Introduction:
This article clarifies how an expired key version in Azure Key Vault (AKV) affects Vault's ability to unseal, and what happens to Vault afterwards.
Use Case:
A customer expires a key version in Azure Key Vault and has configured a rotation policy on the key so that new versions are rotated automatically.
We will see the following effects:
- When AKV Key version expires - Effects on Auto-Unseal
- When AKV Key version expires - Effects on Vault's functionality when "Seal-Wrapping" is enabled. [2]
- When AKV Key version expires - Effects on Vault's functionality when "Seal-Wrapping" is disabled.
- When AKV Key version expires - A new key version is rotated.
Pre-requisites:
Please follow the tutorial on how to set up Auto-Unseal using Azure Key Vault [1].
On an existing Vault that is already unsealed with Shamir keys, add the following seal stanza to the server configuration to enable the Azure Key Vault unseal method. You will still need the Shamir set of unseal keys, which are then supplied to the "vault operator unseal -migrate" command to migrate the seal.
    seal "azurekeyvault" {
      tenant_id     = "t63d9f94-0647-xxxx-xxxx-xxxxxxxxx"
      client_id     = "a29a8583-xxxx-xxxx-xxxx-xxxxxxxxx"
      client_secret = "xxxxxxxxxxxxxxxx"
      vault_name    = "learn-vault-xxxx"
      key_name      = "vault-keys-1234"
    }
1. When AKV Key version expires - Effects on Auto-Unseal
Because an expired AKV key version can still be used to decrypt, Vault is able to unseal.
(Screenshots: the expired key version in AKV, and the "vault status" output showing Vault unsealed.)
2. When AKV Key version expires - Effects on Vault's functionality when "Seal-Wrapping" is enabled (this is the default when Auto-Unseal is used).
Because an expired AKV key version can still be used to decrypt, Vault is able to unseal. However, Vault's functionality is lost, because the leader information cannot be encrypted with the expired key and written to storage. Vault becomes inoperable.
The leader information is lost because the "sealwrap: wrapping entry: key=core/leader/ad1be590-0604-be9e-16f5-91038fe98a0a" entry cannot be encrypted and written to storage with the expired key.
(Screenshot: Vault becomes inoperable.)
3. When AKV Key version expires - Effects on Vaults functionality when "Seal-Wrapping" is disabled (workaround)
- When seal wrapping is disabled, the Vault leader information is successfully upgraded and Vault works again.
- Once Vault is unsealed, data can be written and read as normal.
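As an added example (not from this page or from HashiCorp), the following Vault Enterprise server configuration combines the seal stanza above with the section 3 workaround; the storage, listener, address and credential values are assumed placeholders:

```hcl
# Added example, not the page's own configuration. All values are placeholders.
# Seal wrapping and disable_sealwrap are Vault Enterprise features (see [3]).

storage "raft" {
  path    = "/opt/vault/data"   # assumed path
  node_id = "vault-node-1"      # assumed node id
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"   # assumed
  tls_key_file  = "/opt/vault/tls/vault.key"   # assumed
}

api_addr     = "https://vault.example.internal:8200"   # assumed
cluster_addr = "https://vault.example.internal:8201"   # assumed

# Auto-unseal with Azure Key Vault: same stanza as the page, placeholder values.
# An expired key version can still DECRYPT the stored root key, so unseal works.
seal "azurekeyvault" {
  tenant_id     = "00000000-0000-0000-0000-000000000000"  # placeholder
  client_id     = "00000000-0000-0000-0000-000000000000"  # placeholder
  client_secret = "REPLACE_ME"   # placeholder; prefer the AZURE_CLIENT_SECRET env var
  vault_name    = "learn-vault-xxxx"
  key_name      = "vault-keys-1234"
}

# Default is disable_sealwrap = false. With seal wrapping on, Vault must ENCRYPT
# the core/leader entry with the current AKV key version; an expired version
# cannot encrypt, so the write fails and Vault becomes inoperable (section 2).
#
# Workaround (section 3): turn seal wrapping off so the leader entry is stored
# without the extra AKV wrap. Trade-off: seal-wrapped values lose that extra
# encryption layer, so revisit this once a new key version has been rotated
# in and picked up by Vault (section 4).
disable_sealwrap = true
```

After changing the file, restart or reload Vault and confirm with "vault status" that it unseals and becomes active.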
4. When AKV Key version expires - A new key version is rotated.
Once a new AKV key version is rotated, Vault picks up the new key information from the key metadata and starts using the latest key version.
(Screenshot: the new key version being picked up by Vault.)
References:
[1] https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-azure-keyvault
[2] https://developer.hashicorp.com/vault/docs/configuration#disable_sealwrap
[3] https://developer.hashicorp.com/vault/docs/enterprise/sealwrap#activating-seal-wrapping