When a rekey is initialized using PGP keys, Vault will generate the unseal keys (or recovery keys), then immediately encrypt them using the given users' public PGP keys. This value is then decrypted by the owner of the corresponding private key to reveal the plain-text unseal key (or recovery key).
However, the length of the plain-text keys can vary based on a few factors.
Providing a Single PGP Key
When the rekey is initiated with a single PGP key as follows:
vault operator rekey init -key-shares=1 -key-threshold=1\
The resulting decrypted final key is 64 characters.
Providing Multiple PGP Keys
When the rekey is initiated with multiple PGP keys as follows:
vault operator rekey init -key-shares=3 -key-threshold=2\
The resulting decrypted final key is 66 characters.
Tools used for Encoding and Decoding
Depending on which tool is used to encode or decode the keys, extra characters can be added to them. For example, the encode64 method in Ruby complies with RFC 2045, so a line feed is added after every 60 encoded characters.
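The following Ruby snippet is an added example, not part of the original article or of Vault. It shows the line feeds that encode64 inserts for keys of the two lengths above and a way to recover and validate the key afterwards. The sample keys are constructed values, and the helper names (encoded_lengths, recover_key, strict_decode_ok?) are hypothetical.

```ruby
require "base64"

# Constructed sample values, not real Vault keys: 64 and 66 hex characters,
# the two plain-text lengths reported on this page.
SINGLE_KEY = "ab" * 32
SHARED_KEY = "cd" * 33

# Output lengths of Ruby's two Base64 encoders for the same input.
# encode64 follows RFC 2045 and wraps lines; strict_encode64 does not.
def encoded_lengths(key)
  {
    wrapped: Base64.encode64(key).length,
    strict: Base64.strict_encode64(key).length
  }
end

# Hypothetical helper: recover a key from Base64 text that may carry line
# feeds, then check it against the lengths documented above.
def recover_key(encoded)
  key = Base64.decode64(encoded).strip # decode64 skips embedded line feeds
  unless key.match?(/\A\h+\z/) && [64, 66].include?(key.length)
    raise ArgumentError, "unexpected key format (#{key.length} characters)"
  end
  key
end

# strict_decode64 rejects the line feeds that encode64 inserted, which is
# how a wrapped key can fail in a tool that expects unwrapped Base64.
def strict_decode_ok?(encoded)
  Base64.strict_decode64(encoded)
  true
rescue ArgumentError
  false
end
```

A length mismatch between the encoded forms of the same key (90 versus 88 characters here) points to line wrapping by the encoding tool rather than to a different key.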