2022-03-29

Clarifying Vault key decryption process

I'm trying to understand Vault workflow w.r.t. keys, e.g.: https://www.vaultproject.io/docs/concepts/seal


As I understand,

  • unseal (shared) keys are provided on init
  • they're used to acquire the combined key
  • combined key is then used to decrypt a root (master) key (which is apparently stored in the sealed vault)
  • root key is then used to decrypt the data encryption key (or a keyring which contains it?..)
  • the data encryption key is then used to en/decrypt the data in Vault

I get the unseal keys on init, how can I inspect the other keys? Is it impossible / are those keys just stored somewhere internally in Vault?

Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

Is the data encryption key / keyring also decrypted during the unseal, or is it... maybe decrypted on each Vault operation (so only the root key is stored somewhere in plaintext after the unseal)?

Is it ok that the root key is stored in plaintext after the unseal? Or is it still protected by passwords/tokens?.. Or if it's just transiently used to decrypt the data encryption key / keyring, then how are those protected? I guess it has something to do with the lock icon on the image :)

I'm somewhat confused about how it all works.
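The key chain the question lists (unseal shares, combined key, root key, keyring with the data encryption key, data) can be modelled end to end in a few dozen lines. The following is an added example, not Vault's own code and not taken from the linked docs: it is a hypothetical, simplified model in which the "keyring" is just one DEK, Shamir sharing is done byte-wise over GF(2^8), and each layer is wrapped with AES-256-GCM so that reconstructing the combined key from too few shares fails loudly at the root-key unwrap instead of yielding garbage. The names `Split`, `Combine`, `Init`, `Unseal`, `wrap` and `unwrap` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical model of the hierarchy (not Vault's implementation):
// unseal shares -> combined key -> root key -> keyring (here: one DEK) -> data.

// gfMul multiplies in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for b != 0 {
		if b&1 == 1 {
			p ^= a
		}
		hi := a & 0x80
		a <<= 1
		if hi != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^254, the inverse of a (a^255 = 1 for every non-zero a); gfInv(0) is 0.
func gfInv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

// Share is one unseal key share: a non-zero x coordinate plus one y byte per secret byte.
type Share struct {
	X byte
	Y []byte
}

// Split produces n shares of secret, any k of which reconstruct it (Shamir, byte-wise).
func Split(secret []byte, n, k int) ([]Share, error) {
	if k < 2 || n < k || n > 255 { return nil, errors.New("need 2 <= k <= n <= 255") }
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k-1) // random c1..c_{k-1}; the constant term is the secret byte
	for bi, s := range secret {
		if _, err := rand.Read(coef); err != nil { return nil, err }
		for _, sh := range shares { // Horner evaluation of f(x) = s + c1*x + ... + c_{k-1}*x^{k-1}
			y := byte(0)
			for j := len(coef) - 1; j >= 0; j-- {
				y = gfMul(y, sh.X) ^ coef[j]
			}
			sh.Y[bi] = gfMul(y, sh.X) ^ s
		}
	}
	return shares, nil
}

// Combine interpolates f(0). With fewer than k shares it returns a wrong value without
// noticing; the authenticated wrapping of the root key is what turns that into an error.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 { return nil, errors.New("no shares") }
	seen := map[byte]bool{}
	for _, s := range shares {
		if s.X == 0 || seen[s.X] || len(s.Y) != len(shares[0].Y) {
			return nil, errors.New("duplicate, zero or mismatched share")
		}
		seen[s.X] = true
	}
	secret := make([]byte, len(shares[0].Y))
	for bi := range secret {
		for i, si := range shares {
			basis := byte(1) // Lagrange basis L_i(0) = prod_{j!=i} x_j/(x_j - x_i); "-" is XOR here
			for j, sj := range shares {
				if i != j { basis = gfMul(basis, gfMul(sj.X, gfInv(sj.X^si.X))) }
			}
			secret[bi] ^= gfMul(si.Y[bi], basis)
		}
	}
	return secret, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// wrap encrypts pt under key with AES-GCM; the random nonce is prefixed to the output.
func wrap(key, pt []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}

// unwrap reverses wrap; the GCM tag check fails on a wrong (e.g. under-threshold) key.
func unwrap(key, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(blob) < g.NonceSize() { return nil, errors.New("bad key or blob") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// SealedStorage is everything that rests in the storage backend: wrapped keys and ciphertext only.
type SealedStorage struct {
	WrappedRootKey []byte // root key encrypted under the combined key
	WrappedKeyring []byte // keyring (here just the DEK) encrypted under the root key
	Ciphertext     []byte // data encrypted under the DEK
}

// Init models initialisation: generate the three keys, split the combined key, wrap each layer.
func Init(data []byte, n, k int) ([]Share, *SealedStorage, error) {
	combined, root, dek := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	for _, key := range [][]byte{combined, root, dek} {
		if _, err := rand.Read(key); err != nil { return nil, nil, err }
	}
	shares, err := Split(combined, n, k)
	if err != nil { return nil, nil, err }
	wRoot, err := wrap(combined, root)
	if err != nil { return nil, nil, err }
	wRing, err := wrap(root, dek)
	if err != nil { return nil, nil, err }
	ct, err := wrap(dek, data)
	if err != nil { return nil, nil, err }
	return shares, &SealedStorage{wRoot, wRing, ct}, nil
}

// Unseal rebuilds the combined key from the supplied shares and walks the chain down to the DEK;
// only the unwrapped keys live in process memory afterwards, storage stays encrypted.
func Unseal(st *SealedStorage, shares []Share) ([]byte, error) {
	combined, err := Combine(shares)
	if err != nil { return nil, err }
	root, err := unwrap(combined, st.WrappedRootKey)
	if err != nil { return nil, fmt.Errorf("unseal failed (wrong or too few shares): %w", err) }
	return unwrap(root, st.WrappedKeyring)
}

func main() {
	shares, st, _ := Init([]byte("constructed sample secret"), 5, 3) // constructed input
	dek, err := Unseal(st, shares[:3])
	if err != nil { panic(err) }
	pt, _ := unwrap(dek, st.Ciphertext)
	fmt.Printf("unsealed with 3 of 5 shares: %q\n", pt)
	_, err = Unseal(st, shares[:2])
	fmt.Println("with 2 shares:", err)
}
```

Running it unseals with any three of the five shares and fails the root-key unwrap with two, which is the practical answer to "how can I inspect the other keys": only the wrapped forms ever touch storage, and the plaintext root key and DEK exist only in the unsealed process's memory.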
