Introduction
Vault Enterprise features a mechanism to wrap values with an extra layer of encryption for supporting seals. This adds an extra layer of protection and is useful in some compliance and regulatory environments, including FIPS 140-2 environments.
Vault secrets mounts (aka engines) may also take advantage of seal wrapping. Seal wrapping can be activated when enabling a mount with the seal_wrap configuration value set to true. (This value cannot currently be changed later.)
Example of enabling a KV-v2 Secrets mount with Seal Wrap enabled:
vault secrets enable -seal-wrap kv-v2
To ascertain what mounts have Seal Wrap enabled, issue the following command:
vault secrets list -detailed
In the resultant output, observe the value of true or false under the Seal Wrap heading.
Prerequisites
Seal Wrap is a Vault Enterprise feature. This feature is available in Vault Enterprise Plus and Vault Enterprise Premium.
To check if the license currently loaded on Vault includes the Seal Wrap Vault Enterprise feature, use the following command to query the license:
vault read /sys/license/status -format=json
In the resultant output, the following feature needs to be present:
"Seal Wrapping"
The Vault binary installed needs to be Enterprise+HSM.
Challenge
At the time of writing this article, AWS CloudHSM imposes a limitation of 16KB on the HMAC operation used during data encryption.
Example reproduction of encountering this limitation:
- Vault 1.14.3_ENT+HSM
- AWS CloudHSM cluster
- cloudhsm-pkcs11_latest_u22.04_amd64.deb client
- KV-v2 secrets mount with seal-wrap enabled
Generate 18KB of data (example command):
data=$(python3 -c "import random; import string; print(''.join(random.choice(string.ascii_letters + string.digits + string.punctuation) for _ in range(18432)))")
Writing the data to KV:
$ vault kv put kv-v2/secret password=$data
Error writing data to kv-v2/data/secret: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/kv-v2/data/secret
Code: 500. Errors:
* 1 error occurred:
* error during hmac operation: pkcs11: 0x21: CKR_DATA_LEN_RANGE
Note the hmac operation referenced in the error above.
The trace level PKCS11 logs (HSM) show the following:
vault[24476]: 2023-11-17T13:08:09.331Z [TRACE] sealwrap: wrapping entry: key=logical/41f37fdc-0cd5-322f-c3b7-7117c7f1c68a/38f92544-0c3a-0adb-b7c8-9c360eccd049/versions/1dc/bcaa4a799e1f0f0d462d827661aa0fba9b58c2b5baeb210bd5c8f7dccc592
vault[24476]: 2023-11-17T13:08:09.389Z ERROR [24476] ThreadId(1) [cloudhsm_provider::hsm1::session::common] Data length 21872 for operation is larger than expected 16288
vault[24476]: 2023-11-17T13:08:09.390Z ERROR [24476] ThreadId(3) [cloudhsm_pkcs11::sign::hmac] The input data to a cryptographic operation has a bad length.
vault[24476]: 2023-11-17T13:08:09.390Z ERROR [24476] ThreadId(3) [cloudhsm_pkcs11::sign::C_Sign] C_Sign failed, returning 0x00000021
Workaround
In reference to the AWS CloudHSM Supported Mechanisms documentation (linked under Additional Resources), the noteworthy point of this article is to use the RSA_PKCS_OAEP (0x0009) mechanism, which has no data length limit, instead of the default HMAC / AES_CBC (0x1082) or AES_CBC_PAD (0x1085) mechanisms.
In Vault it is possible to specifically configure the PKCS11 mechanism to type RSA.
Example PKCS#11 seal stanza in the Vault configuration file setting the mechanism parameter:
seal "pkcs11" {
  lib            = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"
  slot           = "1"
  pin            = "vault:Passwordxxxxx"
  key_label      = "hsm_demo"
  hmac_key_label = "hsm_hmac_demo"
  generate_key   = "true"
  mechanism      = "0x0009"
}
You can check which mechanism is being used by Vault by checking the Vault operational log, at [TRACE] level, at Vault startup:
2023-11-28T14:22:14.056Z [TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x9 name=rsa-oaep
Once the mechanism parameter has been configured and implemented as per the above example, the 16KB limitation imposed when using HMAC no longer applies.
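As an added example (not part of the original article or of Vault itself), the following Python helper ties the two checks above together: it parses the startup [TRACE] line for the selected PKCS#11 mechanism and the JSON output of vault secrets list -format=json for mounts with seal_wrap set, then reports whether those mounts are exposed to the CloudHSM 16KB HMAC limit. The sample log lines and mount listing are constructed; the decision is made on the hex mechanism code, not on the name Vault prints.

```python
import json
import re

# Mechanisms named on this page: the CBC-based ones depend on the HSM HMAC
# operation that AWS CloudHSM caps at 16KB; RSA_PKCS_OAEP has no such limit.
HMAC_LIMITED_MECHANISMS = {0x1082: "AES_CBC", 0x1085: "AES_CBC_PAD"}
UNLIMITED_MECHANISMS = {0x0009: "RSA_PKCS_OAEP"}

# Matches the startup TRACE line Vault emits for the selected PKCS#11 mechanism.
MECHANISM_RE = re.compile(
    r"seal\.pkcs11: pkcs11 mechanism selected: mechanism=(0x[0-9a-fA-F]+) name=(\S+)"
)

# Constructed samples: the first line is the one shown on this page; the second is
# an illustrative line for a CBC-based mechanism (the printed name is assumed).
LOG_RSA_OAEP = "2023-11-28T14:22:14.056Z [TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x9 name=rsa-oaep"
LOG_AES_CBC_PAD = "2023-11-28T14:22:14.056Z [TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad"

# Constructed excerpt of `vault secrets list -format=json` (only relevant fields kept).
MOUNTS_JSON = json.dumps({
    "kv-v2/": {"type": "kv", "options": {"version": "2"}, "seal_wrap": True},
    "secret/": {"type": "kv", "options": {"version": "2"}, "seal_wrap": False},
    "cubbyhole/": {"type": "cubbyhole", "seal_wrap": False},
})


def selected_mechanism(log_text):
    """Return (mechanism_code, name) from the Vault operational log, or None if absent."""
    m = MECHANISM_RE.search(log_text)
    if not m:
        return None
    return int(m.group(1), 16), m.group(2)


def seal_wrapped_mounts(secrets_list_json):
    """Return the mount paths whose seal_wrap flag is true."""
    mounts = json.loads(secrets_list_json)
    return sorted(path for path, info in mounts.items() if info.get("seal_wrap") is True)


def assess(log_text, secrets_list_json):
    """Report the active mechanism and whether seal-wrapped mounts hit the 16KB HMAC limit."""
    mech = selected_mechanism(log_text)
    wrapped = seal_wrapped_mounts(secrets_list_json)
    if mech is None:
        return {"mechanism": None, "hmac_limited": None, "seal_wrapped_mounts": wrapped}
    code, _name = mech
    label = HMAC_LIMITED_MECHANISMS.get(code) or UNLIMITED_MECHANISMS.get(code) or hex(code)
    return {"mechanism": label, "hmac_limited": code in HMAC_LIMITED_MECHANISMS,
            "seal_wrapped_mounts": wrapped}


if __name__ == "__main__":
    print(assess(LOG_AES_CBC_PAD, MOUNTS_JSON))
    print(assess(LOG_RSA_OAEP, MOUNTS_JSON))
```

Run it against the real startup log and the real vault secrets list -format=json output to see which seal-wrapped mounts would reject values larger than 16KB before the mechanism is switched.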
Additional Resources
- AWS Documentation: Known issues for the PKCS #11 library
- AWS Documentation: PKCS #11 Library - Supported mechanisms
- Vault Documentation: PKCS #11 Mechanism (seal stanza)
- Vault Documentation: Seal Wrap
- Vault Tutorial: HSM integration - seal wrap