learn-vault-transit-rewrap

Supporting configuration and code for the "rewrap secrets with Transit" lab

Primary language: C#. License: Mozilla Public License 2.0 (MPL-2.0).

Vault Transit rewrap record after key rotation example

These assets are provided to perform the tasks described in the Transit secrets re-wrapping tutorial.

Demo script guide

The following files are provided as demo scripts:

  • demo_setup.sh performs Steps 1 through 3 in the guide
    • Pulls and runs the MySQL server 5.7 Docker container
    • Enables the transit secrets engine
    • Creates the my_app_key encryption key
    • Creates the rewrap_example policy
    • Generates a token to be used by the app
  • run_app.sh performs Step 4 in the guide
    • Runs the example app
    • Prints out the commands to explore the MySQL DB
  • rewrap_example.sh performs Step 5 in the guide
    • Reads the my_app_key details BEFORE the key rotation
    • Rotates the my_app_key encryption key
    • Reads the my_app_key details AFTER the key rotation
    • Prints out the command to set the min_decryption_version
  • cleanup.sh resets your environment

Demo workflow

NOTE: This lab demo requires .NET Core and Docker to run the sample app.

  1. Run demo_setup.sh

  2. Run run_app.sh

  • Open another terminal
  • Copy and paste the suggested commands to explore the user_data table in MySQL

  3. Run rewrap_example.sh a couple of times and review the key version

  4. Run run_app.sh again

  • See that the rows in the user_data table are now rewrapped with the latest encryption key version

To show the minimum key version restriction feature, repeat step 3 and then run the command suggested in the output (vault write transit/keys/my_app_key/config min_decryption_version=3). Then repeat step 4.
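Added example, not part of this repository or of the tutorial's C# app: a stand-alone Python model of the Transit behaviour the demo exercises, namely versioned vault:v<N>: ciphertexts, key rotation, rewrapping the stale user_data rows, and the refusal that min_decryption_version introduces. The cipher is a SHA-256 keystream standing in for Vault's AES-GCM so the model runs offline, and the "ciphertext" column name is an assumption.

```python
import base64
import hashlib
import os


class TransitKey:
    def __init__(self):
        self.versions = {1: os.urandom(32)}  # key version -> key material
        self.latest_version = 1
        self.min_decryption_version = 1

    def rotate(self):
        self.latest_version += 1  # transit/keys/<name>/rotate: old versions stay usable
        self.versions[self.latest_version] = os.urandom(32)

    def _xor(self, version, nonce, data):
        # SHA-256 counter-mode keystream XORed over data: a stand-in for Vault's AES-GCM.
        stream = b"".join(hashlib.sha256(self.versions[version] + nonce + i.to_bytes(4, "big")).digest()
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, plaintext):
        """transit/encrypt: always uses the latest key version."""
        v, nonce = self.latest_version, os.urandom(12)
        return f"vault:v{v}:" + base64.b64encode(nonce + self._xor(v, nonce, plaintext)).decode()

    @staticmethod
    def version_of(ciphertext):
        """Parse the 'vault:v<N>:' prefix that records which key version was used."""
        prefix, ver, _ = ciphertext.split(":", 2)
        if prefix != "vault" or ver[:1] != "v":
            raise ValueError("not a transit ciphertext")
        return int(ver[1:])

    def decrypt(self, ciphertext):
        v = self.version_of(ciphertext)
        if v < self.min_decryption_version:  # transit/decrypt refuses versions that are too old
            raise PermissionError(f"v{v} is below min_decryption_version {self.min_decryption_version}")
        raw = base64.b64decode(ciphertext.split(":", 2)[2])
        return self._xor(v, raw[:12], raw[12:])

    def rewrap(self, ciphertext):
        return self.encrypt(self.decrypt(ciphertext))  # transit/rewrap: old version -> latest


def rewrap_stale_rows(key, rows):
    """Rewrap every row whose (assumed) 'ciphertext' column predates the latest key version."""
    stale = [r for r in rows if key.version_of(r["ciphertext"]) < key.latest_version]
    for r in stale:
        r["ciphertext"] = key.rewrap(r["ciphertext"])
    return len(stale)
```

Rewrap the table before raising min_decryption_version; once the minimum is raised, ciphertext still wrapped under an older version can no longer be decrypted or rewrapped.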

Finally, run cleanup.sh to reset your environment so that you can repeat the demo as necessary.

WARNING: cleanup.sh disables the transit secrets engine, so all encryption keys will be deleted. If you are working against a shared Vault server, you might want to clean up the environment manually instead.