OSS portion of wrapper-v2 (#16811)

* OSS portion of wrapper-v2

* Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter

* Rename the OveriddenType to WrapperType and use it for the barrier type prefetch

* Fix unit test

command/agent.go

@@ -593,7 +593,7 @@ func (c *AgentCommand) Run(args []string) int {
 					c.UI.Warn(fmt.Sprintf("Failed to close persistent cache file after getting retrieval token: %s", err))
 				}
 
-				km, err := keymanager.NewPassthroughKeyManager(token)
+				km, err := keymanager.NewPassthroughKeyManager(ctx, token)
 				if err != nil {
 					c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
 					return 1
@@ -657,7 +657,7 @@ func (c *AgentCommand) Run(args []string) int {
 					}
 				}
 			} else {
-				km, err := keymanager.NewPassthroughKeyManager(nil)
+				km, err := keymanager.NewPassthroughKeyManager(ctx, nil)
 				if err != nil {
 					c.UI.Error(fmt.Sprintf("failed to configure persistence encryption for cache: %s", err))
 					return 1
@@ -675,7 +675,7 @@ func (c *AgentCommand) Run(args []string) int {
 				cacheLogger.Info("configured persistent storage", "path", config.Cache.Persist.Path)
 
 				// Stash the key material in bolt
-				token, err := km.RetrievalToken()
+				token, err := km.RetrievalToken(ctx)
 				if err != nil {
 					c.UI.Error(fmt.Sprintf("Error getting persistent key: %s", err))
 					return 1

command/agent/cache/cacheboltdb/bolt.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/golang/protobuf/proto"
 	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-multierror"
 	bolt "go.etcd.io/bbolt"
 )
@@ -228,7 +228,7 @@ func autoIncrementedLeaseKey(tx *bolt.Tx, id string) ([]byte, error) {
 
 // Set an index (token or lease) in bolt storage
 func (b *BoltStorage) Set(ctx context.Context, id string, plaintext []byte, indexType string) error {
-	blob, err := b.wrapper.Encrypt(ctx, plaintext, []byte(b.aad))
+	blob, err := b.wrapper.Encrypt(ctx, plaintext, wrapping.WithAad([]byte(b.aad)))
 	if err != nil {
 		return fmt.Errorf("error encrypting %s index: %w", indexType, err)
 	}
@@ -296,12 +296,12 @@ func (b *BoltStorage) Delete(id string, indexType string) error {
 }
 
 func (b *BoltStorage) decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) {
-	var blob wrapping.EncryptedBlobInfo
+	var blob wrapping.BlobInfo
 	if err := proto.Unmarshal(ciphertext, &blob); err != nil {
 		return nil, err
 	}
 
-	return b.wrapper.Decrypt(ctx, &blob, []byte(b.aad))
+	return b.wrapper.Decrypt(ctx, &blob, wrapping.WithAad([]byte(b.aad)))
 }
 
 // GetByType returns a list of stored items of the specified type

command/agent/cache/cacheboltdb/bolt_test.go

@@ -22,7 +22,7 @@ import (
 func getTestKeyManager(t *testing.T) keymanager.KeyManager {
 	t.Helper()
 
-	km, err := keymanager.NewPassthroughKeyManager(nil)
+	km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
 	require.NoError(t, err)
 
 	return km
@@ -286,7 +286,7 @@ func TestBolt_MigrateFromV1ToV2Schema(t *testing.T) {
 
 	// Manually insert some items into the v1 schema.
 	err = db.Update(func(tx *bolt.Tx) error {
-		blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"), []byte(""))
+		blob, err := b.wrapper.Encrypt(ctx, []byte("ignored-contents"))
 		if err != nil {
 			return fmt.Errorf("error encrypting contents: %w", err)
 		}

command/agent/cache/keymanager/manager.go

@@ -1,6 +1,10 @@
 package keymanager
 
-import wrapping "github.com/hashicorp/go-kms-wrapping"
+import (
+	"context"
+
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+)
 
 const (
 	KeyID = "root"
@@ -12,5 +16,5 @@ type KeyManager interface {
 	// RetrievalToken is the material returned which can be used to source back the
 	// encryption key. Depending on the implementation, the token can be the
 	// encryption key itself or a token/identifier used to exchange the token.
-	RetrievalToken() ([]byte, error)
+	RetrievalToken(ctx context.Context) ([]byte, error)
 }

command/agent/cache/keymanager/passthrough.go

@@ -1,11 +1,12 @@
 package keymanager
 
 import (
+	"context"
 	"crypto/rand"
 	"fmt"
 
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 )
 
 var _ KeyManager = (*PassthroughKeyManager)(nil)
@@ -17,7 +18,7 @@ type PassthroughKeyManager struct {
 // NewPassthroughKeyManager returns a new instance of the Kube encryption key.
 // If a key is provided, it will be used as the encryption key for the wrapper,
 // otherwise one will be generated.
-func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
+func NewPassthroughKeyManager(ctx context.Context, key []byte) (*PassthroughKeyManager, error) {
 	var rootKey []byte = nil
 	switch len(key) {
 	case 0:
@@ -33,13 +34,13 @@ func NewPassthroughKeyManager(key []byte) (*PassthroughKeyManager, error) {
 		return nil, fmt.Errorf("invalid key size, should be 32, got %d", len(key))
 	}
 
-	wrapper := aead.NewWrapper(nil)
+	wrapper := aead.NewWrapper()
 
-	if _, err := wrapper.SetConfig(map[string]string{"key_id": KeyID}); err != nil {
+	if _, err := wrapper.SetConfig(ctx, wrapping.WithConfigMap(map[string]string{"key_id": KeyID})); err != nil {
 		return nil, err
 	}
 
-	if err := wrapper.SetAESGCMKeyBytes(rootKey); err != nil {
+	if err := wrapper.SetAesGcmKeyBytes(rootKey); err != nil {
 		return nil, err
 	}
 
@@ -58,10 +59,10 @@ func (w *PassthroughKeyManager) Wrapper() wrapping.Wrapper {
 // RetrievalToken returns the key that was used on the wrapper since this key
 // manager is simply a passthrough and does not provide a mechanism to abstract
 // this key.
-func (w *PassthroughKeyManager) RetrievalToken() ([]byte, error) {
+func (w *PassthroughKeyManager) RetrievalToken(ctx context.Context) ([]byte, error) {
 	if w.wrapper == nil {
 		return nil, fmt.Errorf("unable to get wrapper for token retrieval")
 	}
 
-	return w.wrapper.GetKeyBytes(), nil
+	return w.wrapper.KeyBytes(ctx)
 }

command/agent/cache/keymanager/passthrough_test.go

@@ -2,6 +2,7 @@ package keymanager
 
 import (
 	"bytes"
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -30,9 +31,10 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
 		},
 	}
 
+	ctx := context.Background()
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			m, err := NewPassthroughKeyManager(tc.key)
+			m, err := NewPassthroughKeyManager(ctx, tc.key)
 			if tc.wantErr {
 				require.Error(t, err)
 				return
@@ -43,7 +45,7 @@ func TestKeyManager_PassthrougKeyManager(t *testing.T) {
 				t.Fatalf("expected non-nil wrapper from the key manager")
 			}
 
-			token, err := m.RetrievalToken()
+			token, err := m.RetrievalToken(ctx)
 			if err != nil {
 				t.Fatalf("unable to retrieve token: %s", err)
 			}

command/agent/cache/lease_cache_test.go

@@ -699,7 +699,7 @@ func TestLeaseCache_Concurrent_Cacheable(t *testing.T) {
 func setupBoltStorage(t *testing.T) (tempCacheDir string, boltStorage *cacheboltdb.BoltStorage) {
 	t.Helper()
 
-	km, err := keymanager.NewPassthroughKeyManager(nil)
+	km, err := keymanager.NewPassthroughKeyManager(context.Background(), nil)
 	require.NoError(t, err)
 
 	tempCacheDir, err = ioutil.TempDir("", "agent-cache-test")

command/operator_diagnose.go

@@ -13,7 +13,7 @@ import (
 
 	"golang.org/x/term"
 
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/hashicorp/consul/api"
@@ -455,7 +455,7 @@ func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error
 			}
 			// Ensure that the seal finalizer is called, even if using verify-only
 			defer func(seal *vault.Seal) {
-				sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType())
+				sealType := diagnose.CapitalizeFirstLetter((*seal).BarrierType().String())
 				finalizeSealContext, finalizeSealSpan := diagnose.StartSpan(ctx, "Finalize "+sealType+" Seal")
 				err = (*seal).Finalize(finalizeSealContext)
 				if err != nil {
@@ -675,7 +675,7 @@ SEALFAIL:
 		if barrierSeal == nil {
 			return fmt.Errorf("Diagnose could not create a barrier seal object.")
 		}
-		if barrierSeal.BarrierType() == wrapping.Shamir {
+		if barrierSeal.BarrierType() == wrapping.WrapperTypeShamir {
 			diagnose.Skipped(ctx, "Skipping barrier encryption test. Only supported for auto-unseal.")
 			return nil
 		}

command/server.go

@@ -24,8 +24,8 @@ import (
 	systemd "github.com/coreos/go-systemd/daemon"
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-secure-stdlib/gatedwriter"
 	"github.com/hashicorp/go-secure-stdlib/mlock"
@@ -556,7 +556,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 	var wrapper wrapping.Wrapper
 
 	if len(config.Seals) == 0 {
-		config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
+		config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
 	}
 
 	if len(config.Seals) > 1 {
@@ -565,7 +565,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 	}
 
 	configSeal := config.Seals[0]
-	sealType := wrapping.Shamir
+	sealType := wrapping.WrapperTypeShamir.String()
 	if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
 		sealType = os.Getenv("VAULT_SEAL_TYPE")
 		configSeal.Type = sealType
@@ -578,9 +578,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 
 	var seal vault.Seal
 	defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
-		Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+		Wrapper: aeadwrapper.NewShamirWrapper(),
-			Logger: c.logger.Named("shamir"),
-		}),
 	})
 	sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
 	wrapper, sealConfigError = configutil.ConfigureWrapper(configSeal, &infoKeys, &info, sealLogger)
@@ -594,9 +592,12 @@ func (c *ServerCommand) runRecoveryMode() int {
 	if wrapper == nil {
 		seal = defaultSeal
 	} else {
-		seal = vault.NewAutoSeal(&vaultseal.Access{
+		seal, err = vault.NewAutoSeal(&vaultseal.Access{
 			Wrapper: wrapper,
 		})
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("error creating auto seal: %v", err))
+		}
 	}
 	barrierSeal = seal
 
@@ -2350,24 +2351,28 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 	var wrapper wrapping.Wrapper
 	var barrierWrapper wrapping.Wrapper
 	if c.flagDevAutoSeal {
-		barrierSeal = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
+		var err error
+		barrierSeal, err = vault.NewAutoSeal(vaultseal.NewTestSeal(nil))
+		if err != nil {
+			return nil, nil, nil, nil, nil, err
+		}
 		return barrierSeal, nil, nil, nil, nil, nil
 	}
 
 	// Handle the case where no seal is provided
 	switch len(config.Seals) {
 	case 0:
-		config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
+		config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
 	case 1:
 		// If there's only one seal and it's disabled assume they want to
 		// migrate to a shamir seal and simply didn't provide it
 		if config.Seals[0].Disabled {
-			config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.Shamir})
+			config.Seals = append(config.Seals, &configutil.KMS{Type: wrapping.WrapperTypeShamir.String()})
 		}
 	}
 	var createdSeals []vault.Seal = make([]vault.Seal, len(config.Seals))
 	for _, configSeal := range config.Seals {
-		sealType := wrapping.Shamir
+		sealType := wrapping.WrapperTypeShamir.String()
 		if !configSeal.Disabled && os.Getenv("VAULT_SEAL_TYPE") != "" {
 			sealType = os.Getenv("VAULT_SEAL_TYPE")
 			configSeal.Type = sealType
@@ -2379,9 +2384,7 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 		sealLogger := c.logger.ResetNamed(fmt.Sprintf("seal.%s", sealType))
 		c.allLoggers = append(c.allLoggers, sealLogger)
 		defaultSeal := vault.NewDefaultSeal(&vaultseal.Access{
-			Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+			Wrapper: aeadwrapper.NewShamirWrapper(),
-				Logger: c.logger.Named("shamir"),
-			}),
 		})
 		var sealInfoKeys []string
 		sealInfoMap := map[string]string{}
@@ -2395,9 +2398,13 @@ func setSeal(c *ServerCommand, config *server.Config, infoKeys []string, info ma
 		if wrapper == nil {
 			seal = defaultSeal
 		} else {
-			seal = vault.NewAutoSeal(&vaultseal.Access{
+			var err error
+			seal, err = vault.NewAutoSeal(&vaultseal.Access{
 				Wrapper: wrapper,
 			})
+			if err != nil {
+				return nil, nil, nil, nil, nil, err
+			}
 		}
 		infoPrefix := ""
 		if configSeal.Disabled {

command/server/server_seal_transit_acc_test.go

@@ -26,7 +26,7 @@ func TestTransitWrapper_Lifecycle(t *testing.T) {
 		"key_name":   config.keyName,
 	}
 
-	kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
+	kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
 	if err != nil {
 		t.Fatalf("error setting wrapper config: %v", err)
 	}
@@ -72,7 +72,7 @@ func TestTransitSeal_TokenRenewal(t *testing.T) {
 		"mount_path": config.mountPath,
 		"key_name":   config.keyName,
 	}
-	kms, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
+	kms, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
 	if err != nil {
 		t.Fatalf("error setting wrapper config: %v", err)
 	}

go.mod

@@ -25,13 +25,13 @@ require (
 	github.com/SAP/go-hdb v0.14.1
 	github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
 	github.com/aerospike/aerospike-client-go/v5 v5.6.0
-	github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f
+	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499
 	github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5
 	github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
 	github.com/armon/go-metrics v0.4.0
 	github.com/armon/go-radix v1.0.0
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
-	github.com/aws/aws-sdk-go v1.43.4
+	github.com/aws/aws-sdk-go v1.43.8
 	github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
 	github.com/cenkalti/backoff/v3 v3.2.2
 	github.com/chrismalek/oktasdk-go v0.0.0-20181212195951-3430665dfaa0
@@ -66,7 +66,15 @@ require (
 	github.com/hashicorp/go-discover v0.0.0-20210818145131-c573d69da192
 	github.com/hashicorp/go-gcp-common v0.8.0
 	github.com/hashicorp/go-hclog v1.2.2
-	github.com/hashicorp/go-kms-wrapping v0.7.0
+	github.com/hashicorp/go-kms-wrapping v0.7.1
+	github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d
+	github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4
+	github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1
+	github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0
+	github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1
+	github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0
+	github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0
+	github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1
 	github.com/hashicorp/go-memdb v1.3.3
 	github.com/hashicorp/go-msgpack v1.1.5
 	github.com/hashicorp/go-multierror v1.1.1
@@ -203,7 +211,7 @@ require (
 	cloud.google.com/go/kms v1.4.0 // indirect
 	code.cloudfoundry.org/gofileutils v0.0.0-20170111115228-4d0c80011a0f // indirect
 	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
-	github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v62.0.0+incompatible // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
@@ -341,6 +349,7 @@ require (
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opencontainers/runc v1.0.2 // indirect
 	github.com/openlyinc/pointy v1.1.2 // indirect
+	github.com/oracle/oci-go-sdk/v60 v60.0.0 // indirect
 	github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
 	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
@@ -356,6 +365,7 @@ require (
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/snowflakedb/gosnowflake v1.6.3 // indirect
 	github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
+	github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.4.0 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
@@ -387,7 +397,7 @@ require (
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
 	gopkg.in/resty.v1 v1.12.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -75,8 +75,8 @@ github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9mo
 github.com/Azure/azure-sdk-for-go v36.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v44.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v58.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v61.4.0+incompatible h1:BF2Pm3aQWIa6q9KmxyF1JYKYXtVw67vtvu2Wd54NGuY=
+github.com/Azure/azure-sdk-for-go v62.0.0+incompatible h1:8N2k27SYtc12qj5nTsuFMFJPZn5CGmgMWqTy4y9I7Jw=
-github.com/Azure/azure-sdk-for-go v61.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
 github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
@@ -212,8 +212,9 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
-github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f h1:oRD16bhpKNAanfcDDVU+J0NXqsgHIvGbbe/sy+r6Rs0=
 github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190620160927-9418d7b0cd0f/go.mod h1:myCDvQSzCW+wB1WAlocEru4wMGJxy+vlxHdhegi1CDQ=
+github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499 h1:P2FUu1/xkj4abuHcqdRQO9ZAYc9hSWG5c5gifsU/Ogc=
+github.com/aliyun/alibaba-cloud-sdk-go v1.61.1499/go.mod h1:RcDobYh8k5VP6TNybz9m++gL3ijVI5wueVr0EM10VsU=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5 h1:nWDRPCyCltiTsANwC/n3QZH7Vww33Npq9MKqlwRzI/c=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
@@ -242,8 +243,8 @@ github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo
 github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.43.4 h1:EtsGbtOB+1548T6Nb62XCOofgXtMHwf+WZh5gQc3xTY=
+github.com/aws/aws-sdk-go v1.43.8 h1:8a/M9C4l5CxFNM6IuNx4F1p+ITJEX12VxWxUQo61cbc=
-github.com/aws/aws-sdk-go v1.43.4/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc=
+github.com/aws/aws-sdk-go v1.43.8/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.8.0 h1:HcN6yDnHV9S7D69E7To0aUppJhiJNEzQSNcUxc7r3qo=
 github.com/aws/aws-sdk-go-v2 v1.8.0/go.mod h1:xEFuWz+3TYdlPRuo+CqATbeDWIWyaT5uAPwPaWtgse0=
 github.com/aws/aws-sdk-go-v2/config v1.6.0 h1:rtoCnNObhVm7me+v9sA2aY+NtHNZjjWWC3ifXVci+wE=
@@ -878,10 +879,26 @@ github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
 github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-kms-wrapping v0.7.0 h1:UBagVJn4nSNOSjjtpkR370VOEBLnGMXfQcIlE/WL/7o=
+github.com/hashicorp/go-kms-wrapping v0.7.1 h1:SPdvddcmGjYkFrMROhRuW3VkOeVsNuEbpmfT7B1qSGM=
-github.com/hashicorp/go-kms-wrapping v0.7.0/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
+github.com/hashicorp/go-kms-wrapping v0.7.1/go.mod h1:rmGmNzO/DIBzUyisFjeocXvazOlxgO5K8vsFQkUn7Hk=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 h1:xuTi5ZwjimfpvpL09jDE71smCBRpnF5xfo871BSX4gs=
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d h1:mOtPXWIp4cWKNt9S55IuYAdyUgNtCfUAEVIjcXDx59E=
+github.com/hashicorp/go-kms-wrapping/v2 v2.0.6-0.20220722192355-a843f53fa48d/go.mod h1:sDQAfwJGv25uGPZA04x87ERglCG6avnRcBT9wYoMII8=
+github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4 h1:ws2CPDuXMKwaBb2z/duBCdnB9pSxlN2nuDZWXcVj6RU=
+github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.4/go.mod h1:dDxt3GXi5QONVHYrJi2+EjsJLCUs59FktZQA8ZMnm+U=
+github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1 h1:ydUCtmr8f9F+mHZ1iCsvzqFTXqNVpewX3s9zcYipMKI=
+github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.1/go.mod h1:Sl/ffzV57UAyjtSg1h5Km0rN5+dtzZJm1CUztkoCW2c=
+github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0 h1:RnTa2yQXHPP7CocgTAciNXcn5OG4wsqqENlMuUTXl74=
+github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.0/go.mod h1:3D5UB9fjot4oUTYGQ5gGmhLJKreyLZeI0XB+NxcLTKs=
+github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1 h1:6joKpqCFveaNMEwC3qna67usws6DjdxqfCuQEHSM0aM=
+github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.1/go.mod h1:sDmsWR/W2LqwU217o32RzdHMb/FywGLF72PVIhpZ3hE=
+github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0 h1:UE5bUOSPYqAUK+hV9ngxkQthltjhrYZHEbwqeh7hEq4=
+github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.0/go.mod h1:YRtkersQ2N3iHlPDG5B3xBQtBsNZ3bjmlCwnrl26jVE=
+github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0 h1:FnWV2E0NLj+yYdhToUQjU81ayCMgURiL2WbJ0V7u/XY=
+github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.0/go.mod h1:17twrc0lM8IpfGqIv69WQvwgDiu3nRwWlk5YfCSQduY=
+github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1 h1:72zlIBTJd2pvYmINqotpvcI4ZXLxhRq2cVPTuqv0xqY=
+github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.1/go.mod h1:JytRAxdJViV+unUUWedb7uzEy5pgu7OurbqX0eHEikE=
 github.com/hashicorp/go-memdb v1.3.3 h1:oGfEWrFuxtIUF3W2q/Jzt6G85TrMk9ey6XfYLvVe1Wo=
 github.com/hashicorp/go-memdb v1.3.3/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
@@ -1403,6 +1420,8 @@ github.com/openlyinc/pointy v1.1.2/go.mod h1:w2Sytx+0FVuMKn37xpXIAyBNhFNBIJGR/v2
 github.com/oracle/oci-go-sdk v7.0.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
 github.com/oracle/oci-go-sdk v13.1.0+incompatible h1:inwbT0b/mMbnTfzYoW2xcU1cCMIlU6Fz973at5phRXM=
 github.com/oracle/oci-go-sdk v13.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
+github.com/oracle/oci-go-sdk/v60 v60.0.0 h1:EJAWjEi4SY5Raha6iUzq4LTQ0uM5YFw/wat/L1ehIEM=
+github.com/oracle/oci-go-sdk/v60 v60.0.0/go.mod h1:krz+2gkSzlSL/L4PvP0Z9pZpag9HYLNtsMd1PmxlA2w=
 github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA=
 github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
 github.com/ory/dockertest/v3 v3.8.0 h1:i5b0cJCd801qw0cVQUOH6dSpI9fT3j5tdWu0jKu90ks=
@@ -1561,6 +1580,8 @@ github.com/snowflakedb/gosnowflake v1.6.3/go.mod h1:6hLajn6yxuJ4xUHZegMekpq9rnQb
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d h1:bVQRCxQvfjNUeRqaY/uT0tFuvuFY0ulgnczuR684Xic=
 github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d/go.mod h1:Cw4GTlQccdRGSEf6KiMju767x0NEHE0YIVPJSaXjlsw=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b h1:br+bPNZsJWKicw/5rALEo67QHs5weyD5tf8WST+4sJ0=
+github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
@@ -2393,8 +2414,9 @@ gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:a
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
+gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/jcmturner/goidentity.v3 v3.0.0 h1:1duIyWiTaYvVx3YX2CYtpJbUFd7/UuPYCfgXtQ3VTbI=
 gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
 gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce h1:xcEWjVhvbDy+nHP67nPDDpbYrY+ILlfndk4bRioVHaU=

helper/testhelpers/seal/sealhelper.go

@@ -57,7 +57,7 @@ func (tss *TransitSealServer) MakeKey(t testing.T, key string) {
 	}
 }
 
-func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
+func (tss *TransitSealServer) MakeSeal(t testing.T, key string) (vault.Seal, error) {
 	client := tss.Cores[0].Client
 	wrapperConfig := map[string]string{
 		"address":     client.Address(),
@@ -66,7 +66,7 @@ func (tss *TransitSealServer) MakeSeal(t testing.T, key string) vault.Seal {
 		"key_name":    key,
 		"tls_ca_cert": tss.CACertPEMFile,
 	}
-	transitSeal, _, err := configutil.GetTransitKMSFunc(nil, &configutil.KMS{Config: wrapperConfig})
+	transitSeal, _, err := configutil.GetTransitKMSFunc(&configutil.KMS{Config: wrapperConfig})
 	if err != nil {
 		t.Fatalf("error setting wrapper config: %v", err)
 	}

http/sys_init_test.go

@@ -151,7 +151,10 @@ func TestSysInit_Put_ValidateParams(t *testing.T) {
 
 func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
 	testSeal := seal.NewTestSeal(nil)
-	autoSeal := vault.NewAutoSeal(testSeal)
+	autoSeal, err := vault.NewAutoSeal(testSeal)
+	if err != nil {
+		t.Fatal(err)
+	}
 	autoSeal.SetType("transit")
 
 	// Create the transit server.

internalshared/configutil/encrypt_decrypt.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"regexp"
 
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -71,7 +71,7 @@ func EncryptDecrypt(rawStr string, decrypt, strip bool, wrapper wrapping.Wrapper
 			if err != nil {
 				return "", fmt.Errorf("error decoding encrypted parameter: %w", err)
 			}
-			inBlob := new(wrapping.EncryptedBlobInfo)
+			inBlob := new(wrapping.BlobInfo)
 			if err := proto.Unmarshal(inMsg, inBlob); err != nil {
 				return "", fmt.Errorf("error unmarshaling encrypted parameter: %w", err)
 			}

internalshared/configutil/encrypt_decrypt_test.go

@@ -6,7 +6,7 @@ import (
 	"encoding/base64"
 	"testing"
 
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -51,7 +51,7 @@ telemetry {
 		if err != nil {
 			t.Fatal(err)
 		}
-		inBlob := new(wrapping.EncryptedBlobInfo)
+		inBlob := new(wrapping.BlobInfo)
 		if err := proto.Unmarshal(inMsg, inBlob); err != nil {
 			t.Fatal(err)
 		}
@@ -89,18 +89,24 @@ telemetry {
 
 type reversingWrapper struct{}
 
-func (r *reversingWrapper) Type() string                     { return "reversing" }
+func (r *reversingWrapper) Type(_ context.Context) (wrapping.WrapperType, error) {
-func (r *reversingWrapper) KeyID() string                    { return "reverser" }
+	return "reverser", nil
-func (r *reversingWrapper) HMACKeyID() string                { return "" }
+}
-func (r *reversingWrapper) Init(_ context.Context) error     { return nil }
+func (r *reversingWrapper) KeyId(_ context.Context) (string, error) { return "reverser", nil }
-func (r *reversingWrapper) Finalize(_ context.Context) error { return nil }
+func (r *reversingWrapper) HMACKeyID() string                       { return "" }
-func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ []byte) (*wrapping.EncryptedBlobInfo, error) {
+func (r *reversingWrapper) Init(_ context.Context) error            { return nil }
-	return &wrapping.EncryptedBlobInfo{
+func (r *reversingWrapper) Finalize(_ context.Context) error        { return nil }
+func (r *reversingWrapper) SetConfig(_ context.Context, opts ...wrapping.Option) (*wrapping.WrapperConfig, error) {
+	return &wrapping.WrapperConfig{}, nil
+}
+
+func (r *reversingWrapper) Encrypt(_ context.Context, input []byte, _ ...wrapping.Option) (*wrapping.BlobInfo, error) {
+	return &wrapping.BlobInfo{
 		Ciphertext: r.reverse(input),
 	}, nil
 }
 
-func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.EncryptedBlobInfo, _ []byte) ([]byte, error) {
+func (r *reversingWrapper) Decrypt(_ context.Context, input *wrapping.BlobInfo, _ ...wrapping.Option) ([]byte, error) {
 	return r.reverse(input.Ciphertext), nil
 }
 

internalshared/configutil/kms.go

@@ -1,6 +1,7 @@
 package configutil
 
 import (
+	"context"
 	"crypto/rand"
 	"fmt"
 	"io"
@@ -8,14 +9,14 @@ import (
 
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/awskms"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2"
-	"github.com/hashicorp/go-kms-wrapping/wrappers/transit"
+	"github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/hcl"
@@ -159,41 +160,37 @@ func ParseKMSes(d string) ([]*KMS, error) {
 	return result.Seals, nil
 }
 
-func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger) (wrapping.Wrapper, error) {
+func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]string, logger hclog.Logger, opts ...wrapping.Option) (wrapping.Wrapper, error) {
 	var wrapper wrapping.Wrapper
 	var kmsInfo map[string]string
 	var err error
 
-	opts := &wrapping.WrapperOptions{
+	switch wrapping.WrapperType(configKMS.Type) {
-		Logger: logger,
+	case wrapping.WrapperTypeShamir:
-	}
-
-	switch configKMS.Type {
-	case wrapping.Shamir:
 		return nil, nil
 
-	case wrapping.AEAD:
+	case wrapping.WrapperTypeAead:
-		wrapper, kmsInfo, err = GetAEADKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetAEADKMSFunc(configKMS, opts...)
 
-	case wrapping.AliCloudKMS:
+	case wrapping.WrapperTypeAliCloudKms:
-		wrapper, kmsInfo, err = GetAliCloudKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetAliCloudKMSFunc(configKMS, opts...)
 
-	case wrapping.AWSKMS:
+	case wrapping.WrapperTypeAwsKms:
-		wrapper, kmsInfo, err = GetAWSKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetAWSKMSFunc(configKMS, opts...)
 
-	case wrapping.AzureKeyVault:
+	case wrapping.WrapperTypeAzureKeyVault:
-		wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetAzureKeyVaultKMSFunc(configKMS, opts...)
 
-	case wrapping.GCPCKMS:
+	case wrapping.WrapperTypeGcpCkms:
-		wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetGCPCKMSKMSFunc(configKMS, opts...)
 
-	case wrapping.OCIKMS:
+	case wrapping.WrapperTypeOciKms:
-		wrapper, kmsInfo, err = GetOCIKMSKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetOCIKMSKMSFunc(configKMS, opts...)
 
-	case wrapping.Transit:
+	case wrapping.WrapperTypeTransit:
-		wrapper, kmsInfo, err = GetTransitKMSFunc(opts, configKMS)
+		wrapper, kmsInfo, err = GetTransitKMSFunc(configKMS, opts...)
 
-	case wrapping.PKCS11:
+	case wrapping.WrapperTypePkcs11:
 		return nil, fmt.Errorf("KMS type 'pkcs11' requires the Vault Enterprise HSM binary")
 
 	default:
@@ -214,9 +211,9 @@ func configureWrapper(configKMS *KMS, infoKeys *[]string, info *map[string]strin
 	return wrapper, nil
 }
 
-func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+func GetAEADKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := aeadwrapper.NewWrapper(opts)
+	wrapper := aeadwrapper.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), opts...)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -226,14 +223,14 @@ func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper,
 		if len(kms.Purpose) > 0 {
 			str = fmt.Sprintf("%v %s", kms.Purpose, str)
 		}
-		info[str] = wrapperInfo["aead_type"]
+		info[str] = wrapperInfo.Metadata["aead_type"]
 	}
 	return wrapper, info, nil
 }
 
-func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+func GetAliCloudKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := alicloudkms.NewWrapper(opts)
+	wrapper := alicloudkms.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@@ -242,18 +239,18 @@ func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapp
 	}
 	info := make(map[string]string)
 	if wrapperInfo != nil {
-		info["AliCloud KMS Region"] = wrapperInfo["region"]
+		info["AliCloud KMS Region"] = wrapperInfo.Metadata["region"]
-		info["AliCloud KMS KeyID"] = wrapperInfo["kms_key_id"]
+		info["AliCloud KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
-		if domain, ok := wrapperInfo["domain"]; ok {
+		if domain, ok := wrapperInfo.Metadata["domain"]; ok {
 			info["AliCloud KMS Domain"] = domain
 		}
 	}
 	return wrapper, info, nil
 }
 
-var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+var GetAWSKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := awskms.NewWrapper(opts)
+	wrapper := awskms.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@@ -262,18 +259,18 @@ var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrap
 	}
 	info := make(map[string]string)
 	if wrapperInfo != nil {
-		info["AWS KMS Region"] = wrapperInfo["region"]
+		info["AWS KMS Region"] = wrapperInfo.Metadata["region"]
-		info["AWS KMS KeyID"] = wrapperInfo["kms_key_id"]
+		info["AWS KMS KeyID"] = wrapperInfo.Metadata["kms_key_id"]
-		if endpoint, ok := wrapperInfo["endpoint"]; ok {
+		if endpoint, ok := wrapperInfo.Metadata["endpoint"]; ok {
 			info["AWS KMS Endpoint"] = endpoint
 		}
 	}
 	return wrapper, info, nil
 }
 
-func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+func GetAzureKeyVaultKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := azurekeyvault.NewWrapper(opts)
+	wrapper := azurekeyvault.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@@ -282,16 +279,16 @@ func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.
 	}
 	info := make(map[string]string)
 	if wrapperInfo != nil {
-		info["Azure Environment"] = wrapperInfo["environment"]
+		info["Azure Environment"] = wrapperInfo.Metadata["environment"]
-		info["Azure Vault Name"] = wrapperInfo["vault_name"]
+		info["Azure Vault Name"] = wrapperInfo.Metadata["vault_name"]
-		info["Azure Key Name"] = wrapperInfo["key_name"]
+		info["Azure Key Name"] = wrapperInfo.Metadata["key_name"]
 	}
 	return wrapper, info, nil
 }
 
-func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+func GetGCPCKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := gcpckms.NewWrapper(opts)
+	wrapper := gcpckms.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@@ -300,33 +297,33 @@ func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrappe
 	}
 	info := make(map[string]string)
 	if wrapperInfo != nil {
-		info["GCP KMS Project"] = wrapperInfo["project"]
+		info["GCP KMS Project"] = wrapperInfo.Metadata["project"]
-		info["GCP KMS Region"] = wrapperInfo["region"]
+		info["GCP KMS Region"] = wrapperInfo.Metadata["region"]
-		info["GCP KMS Key Ring"] = wrapperInfo["key_ring"]
+		info["GCP KMS Key Ring"] = wrapperInfo.Metadata["key_ring"]
-		info["GCP KMS Crypto Key"] = wrapperInfo["crypto_key"]
+		info["GCP KMS Crypto Key"] = wrapperInfo.Metadata["crypto_key"]
 	}
 	return wrapper, info, nil
 }
 
-func GetOCIKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+func GetOCIKMSKMSFunc(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := ocikms.NewWrapper(opts)
+	wrapper := ocikms.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
 	if err != nil {
 		return nil, nil, err
 	}
 	info := make(map[string]string)
 	if wrapperInfo != nil {
-		info["OCI KMS KeyID"] = wrapperInfo[ocikms.KMSConfigKeyID]
+		info["OCI KMS KeyID"] = wrapperInfo.Metadata[ocikms.KmsConfigKeyId]
-		info["OCI KMS Crypto Endpoint"] = wrapperInfo[ocikms.KMSConfigCryptoEndpoint]
+		info["OCI KMS Crypto Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigCryptoEndpoint]
-		info["OCI KMS Management Endpoint"] = wrapperInfo[ocikms.KMSConfigManagementEndpoint]
+		info["OCI KMS Management Endpoint"] = wrapperInfo.Metadata[ocikms.KmsConfigManagementEndpoint]
-		info["OCI KMS Principal Type"] = wrapperInfo["principal_type"]
+		info["OCI KMS Principal Type"] = wrapperInfo.Metadata["principal_type"]
 	}
 	return wrapper, info, nil
 }
 
-var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
+var GetTransitKMSFunc = func(kms *KMS, opts ...wrapping.Option) (wrapping.Wrapper, map[string]string, error) {
-	wrapper := transit.NewWrapper(opts)
+	wrapper := transit.NewWrapper()
-	wrapperInfo, err := wrapper.SetConfig(kms.Config)
+	wrapperInfo, err := wrapper.SetConfig(context.Background(), wrapping.WithConfigMap(kms.Config))
 	if err != nil {
 		// If the error is any other than logical.KeyNotFoundError, return the error
 		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
@@ -335,10 +332,10 @@ var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.
 	}
 	info := make(map[string]string)
 	if wrapperInfo != nil {
-		info["Transit Address"] = wrapperInfo["address"]
+		info["Transit Address"] = wrapperInfo.Metadata["address"]
-		info["Transit Mount Path"] = wrapperInfo["mount_path"]
+		info["Transit Mount Path"] = wrapperInfo.Metadata["mount_path"]
-		info["Transit Key Name"] = wrapperInfo["key_name"]
+		info["Transit Key Name"] = wrapperInfo.Metadata["key_name"]
-		if namespace, ok := wrapperInfo["namespace"]; ok {
+		if namespace, ok := wrapperInfo.Metadata["namespace"]; ok {
 			info["Transit Namespace"] = namespace
 		}
 	}

physical/raft/raft.go

@@ -17,7 +17,7 @@ import (
 	"github.com/armon/go-metrics"
 	"github.com/golang/protobuf/proto"
 	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-raftchunking"
 	"github.com/hashicorp/go-secure-stdlib/tlsutil"
 	"github.com/hashicorp/go-uuid"
@@ -1801,7 +1801,7 @@ func (s sealer) Open(ctx context.Context, ct []byte) ([]byte, error) {
 		return nil, errors.New("no seal access available")
 	}
 
-	var eblob wrapping.EncryptedBlobInfo
+	var eblob wrapping.BlobInfo
 	err := proto.Unmarshal(ct, &eblob)
 	if err != nil {
 		return nil, err

vault/core.go

@@ -22,11 +22,13 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2"
+
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/errwrap"
 	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-secure-stdlib/mlock"
 	"github.com/hashicorp/go-secure-stdlib/reloadutil"
@@ -93,6 +95,8 @@ const (
 	// forwardToActive to trigger forwarding if a perf standby encounters
 	// an SSC Token that it does not have the WAL state for.
 	ForwardSSCTokenToActive = "new_token"
+
+	WrapperTypeHsmAutoDeprecated = wrapping.WrapperType("hsm-auto")
 )
 
 var (
@@ -190,7 +194,7 @@ type unlockInformation struct {
 }
 
 type raftInformation struct {
-	challenge           *wrapping.EncryptedBlobInfo
+	challenge           *wrapping.BlobInfo
 	leaderClient        *api.Client
 	leaderBarrierConfig *SealConfig
 	nonVoter            bool
@@ -961,10 +965,11 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 	}
 
 	if c.seal == nil {
+		wrapper := aeadwrapper.NewShamirWrapper()
+		wrapper.SetConfig(context.Background(), awskms.WithLogger(c.logger.Named("shamir")))
+
 		c.seal = NewDefaultSeal(&vaultseal.Access{
-			Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+			Wrapper: wrapper,
-				Logger: c.logger.Named("shamir"),
-			}),
 		})
 	}
 	c.seal.SetCore(c)
@@ -1368,10 +1373,10 @@ func (c *Core) unsealFragment(key []byte, migrate bool) error {
 func (c *Core) unsealWithRaft(combinedKey []byte) error {
 	ctx := context.Background()
 
-	if c.seal.BarrierType() == wrapping.Shamir {
+	if c.seal.BarrierType() == wrapping.WrapperTypeShamir {
 		// If this is a legacy shamir seal this serves no purpose but it
 		// doesn't hurt.
-		err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey)
+		err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey)
 		if err != nil {
 			return err
 		}
@@ -1540,7 +1545,7 @@ func (c *Core) sealMigrated(ctx context.Context) (bool, error) {
 		return false, err
 	}
 
-	if existBarrierSealConfig.Type != c.seal.BarrierType() {
+	if existBarrierSealConfig.Type != c.seal.BarrierType().String() {
 		return false, nil
 	}
 	if c.seal.RecoveryKeySupported() && existRecoverySealConfig.Type != c.seal.RecoveryType() {
@@ -1622,7 +1627,7 @@ func (c *Core) migrateSeal(ctx context.Context) error {
 		}
 
 		// We have recovery keys; we're going to use them as the new shamir KeK.
-		err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveryKey)
+		err = c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveryKey)
 		if err != nil {
 			return fmt.Errorf("failed to set master key in seal: %w", err)
 		}
@@ -2496,7 +2501,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi
 	// In older versions of vault the default seal would not store a type. This
 	// is here to offer backwards compatibility for older seal configs.
 	if barrierConf.Type == "" {
-		barrierConf.Type = wrapping.Shamir
+		barrierConf.Type = wrapping.WrapperTypeShamir.String()
 	}
 
 	var recoveryConf *SealConfig
@@ -2516,7 +2521,7 @@ func (c *Core) PhysicalSealConfigs(ctx context.Context) (*SealConfig, *SealConfi
 		// In older versions of vault the default seal would not store a type. This
 		// is here to offer backwards compatibility for older seal configs.
 		if recoveryConf.Type == "" {
-			recoveryConf.Type = wrapping.Shamir
+			recoveryConf.Type = wrapping.WrapperTypeShamir.String()
 		}
 	}
 
@@ -2551,31 +2556,30 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
 
 	// If we don't have an existing config or if it's the deprecated auto seal
 	// which needs an upgrade, skip out
-	if existBarrierSealConfig == nil || existBarrierSealConfig.Type == wrapping.HSMAutoDeprecated {
+	if existBarrierSealConfig == nil || existBarrierSealConfig.Type == WrapperTypeHsmAutoDeprecated.String() {
 		return nil
 	}
 
 	if unwrapSeal == nil {
 		// With unwrapSeal==nil, either we're not migrating, or we're migrating
 		// from shamir.
+
 		switch {
-		case existBarrierSealConfig.Type == c.seal.BarrierType():
+		case existBarrierSealConfig.Type == c.seal.BarrierType().String():
 			// We have the same barrier type and the unwrap seal is nil so we're not
 			// migrating from same to same, IOW we assume it's not a migration.
 			return nil
-		case c.seal.BarrierType() == wrapping.Shamir:
+		case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
 			// The stored barrier config is not shamir, there is no disabled seal
 			// in config, and either no configured seal (which equates to Shamir)
 			// or an explicitly configured Shamir seal.
 			return fmt.Errorf("cannot seal migrate from %q to Shamir, no disabled seal in configuration",
 				existBarrierSealConfig.Type)
-		case existBarrierSealConfig.Type == wrapping.Shamir:
+		case existBarrierSealConfig.Type == wrapping.WrapperTypeShamir.String():
 			// The configured seal is not Shamir, the stored seal config is Shamir.
 			// This is a migration away from Shamir.
 			unwrapSeal = NewDefaultSeal(&vaultseal.Access{
-				Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+				Wrapper: aeadwrapper.NewShamirWrapper(),
-					Logger: c.logger.Named("shamir"),
-				}),
 			})
 		default:
 			// We know at this point that there is a configured non-Shamir seal,
@@ -2587,7 +2591,8 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
 	} else {
 		// If we're not coming from Shamir we expect the previous seal to be
 		// in the config and disabled.
-		if unwrapSeal.BarrierType() == wrapping.Shamir {
+
+		if unwrapSeal.BarrierType() == wrapping.WrapperTypeShamir {
 			return errors.New("Shamir seals cannot be set disabled (they should simply not be set)")
 		}
 	}
@@ -2597,7 +2602,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
 	unwrapSeal.SetCore(c)
 
 	// No stored recovery seal config found, what about the legacy recovery config?
-	if existBarrierSealConfig.Type != wrapping.Shamir && existRecoverySealConfig == nil {
+	if existBarrierSealConfig.Type != wrapping.WrapperTypeShamir.String() && existRecoverySealConfig == nil {
 		entry, err := c.physical.Get(ctx, recoverySealConfigPath)
 		if err != nil {
 			return fmt.Errorf("failed to read %q recovery seal configuration: %w", existBarrierSealConfig.Type, err)
@@ -2611,7 +2616,7 @@ func (c *Core) adjustForSealMigration(unwrapSeal Seal) error {
 	c.migrationInfo = &migrationInformation{
 		seal: unwrapSeal,
 	}
-	if existBarrierSealConfig.Type != c.seal.BarrierType() {
+	if existBarrierSealConfig.Type != c.seal.BarrierType().String() {
 		// It's unnecessary to call this when doing an auto->auto
 		// same-seal-type migration, since they'll have the same configs before
 		// and after migration.
@@ -2645,7 +2650,7 @@ func (c *Core) migrateSealConfig(ctx context.Context) error {
 		// recovery config to a clone of shamir's barrier config with stored
 		// keys set to 0.
 		bc = &SealConfig{
-			Type:            c.seal.BarrierType(),
+			Type:            c.seal.BarrierType().String(),
 			SecretShares:    1,
 			SecretThreshold: 1,
 			StoredShares:    1,
@@ -2684,7 +2689,7 @@ func (c *Core) adjustSealConfigDuringMigration(existBarrierSealConfig, existReco
 		// recovery config to a clone of shamir's barrier config with stored
 		// keys set to 0.
 		newBarrierSealConfig := &SealConfig{
-			Type:            c.seal.BarrierType(),
+			Type:            c.seal.BarrierType().String(),
 			SecretShares:    1,
 			SecretThreshold: 1,
 			StoredShares:    1,
@@ -2739,9 +2744,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey
 	case vaultseal.StoredKeysSupportedShamirRoot:
 		if useTestSeal {
 			testseal := NewDefaultSeal(&vaultseal.Access{
-				Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+				Wrapper: aeadwrapper.NewShamirWrapper(),
-					Logger: c.logger.Named("testseal"),
-				}),
 			})
 			testseal.SetCore(c)
 			cfg, err := seal.BarrierConfig(ctx)
@@ -2752,7 +2755,7 @@ func (c *Core) unsealKeyToMasterKey(ctx context.Context, seal Seal, combinedKey
 			seal = testseal
 		}
 
-		err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(combinedKey)
+		err := seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(combinedKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to setup unseal key: %w", err)
 		}

vault/external_tests/raft/raft_test.go

@@ -549,9 +549,13 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
 	t.Parallel()
 
 	seal, setErr := vaultseal.NewToggleableTestSeal(nil)
+	autoSeal, err := vault.NewAutoSeal(seal)
+	if err != nil {
+		t.Fatal(err)
+	}
 	cluster := raftCluster(t, &RaftClusterOpts{
 		NumCores: 1,
-		Seal:     vault.NewAutoSeal(seal),
+		Seal:     autoSeal,
 	})
 	defer cluster.Cleanup()
 
@@ -582,7 +586,7 @@ func TestRaft_SnapshotAPI_MidstreamFailure(t *testing.T) {
 
 	setErr(errors.New("seal failure"))
 	// Take a snapshot
-	err := leaderClient.Sys().RaftSnapshot(w)
+	err = leaderClient.Sys().RaftSnapshot(w)
 	w.Close()
 	if err == nil || err != api.ErrIncompleteSnapshot {
 		t.Fatalf("expected err=%v, got: %v", api.ErrIncompleteSnapshot, err)

vault/external_tests/sealmigration/testshared.go

@@ -132,7 +132,11 @@ func ParamTestSealMigrationShamirToTransit_Post14(t *testing.T, logger hclog.Log
 
 	// Migrate the backend from shamir to transit.
 	opts.SealFunc = func() vault.Seal {
-		return tss.MakeSeal(t, sealKeyName)
+		seal, err := tss.MakeSeal(t, sealKeyName)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return seal
 	}
 
 	// Restart each follower with the new config, and migrate to Transit.
@@ -173,7 +177,11 @@ func ParamTestSealMigration_TransitToTransit(t *testing.T, logger hclog.Logger,
 	// Migrate the backend from transit to transit.
 	opts.UnwrapSealFunc = opts.SealFunc
 	opts.SealFunc = func() vault.Seal {
-		return tss2.MakeSeal(t, "transit-seal-key-2")
+		seal, err := tss2.MakeSeal(t, "transit-seal-key-2")
+		if err != nil {
+			t.Fatal(err)
+		}
+		return seal
 	}
 	leaderIdx := migratePost14(t, storage, cluster, opts, cluster.RecoveryKeys)
 	validateMigration(t, storage, cluster, leaderIdx, verifySealConfigTransit)
@@ -279,7 +287,11 @@ func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage
 		SkipInit:              true,
 		// N.B. Providing a transit seal puts us in migration mode.
 		SealFunc: func() vault.Seal {
-			return tss.MakeSeal(t, "transit-seal-key")
+			seal, err := tss.MakeSeal(t, "transit-seal-key")
+			if err != nil {
+				t.Fatal(err)
+			}
+			return seal
 		},
 	}
 	storage.Setup(&conf, &opts)
@@ -697,7 +709,11 @@ func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.Re
 		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
 		BaseClusterListenPort: baseClusterPort,
 		SealFunc: func() vault.Seal {
-			return tss.MakeSeal(t, sealKeyName)
+			seal, err := tss.MakeSeal(t, sealKeyName)
+			if err != nil {
+				t.Fatal(err)
+			}
+			return seal
 		},
 	}
 	storage.Setup(&conf, &opts)

vault/ha.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/errwrap"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/namespace"
@@ -869,7 +869,7 @@ func (c *Core) reloadShamirKey(ctx context.Context) error {
 		}
 		shamirKey = keyring.rootKey
 	}
-	return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(shamirKey)
+	return c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(shamirKey)
 }
 
 func (c *Core) performKeyUpgrades(ctx context.Context) error {

vault/identity_store_oidc.go

@@ -1774,7 +1774,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
 				nextExpiration = k.ExpireAt
 			}
 
-			// Mark the KeyID as in use so it doesn't get deleted in the next step
+			// Mark the KeyId as in use so it doesn't get deleted in the next step
 			usedKeys = append(usedKeys, k.KeyID)
 		}
 

vault/init.go

@@ -9,11 +9,11 @@ import (
 	"net/url"
 	"sync/atomic"
 
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/physical/raft"
 	"github.com/hashicorp/vault/vault/seal"
 
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/shamir"
@@ -276,7 +276,8 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 
 	var sealKey []byte
 	var sealKeyShares [][]byte
-	if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.Shamir {
+
+	if barrierConfig.StoredShares == 1 && c.seal.BarrierType() == wrapping.WrapperTypeShamir {
 		sealKey, sealKeyShares, err = c.generateShares(barrierConfig)
 		if err != nil {
 			c.logger.Error("error generating shares", "error", err)
@@ -324,7 +325,7 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 	switch c.seal.StoredKeysSupported() {
 	case seal.StoredKeysSupportedShamirRoot:
 		keysToStore := [][]byte{barrierKey}
-		if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(sealKey); err != nil {
+		if err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(sealKey); err != nil {
 			c.logger.Error("failed to set seal key", "error", err)
 			return nil, fmt.Errorf("failed to set seal key: %w", err)
 		}
@@ -439,7 +440,7 @@ func (c *Core) UnsealWithStoredKeys(ctx context.Context) error {
 	c.unsealWithStoredKeysLock.Lock()
 	defer c.unsealWithStoredKeysLock.Unlock()
 
-	if c.seal.BarrierType() == wrapping.Shamir {
+	if c.seal.BarrierType() == wrapping.WrapperTypeShamir {
 		return nil
 	}
 

vault/init_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/physical/inmem"
@@ -89,7 +89,7 @@ func testCore_Init_Common(t *testing.T, c *Core, conf *CoreConfig, barrierConf,
 		t.Fatalf("err: %v", err)
 	}
 
-	if c.seal.BarrierType() == wrapping.Shamir && len(res.SecretShares) != barrierConf.SecretShares {
+	if c.seal.BarrierType() == wrapping.WrapperTypeShamir && len(res.SecretShares) != barrierConf.SecretShares {
 		t.Fatalf("Bad: got\n%#v\nexpected conf matching\n%#v\n", *res, *barrierConf)
 	}
 	if recoveryConf != nil {

vault/logical_system.go

@@ -4181,7 +4181,7 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
 
 	if sealConfig == nil {
 		return &SealStatusResponse{
-			Type:         core.SealAccess().BarrierType(),
+			Type:         core.SealAccess().BarrierType().String(),
 			Initialized:  initialized,
 			Sealed:       true,
 			RecoverySeal: core.SealAccess().RecoveryKeySupported(),

vault/logical_system_raft.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/golang/protobuf/proto"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/constants"
 	"github.com/hashicorp/vault/helper/namespace"
@@ -572,7 +572,7 @@ func (b *SystemBackend) handleStorageRaftSnapshotWrite(force bool) framework.Ope
 		case err == nil:
 		case strings.Contains(err.Error(), "failed to open the sealed hashes"):
 			switch b.Core.seal.BarrierType() {
-			case wrapping.Shamir:
+			case wrapping.WrapperTypeShamir:
 				return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different set of unseal keys; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest
 			default:
 				return logical.ErrorResponse("could not verify hash file, possibly the snapshot is using a different autoseal key; use the snapshot-force API to bypass this check"), logical.ErrInvalidRequest

vault/raft.go

@@ -17,7 +17,7 @@ import (
 	"github.com/hashicorp/go-discover"
 	discoverk8s "github.com/hashicorp/go-discover/provider/k8s"
 	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-secure-stdlib/tlsutil"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/api"
@@ -660,7 +660,7 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 			// The snapshot contained a root key or keyring we couldn't
 			// recover
 			switch c.seal.BarrierType() {
-			case wrapping.Shamir:
+			case wrapping.WrapperTypeShamir:
 				// If we are a shamir seal we can't do anything. Just
 				// seal all nodes.
 
@@ -804,7 +804,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
 		return nil, err
 	}
 
-	if sealConfig.Type != c.seal.BarrierType() {
+	if sealConfig.Type != c.seal.BarrierType().String() {
 		return nil, fmt.Errorf("mismatching seal types between raft leader (%s) and follower (%s)", sealConfig.Type, c.seal.BarrierType())
 	}
 
@@ -817,7 +817,7 @@ func (c *Core) getRaftChallenge(leaderInfo *raft.LeaderJoinInfo) (*raftInformati
 		return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
 	}
 
-	eBlob := &wrapping.EncryptedBlobInfo{}
+	eBlob := &wrapping.BlobInfo{}
 	if err := proto.Unmarshal(challengeRaw, eBlob); err != nil {
 		return nil, fmt.Errorf("error decoding raft bootstrap challenge: %w", err)
 	}
@@ -913,7 +913,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
 		// If we're using Shamir and using raft for both physical and HA, we
 		// need to block until the node is unsealed, unless retry is set to
 		// false.
-		if c.seal.BarrierType() == wrapping.Shamir && !c.isRaftHAOnly() {
+		if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !c.isRaftHAOnly() {
 			c.raftInfo.Store(raftInfo)
 			if err := c.seal.SetBarrierConfig(ctx, raftInfo.leaderBarrierConfig); err != nil {
 				return err
@@ -936,7 +936,7 @@ func (c *Core) JoinRaftCluster(ctx context.Context, leaderInfos []*raft.LeaderJo
 			return fmt.Errorf("failed to send answer to raft leader node: %w", err)
 		}
 
-		if c.seal.BarrierType() == wrapping.Shamir && !isRaftHAOnly {
+		if c.seal.BarrierType() == wrapping.WrapperTypeShamir && !isRaftHAOnly {
 			// Reset the state
 			c.raftInfo.Store((*raftInformation)(nil))
 

vault/rekey.go

@@ -9,8 +9,8 @@ import (
 	"fmt"
 	"net/http"
 
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -169,7 +169,7 @@ func (c *Core) RekeyInit(config *SealConfig, recovery bool) logical.HTTPCodedErr
 // BarrierRekeyInit is used to initialize the rekey settings for the barrier key
 func (c *Core) BarrierRekeyInit(config *SealConfig) logical.HTTPCodedError {
 	switch c.seal.BarrierType() {
-	case wrapping.Shamir:
+	case wrapping.WrapperTypeShamir:
 		// As of Vault 1.3 all seals use StoredShares==1.  The one exception is
 		// legacy shamir seals, which we can read but not write (by design).
 		// So if someone does a rekey, regardless of their intention, we're going
@@ -396,15 +396,13 @@ func (c *Core) BarrierRekeyUpdate(ctx context.Context, key []byte, nonce string)
 			c.logger.Error("rekey recovery key verification failed", "error", err)
 			return nil, logical.CodedError(http.StatusBadRequest, fmt.Errorf("recovery key verification failed: %w", err).Error())
 		}
-	case c.seal.BarrierType() == wrapping.Shamir:
+	case c.seal.BarrierType() == wrapping.WrapperTypeShamir:
 		if c.seal.StoredKeysSupported() == seal.StoredKeysSupportedShamirRoot {
 			testseal := NewDefaultSeal(&seal.Access{
-				Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+				Wrapper: aeadwrapper.NewShamirWrapper(),
-					Logger: c.logger.Named("testseal"),
-				}),
 			})
 			testseal.SetCore(c)
-			err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(recoveredKey)
+			err = testseal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(recoveredKey)
 			if err != nil {
 				return nil, logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to setup unseal key: %w", err).Error())
 			}
@@ -532,7 +530,7 @@ func (c *Core) performBarrierRekey(ctx context.Context, newSealKey []byte) logic
 	}
 
 	if c.seal.StoredKeysSupported() != seal.StoredKeysSupportedGeneric {
-		err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAESGCMKeyBytes(newSealKey)
+		err := c.seal.GetAccess().Wrapper.(*aeadwrapper.ShamirWrapper).SetAesGcmKeyBytes(newSealKey)
 		if err != nil {
 			return logical.CodedError(http.StatusInternalServerError, fmt.Errorf("failed to update barrier seal key: %w", err).Error())
 		}

vault/rekey_test.go

@@ -154,7 +154,7 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str
 	if recovery {
 		expType = c.seal.RecoveryType()
 	} else {
-		expType = c.seal.BarrierType()
+		expType = c.seal.BarrierType().String()
 	}
 
 	newConf := &SealConfig{

vault/seal.go

@@ -13,7 +13,7 @@ import (
 	"github.com/hashicorp/vault/sdk/physical"
 
 	"github.com/golang/protobuf/proto"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/vault/seal"
 	"github.com/keybase/go-crypto/openpgp"
 	"github.com/keybase/go-crypto/openpgp/packet"
@@ -59,7 +59,7 @@ type Seal interface {
 	SealWrapable() bool
 	SetStoredKeys(context.Context, [][]byte) error
 	GetStoredKeys(context.Context) ([][]byte, error)
-	BarrierType() string
+	BarrierType() wrapping.WrapperType
 	BarrierConfig(context.Context) (*SealConfig, error)
 	SetBarrierConfig(context.Context, *SealConfig) error
 	SetCachedBarrierConfig(*SealConfig)
@@ -119,8 +119,8 @@ func (d *defaultSeal) Finalize(ctx context.Context) error {
 	return nil
 }
 
-func (d *defaultSeal) BarrierType() string {
+func (d *defaultSeal) BarrierType() wrapping.WrapperType {
-	return wrapping.Shamir
+	return wrapping.WrapperTypeShamir
 }
 
 func (d *defaultSeal) StoredKeysSupported() seal.StoredKeysSupport {
@@ -193,8 +193,8 @@ func (d *defaultSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
 	switch conf.Type {
 	// This case should not be valid for other types as only this is the default
 	case "":
-		conf.Type = d.BarrierType()
+		conf.Type = d.BarrierType().String()
-	case d.BarrierType():
+	case d.BarrierType().String():
 	default:
 		d.core.logger.Error("barrier seal type does not match expected type", "barrier_seal_type", conf.Type, "loaded_seal_type", d.BarrierType())
 		return nil, fmt.Errorf("barrier seal type of %q does not match expected type of %q", conf.Type, d.BarrierType())
@@ -222,7 +222,7 @@ func (d *defaultSeal) SetBarrierConfig(ctx context.Context, config *SealConfig)
 		return nil
 	}
 
-	config.Type = d.BarrierType()
+	config.Type = d.BarrierType().String()
 
 	// If we are doing a raft unseal we do not want to persist the barrier config
 	// because storage isn't setup yet.
@@ -477,7 +477,7 @@ func readStoredKeys(ctx context.Context, storage physical.Backend, encryptor *se
 		return nil, nil
 	}
 
-	blobInfo := &wrapping.EncryptedBlobInfo{}
+	blobInfo := &wrapping.BlobInfo{}
 	if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
 		return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
 	}

vault/seal/envelope.go

@@ -5,11 +5,11 @@ import (
 	"time"
 
 	metrics "github.com/armon/go-metrics"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
 type Envelope struct {
-	envelope *wrapping.Envelope
+	envelope *wrapping.EnvelopeInfo
 	once     sync.Once
 }
 
@@ -18,19 +18,19 @@ func NewEnvelope() *Envelope {
 }
 
 func (e *Envelope) init() {
-	e.envelope = new(wrapping.Envelope)
+	e.envelope = new(wrapping.EnvelopeInfo)
 }
 
 func (e *Envelope) Encrypt(plaintext, aad []byte) (*wrapping.EnvelopeInfo, error) {
 	defer metrics.MeasureSince([]string{"seal", "envelope", "encrypt"}, time.Now())
 	e.once.Do(e.init)
 
-	return e.envelope.Encrypt(plaintext, aad)
+	return wrapping.EnvelopeEncrypt(plaintext, wrapping.WithAad(aad))
 }
 
 func (e *Envelope) Decrypt(data *wrapping.EnvelopeInfo, aad []byte) ([]byte, error) {
 	defer metrics.MeasureSince([]string{"seal", "envelope", "decrypt"}, time.Now())
 	e.once.Do(e.init)
 
-	return e.envelope.Decrypt(data, aad)
+	return wrapping.EnvelopeDecrypt(data, wrapping.WithAad(aad))
 }

vault/seal/seal.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	metrics "github.com/armon/go-metrics"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
 type StoredKeysSupport int
@@ -35,54 +35,74 @@ func (s StoredKeysSupport) String() string {
 // specific to encrypting and decrypting data, or in this case keys.
 type Access struct {
 	wrapping.Wrapper
-	OverriddenType string
+	WrapperType wrapping.WrapperType
 }
 
-func (a *Access) SetType(t string) {
+func (a *Access) Init(ctx context.Context) error {
-	a.OverriddenType = t
+	if initWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
-}
+		return initWrapper.Init(ctx)
-
-func (a *Access) Type() string {
-	if a.OverriddenType != "" {
-		return a.OverriddenType
 	}
-	return a.Wrapper.Type()
+	return nil
+}
+
+func (a *Access) SetType(t wrapping.WrapperType) {
+	a.WrapperType = t
+}
+
+func (a *Access) Type(ctx context.Context) (wrapping.WrapperType, error) {
+	if a != nil && a.WrapperType != "" {
+		return a.WrapperType, nil
+	}
+	return a.Wrapper.Type(ctx)
 }
 
 // Encrypt uses the underlying seal to encrypt the plaintext and returns it.
-func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.EncryptedBlobInfo, err error) {
+func (a *Access) Encrypt(ctx context.Context, plaintext, aad []byte) (blob *wrapping.BlobInfo, err error) {
+	wTyp, err := a.Wrapper.Type(ctx)
+	if err != nil {
+		return nil, err
+	}
+
 	defer func(now time.Time) {
 		metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
-		metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "encrypt", "time"}, now)
+		metrics.MeasureSince([]string{"seal", wTyp.String(), "encrypt", "time"}, now)
 
 		if err != nil {
 			metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
-			metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt", "error"}, 1)
+			metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt", "error"}, 1)
 		}
 	}(time.Now())
 
 	metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
-	metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "encrypt"}, 1)
+	metrics.IncrCounter([]string{"seal", wTyp.String(), "encrypt"}, 1)
 
-	return a.Wrapper.Encrypt(ctx, plaintext, aad)
+	return a.Wrapper.Encrypt(ctx, plaintext, wrapping.WithAad(aad))
 }
 
 // Decrypt uses the underlying seal to decrypt the cryptotext and returns it.
 // Note that it is possible depending on the wrapper used that both pt and err
 // are populated.
-func (a *Access) Decrypt(ctx context.Context, data *wrapping.EncryptedBlobInfo, aad []byte) (pt []byte, err error) {
+func (a *Access) Decrypt(ctx context.Context, data *wrapping.BlobInfo, aad []byte) (pt []byte, err error) {
+	wTyp, err := a.Wrapper.Type(ctx)
 	defer func(now time.Time) {
 		metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
-		metrics.MeasureSince([]string{"seal", a.Wrapper.Type(), "decrypt", "time"}, now)
+		metrics.MeasureSince([]string{"seal", wTyp.String(), "decrypt", "time"}, now)
 
 		if err != nil {
 			metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
-			metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt", "error"}, 1)
+			metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt", "error"}, 1)
 		}
 	}(time.Now())
 
 	metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
-	metrics.IncrCounter([]string{"seal", a.Wrapper.Type(), "decrypt"}, 1)
+	metrics.IncrCounter([]string{"seal", wTyp.String(), "decrypt"}, 1)
 
-	return a.Wrapper.Decrypt(ctx, data, aad)
+	return a.Wrapper.Decrypt(ctx, data, wrapping.WithAad(aad))
+}
+
+func (a *Access) Finalize(ctx context.Context) error {
+	if finalizeWrapper, ok := a.Wrapper.(wrapping.InitFinalizer); ok {
+		return finalizeWrapper.Finalize(ctx)
+	}
+	return nil
 }

vault/seal/seal_testing.go

@@ -5,14 +5,14 @@ import (
 	"sync"
 
 	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
 type TestSealOpts struct {
 	Logger     hclog.Logger
 	StoredKeys StoredKeysSupport
 	Secret     []byte
-	Name       string
+	Name       wrapping.WrapperType
 }
 
 func NewTestSeal(opts *TestSealOpts) *Access {
@@ -21,8 +21,8 @@ func NewTestSeal(opts *TestSealOpts) *Access {
 	}
 
 	return &Access{
-		Wrapper:        wrapping.NewTestWrapper(opts.Secret),
+		Wrapper:     wrapping.NewTestWrapper(opts.Secret),
-		OverriddenType: opts.Name,
+		WrapperType: opts.Name,
 	}
 }
 
@@ -33,8 +33,8 @@ func NewToggleableTestSeal(opts *TestSealOpts) (*Access, func(error)) {
 
 	w := &ToggleableWrapper{Wrapper: wrapping.NewTestWrapper(opts.Secret)}
 	return &Access{
-		Wrapper:        w,
+		Wrapper:     w,
-		OverriddenType: opts.Name,
+		WrapperType: opts.Name,
 	}, w.SetError
 }
 
@@ -44,22 +44,22 @@ type ToggleableWrapper struct {
 	l     sync.RWMutex
 }
 
-func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, bytes2 []byte) (*wrapping.EncryptedBlobInfo, error) {
+func (t *ToggleableWrapper) Encrypt(ctx context.Context, bytes []byte, opts ...wrapping.Option) (*wrapping.BlobInfo, error) {
 	t.l.RLock()
 	defer t.l.RUnlock()
 	if t.error != nil {
 		return nil, t.error
 	}
-	return t.Wrapper.Encrypt(ctx, bytes, bytes2)
+	return t.Wrapper.Encrypt(ctx, bytes, opts...)
 }
 
-func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.EncryptedBlobInfo, bytes []byte) ([]byte, error) {
+func (t ToggleableWrapper) Decrypt(ctx context.Context, info *wrapping.BlobInfo, opts ...wrapping.Option) ([]byte, error) {
 	t.l.RLock()
 	defer t.l.RUnlock()
 	if t.error != nil {
 		return nil, t.error
 	}
-	return t.Wrapper.Decrypt(ctx, info, bytes)
+	return t.Wrapper.Decrypt(ctx, info, opts...)
 }
 
 func (t *ToggleableWrapper) SetError(err error) {

vault/seal_access.go

@@ -3,6 +3,8 @@ package vault
 import (
 	"context"
 
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+
 	"github.com/hashicorp/vault/vault/seal"
 )
 
@@ -21,7 +23,7 @@ func (s *SealAccess) StoredKeysSupported() seal.StoredKeysSupport {
 	return s.seal.StoredKeysSupported()
 }
 
-func (s *SealAccess) BarrierType() string {
+func (s *SealAccess) BarrierType() wrapping.WrapperType {
 	return s.seal.BarrierType()
 }
 

vault/seal_autoseal.go

@@ -13,7 +13,7 @@ import (
 
 	proto "github.com/golang/protobuf/proto"
 	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/sdk/physical"
 	"github.com/hashicorp/vault/vault/seal"
 )
@@ -21,7 +21,7 @@ import (
 // barrierTypeUpgradeCheck checks for backwards compat on barrier type, not
 // applicable in the OSS side
 var (
-	barrierTypeUpgradeCheck     = func(_ string, _ *SealConfig) {}
+	barrierTypeUpgradeCheck     = func(_ wrapping.WrapperType, _ *SealConfig) {}
 	autoSealUnavailableDuration = []string{"seal", "unreachable", "time"}
 	// vars for unit testings
 	sealHealthTestIntervalNominal   = 10 * time.Minute
@@ -47,13 +47,19 @@ type autoSeal struct {
 // Ensure we are implementing the Seal interface
 var _ Seal = (*autoSeal)(nil)
 
-func NewAutoSeal(lowLevel *seal.Access) *autoSeal {
+func NewAutoSeal(lowLevel *seal.Access) (*autoSeal, error) {
 	ret := &autoSeal{
 		Access: lowLevel,
 	}
 	ret.barrierConfig.Store((*SealConfig)(nil))
 	ret.recoveryConfig.Store((*SealConfig)(nil))
-	return ret
+
+	var err error
+	ret.WrapperType, err = ret.Type(context.Background())
+	if err != nil {
+		return nil, err
+	}
+	return ret, nil
 }
 
 func (d *autoSeal) SealWrapable() bool {
@@ -87,8 +93,8 @@ func (d *autoSeal) Finalize(ctx context.Context) error {
 	return d.Access.Finalize(ctx)
 }
 
-func (d *autoSeal) BarrierType() string {
+func (d *autoSeal) BarrierType() wrapping.WrapperType {
-	return d.Type()
+	return d.WrapperType
 }
 
 func (d *autoSeal) StoredKeysSupported() seal.StoredKeysSupport {
@@ -120,12 +126,16 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
 		return fmt.Errorf("no stored keys found")
 	}
 
-	blobInfo := &wrapping.EncryptedBlobInfo{}
+	blobInfo := &wrapping.BlobInfo{}
 	if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
 		return fmt.Errorf("failed to proto decode stored keys: %w", err)
 	}
 
-	if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
+	keyId, err := d.Access.KeyId(ctx)
+	if err != nil {
+		return err
+	}
+	if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
 		d.logger.Info("upgrading stored keys")
 
 		pt, err := d.Decrypt(ctx, blobInfo, nil)
@@ -147,11 +157,11 @@ func (d *autoSeal) upgradeStoredKeys(ctx context.Context) error {
 }
 
 // UpgradeKeys re-encrypts and saves the stored keys and the recovery key
-// with the current key if the current KeyID is different from the KeyID
+// with the current key if the current KeyId is different from the KeyId
 // the stored keys and the recovery key are encrypted with. The provided
 // Context must be non-nil.
 func (d *autoSeal) UpgradeKeys(ctx context.Context) error {
-	// Many of the seals update their keys to the latest KeyID when Encrypt
+	// Many of the seals update their keys to the latest KeyId when Encrypt
 	// is called.
 	if _, err := d.Encrypt(ctx, []byte("a"), nil); err != nil {
 		return err
@@ -206,7 +216,7 @@ func (d *autoSeal) BarrierConfig(ctx context.Context) (*SealConfig, error) {
 
 	barrierTypeUpgradeCheck(d.BarrierType(), conf)
 
-	if conf.Type != d.BarrierType() {
+	if conf.Type != d.BarrierType().String() {
 		d.logger.Error("barrier seal type does not match loaded type", "seal_type", conf.Type, "loaded_type", d.BarrierType())
 		return nil, fmt.Errorf("barrier seal type of %q does not match loaded type of %q", conf.Type, d.BarrierType())
 	}
@@ -225,7 +235,7 @@ func (d *autoSeal) SetBarrierConfig(ctx context.Context, conf *SealConfig) error
 		return nil
 	}
 
-	conf.Type = d.BarrierType()
+	conf.Type = d.BarrierType().String()
 
 	// Encode the seal configuration
 	buf, err := json.Marshal(conf)
@@ -436,7 +446,7 @@ func (d *autoSeal) getRecoveryKeyInternal(ctx context.Context) ([]byte, error) {
 		return nil, fmt.Errorf("no recovery key found")
 	}
 
-	blobInfo := &wrapping.EncryptedBlobInfo{}
+	blobInfo := &wrapping.BlobInfo{}
 	if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
 		return nil, fmt.Errorf("failed to proto decode stored keys: %w", err)
 	}
@@ -458,12 +468,17 @@ func (d *autoSeal) upgradeRecoveryKey(ctx context.Context) error {
 		return fmt.Errorf("no recovery key found")
 	}
 
-	blobInfo := &wrapping.EncryptedBlobInfo{}
+	blobInfo := &wrapping.BlobInfo{}
 	if err := proto.Unmarshal(pe.Value, blobInfo); err != nil {
 		return fmt.Errorf("failed to proto decode recovery key: %w", err)
 	}
 
-	if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
+	keyId, err := d.Access.KeyId(ctx)
+	if err != nil {
+		return err
+	}
+
+	if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyId != keyId {
 		d.logger.Info("upgrading recovery key")
 
 		pt, err := d.Decrypt(ctx, blobInfo, nil)

vault/seal_autoseal_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/hashicorp/vault/helper/metricsutil"
 
 	proto "github.com/golang/protobuf/proto"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/sdk/physical"
 	"github.com/hashicorp/vault/vault/seal"
 )
@@ -71,13 +71,17 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) {
 	var encKeys []string
 	changeKey := func(key string) {
 		encKeys = append(encKeys, key)
-		testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyID(key)
+		testSeal.Wrapper.(*wrapping.TestWrapper).SetKeyId(key)
 	}
 
 	// Set initial encryption key.
 	changeKey("kaz")
 
-	autoSeal := NewAutoSeal(testSeal)
+	autoSeal, err := NewAutoSeal(testSeal)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	autoSeal.SetCore(core)
 	pBackend := newTestBackend(t)
 	core.physical = pBackend
@@ -130,14 +134,14 @@ func TestAutoSeal_UpgradeKeys(t *testing.T) {
 			// in encKeys. Iterate over each phyEntry and verify it was
 			// encrypted with its corresponding key in encKeys.
 			for i, phyEntry := range phyEntries {
-				blobInfo := &wrapping.EncryptedBlobInfo{}
+				blobInfo := &wrapping.BlobInfo{}
 				if err := proto.Unmarshal(phyEntry.Value, blobInfo); err != nil {
 					t.Errorf("phyKey = %s: failed to proto decode stored keys: %s", phyKey, err)
 				}
 				if blobInfo.KeyInfo == nil {
 					t.Errorf("phyKey = %s: KeyInfo missing: %+v", phyKey, blobInfo)
 				}
-				if want, got := encKeys[i], blobInfo.KeyInfo.KeyID; want != got {
+				if want, got := encKeys[i], blobInfo.KeyInfo.KeyId; want != got {
 					t.Errorf("phyKey = %s: Incorrect encryption key: want %s, got %s", phyKey, want, got)
 				}
 			}
@@ -185,7 +189,11 @@ func TestAutoSeal_HealthCheck(t *testing.T) {
 	})
 	sealHealthTestIntervalNominal = 10 * time.Millisecond
 	sealHealthTestIntervalUnhealthy = 10 * time.Millisecond
-	autoSeal := NewAutoSeal(testSealAccess)
+	autoSeal, err := NewAutoSeal(testSealAccess)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	autoSeal.SetCore(core)
 	core.seal = autoSeal
 	autoSeal.StartHealthCheck()

vault/seal_testing_util.go

@@ -2,8 +2,7 @@ package vault
 
 import (
 	"github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2"
-	aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/vault/seal"
 	testing "github.com/mitchellh/go-testing-interface"
@@ -21,9 +20,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 	switch opts.StoredKeys {
 	case seal.StoredKeysSupportedShamirRoot:
 		newSeal := NewDefaultSeal(&seal.Access{
-			Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+			Wrapper: aeadwrapper.NewShamirWrapper(),
-				Logger: opts.Logger,
-			}),
 		})
 		// Need StoredShares set or this will look like a legacy shamir seal.
 		newSeal.SetCachedBarrierConfig(&SealConfig{
@@ -34,9 +31,7 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 		return newSeal
 	case seal.StoredKeysNotSupported:
 		newSeal := NewDefaultSeal(&seal.Access{
-			Wrapper: aeadwrapper.NewShamirWrapper(&wrapping.WrapperOptions{
+			Wrapper: aeadwrapper.NewShamirWrapper(),
-				Logger: opts.Logger,
-			}),
 		})
 		newSeal.SetCachedBarrierConfig(&SealConfig{
 			StoredShares:    0,
@@ -45,6 +40,10 @@ func NewTestSeal(t testing.T, opts *seal.TestSealOpts) Seal {
 		})
 		return newSeal
 	default:
-		return NewAutoSeal(seal.NewTestSeal(opts))
+		seal, err := NewAutoSeal(seal.NewTestSeal(opts))
+		if err != nil {
+			t.Fatal(err)
+		}
+		return seal
 	}
 }

vault/sealunwrapper.go

@@ -9,7 +9,7 @@ import (
 
 	proto "github.com/golang/protobuf/proto"
 	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/physical"
 )
@@ -72,7 +72,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e
 	}
 
 	var performUnwrap bool
-	se := &wrapping.EncryptedBlobInfo{}
+	se := &wrapping.BlobInfo{}
 	// If the value ends in our canary value, try to decode the bytes.
 	eLen := len(entry.Value)
 	if eLen > 0 && entry.Value[eLen-1] == 's' {
@@ -109,7 +109,7 @@ func (d *sealUnwrapper) Get(ctx context.Context, key string) (*physical.Entry, e
 	}
 
 	performUnwrap = false
-	se = &wrapping.EncryptedBlobInfo{}
+	se = &wrapping.BlobInfo{}
 	// If the value ends in our canary value, try to decode the bytes.
 	eLen = len(entry.Value)
 	if eLen > 0 && entry.Value[eLen-1] == 's' {

vault/sealunwrapper_test.go

@@ -10,7 +10,7 @@ import (
 
 	proto "github.com/golang/protobuf/proto"
 	log "github.com/hashicorp/go-hclog"
-	wrapping "github.com/hashicorp/go-kms-wrapping"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/vault/sdk/physical"
 	"github.com/hashicorp/vault/sdk/physical/inmem"
 )
@@ -57,7 +57,7 @@ func performTestSealUnwrapper(t *testing.T, phys physical.Backend, logger log.Lo
 	// Save the original for comparison later
 	origBytes := make([]byte, len(entry.Value))
 	copy(origBytes, entry.Value)
-	se := &wrapping.EncryptedBlobInfo{
+	se := &wrapping.BlobInfo{
 		Ciphertext: entry.Value,
 	}
 	seb, err := proto.Marshal(se)