Overview
Vault can load a passphrase-protected private key from tls_key_file in the listener stanza. This article covers how that behaves depending on the key's encryption format (PKCS#1 versus PKCS#8) and the related best practices.
Summary:
Vault supports private keys in the legacy-encrypted PKCS#1 PEM form (header -----BEGIN RSA PRIVATE KEY----- together with Proc-Type: 4,ENCRYPTED and DEK-Info headers) and prompts for the passphrase at startup, but it cannot load encrypted PKCS#8 keys (header -----BEGIN ENCRYPTED PRIVATE KEY-----); those must be converted first.
Details:
Use case 1 : PKCS#1 private keys
When an encrypted private key is used, the Vault process needs the key's passphrase at startup to decrypt it. Note that this legacy PEM encryption (the Proc-Type/DEK-Info scheme from RFC 1423) does not authenticate the ciphertext and is weak by today's standards; treat it as protection against casual disclosure of the key file, not as a replacement for strict file permissions on it.
For an interactive start, type the passphrase when prompted. Example snippet:
/usr/local/bin/vault server -config=/home/ec2-user/vault/vault-config.hcl
WARNING: Request Limiter configuration is no longer supported; overriding server configuration to disable
Enter passphrase for /home/ec2-user/certs/shell.key:
==> Vault server configuration:
Administrative Namespace:
Api Address: https://my-vault.com
Cgo: disabled
Cluster Address: https://54.67.32.87:8201
When Vault runs as a systemd service there is no terminal to answer the prompt, so point standard input at a file containing the passphrase with a StandardInput= parameter in the service file (the file: form requires systemd 236 or later). Keep that file readable only by the Vault service user, since it is now what protects the key on disk:
cat /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault"
Documentation="https://developer.hashicorp.com/vault/docs"
ConditionFileNotEmpty="/home/ec2-user/vault/vault-config.hcl"

[Service]
User=ec2-user
Group=ec2-user
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/home/ec2-user/vault/vault-config.hcl
# Feeds the tls_key_file passphrase to the startup prompt; restrict this file to the Vault user.
StandardInput=file:/home/ec2-user/certs/passphrase1.txt
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Environment=AZURE_SDK_GO_LOGGING=all

[Install]
WantedBy=multi-user.target
Use case 2 : PKCS#8 private keys
An encrypted PKCS#8 key (the -----BEGIN ENCRYPTED PRIVATE KEY----- form) cannot be used directly, even when the passphrase is available. The limitation is in Go's standard crypto/x509 library, which Vault relies on: it has no parser for encrypted PKCS#8 (EncryptedPrivateKeyInfo) structures, only for the legacy-encrypted PKCS#1 PEM form.
How to decrypt (OpenSSL prompts for the current passphrase and writes the key unencrypted; OpenSSL 1.1 emits -----BEGIN RSA PRIVATE KEY-----, OpenSSL 3 emits -----BEGIN PRIVATE KEY-----, and Vault loads either):
openssl rsa -in encrypted.key -out unencrypted.key
The output file now holds the key in the clear, so restrict it to the Vault user (for example mode 0400) before referencing it from tls_key_file.
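The behaviour behind both use cases can be reproduced with the Go standard library alone. The following program is an added example written for this article; it is not Vault's own TLS loader. It generates an RSA key, writes it in the legacy-encrypted PKCS#1 form (use case 1) and in unencrypted PKCS#8 form (what the openssl step above yields on OpenSSL 3), and feeds each to a small loader that makes the same decision crypto/x509 forces on Vault: legacy PKCS#1 is decrypted with the passphrase, plain keys parse directly, and a -----BEGIN ENCRYPTED PRIVATE KEY----- block is refused because the standard library has no decoder for it. The passphrase and the encrypted-PKCS#8 stand-in (real header, placeholder body) are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// ErrEncryptedPKCS8 is returned for "ENCRYPTED PRIVATE KEY" blocks: Go's
// crypto/x509 has no parser for PKCS#8 EncryptedPrivateKeyInfo, so no
// passphrase can unlock such a key with the standard library alone.
var ErrEncryptedPKCS8 = errors.New("encrypted PKCS#8 key (BEGIN ENCRYPTED PRIVATE KEY) is not supported by crypto/x509")

// loadPrivateKey decides from the PEM header what a Go TLS loader can do:
// legacy-encrypted PKCS#1 is decrypted with the passphrase, plain PKCS#1 and
// PKCS#8 parse directly, and encrypted PKCS#8 is rejected up front.
func loadPrivateKey(pemBytes, passphrase []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "ENCRYPTED PRIVATE KEY":
		return nil, ErrEncryptedPKCS8
	case "RSA PRIVATE KEY":
		der := block.Bytes
		// Legacy encryption is signalled by the "Proc-Type: 4,ENCRYPTED" and
		// "DEK-Info" PEM headers (RFC 1423); DecryptPEMBlock handles that scheme.
		if x509.IsEncryptedPEMBlock(block) {
			var err error
			if der, err = x509.DecryptPEMBlock(block, passphrase); err != nil {
				return nil, fmt.Errorf("decrypting PKCS#1 key: %w", err)
			}
		}
		return x509.ParsePKCS1PrivateKey(der)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("unsupported key type %T", key)
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unexpected PEM type %q", block.Type)
	}
}

// encryptedPKCS1PEM writes the key in the legacy-encrypted PKCS#1 form of
// use case 1: "BEGIN RSA PRIVATE KEY" plus Proc-Type/DEK-Info headers.
func encryptedPKCS1PEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), passphrase, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// plainPKCS8PEM writes the unencrypted PKCS#8 form ("BEGIN PRIVATE KEY").
func plainPKCS8PEM(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// constructedEncryptedPKCS8PEM is a stand-in for an encrypted PKCS#8 file:
// the header is real, the body is placeholder bytes constructed for this
// example (not a real EncryptedPrivateKeyInfo). The loader rejects it on the
// header alone, which is exactly the limitation the article describes.
func constructedEncryptedPKCS8PEM() []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type:  "ENCRYPTED PRIVATE KEY",
		Bytes: []byte("placeholder, not a real encrypted key"),
	})
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	pass := []byte("example-passphrase") // constructed for this example
	enc, _ := encryptedPKCS1PEM(key, pass)
	plain, _ := plainPKCS8PEM(key)
	_, err = loadPrivateKey(enc, pass)
	fmt.Println("encrypted PKCS#1, right passphrase:", err)
	_, err = loadPrivateKey(enc, []byte("wrong"))
	fmt.Println("encrypted PKCS#1, wrong passphrase:", err)
	_, err = loadPrivateKey(plain, nil)
	fmt.Println("unencrypted PKCS#8:", err)
	_, err = loadPrivateKey(constructedEncryptedPKCS8PEM(), pass)
	fmt.Println("encrypted PKCS#8:", err)
}
```

The first and third cases load, the second fails with an incorrect-passphrase error, and the fourth fails before any cryptography runs. If the key must stay encrypted at rest rather than be decrypted as above, OpenSSL can re-encrypt it into the legacy PKCS#1 form instead (openssl rsa with a cipher option such as -aes256; on OpenSSL 3 add -traditional, since its default output is PKCS#8), which is the form the loader's second case accepts.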