZzv84eeebEUL+hwQQDGhjiTSj1X6ZXH1UlzD1genPstDwgSwca8MsL4BHoKlUhDNtscWAC6I+MqTX58irSqIfzXv+5JKC3OXafpXQE6mQC9qwpNASucJ48rXmP4AbW0JO14r36VwLiy3hmprh9qAGYXHL/ivPHImRRbBLCVX4Q0NK1uOmBkKc7EbtdTjk6X50taLUH1Ul3MR8nY= \ 
type="hmac"  \
exportable="true"

Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
  •  Validate the import result on key test value is same as test-source 
$ vault read transit/export/hmac-key/test
Key     Value
---     -----
keys    map[1:j1b1VDIPTiPAKCB8dOqMaIzkjCHBTKdxhix/I9kvsY1G0VcdRck2p7f7ilsbkoNyjhWt8sHOFthsQkcjTCE2Pqs1F1gHwYbJJ5L4hDOdlm42K7WnBmxIkfHvSg9+j1PA5kVY8cBA/5+QSTPWloKwPCCf71pSPEwg0BZzYgROh/Uu9wUn+jWxw+F+lbA8MH9jmsEvijcg6Krfw9Vr9Siqyq8/LSLaU95ntWLXG7k9R/eX8Fidloc8Ixsibuyi8j8Xu5Il1asq7l9Y5tqavmh/MBqEEEMN4rF1XpuL75J1z4tN92Ld3sCLs2VKfbELdN4L21sFqjRgn9LfsqIaxGYqhbK0w+Am9T2gZFuIad+tioUu2N1H7gMpeQg2myxdX4KwiI5H+97t0Kco5PPhakWWu1VG3GRBae0SJSLwetP1J3MYLm285D2EISTe+15GvU1kopgkCIM5wj6X/q9eCTb0rh4fkaaZZzv84eeebEUL+hwQQDGhjiTSj1X6ZXH1UlzD1genPstDwgSwca8MsL4BHoKlUhDNtscWAC6I+MqTX58irSqIfzXv+5JKC3OXafpXQE6mQC9qwpNASucJ48rXmP4AbW0JO14r36VwLiy3hmprh9qAGYXHL/ivPHImRRbBLCVX4Q0NK1uOmBkKc7EbtdTjk6X50taLUH1Ul3MR8nY=]
name    test
type    hmac
  •  Validate the final HMAC encoding results of two HMAC transit keys on the same plaintext. 
$ vault write -f transit/hmac/test-source input="$(echo "abc12345" | base64)"
Key     Value
---     -----
hmac    vault:v1:2x2Rn/CDJu7Nh2EP30haxyAXefdVFd/qpb9Z7EnNuAo=

$ vault write -f transit/hmac/test input="$(echo "abc12345" | base64)"
Key     Value
---     -----
hmac    vault:v1:2x2Rn/CDJu7Nh2EP30haxyAXefdVFd/qpb9Z7EnNuAo=

 

Reference:

Vault 1.11 Release Note

Transit secrets engine (API)

Vault Transit Bring your own key (BYOK)

transit-byok

 

Articles in this section

See more

Related articles