Add the ability to unseal using recovery keys via an explicit seal option. (#18683)

* wip

* wip

* Got it 'working', but not happy about cleanliness yet

* Switch to a dedicated defaultSeal with recovery keys

This is simpler than trying to hijack SealAccess as before.  Instead, if the operator
has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir
seal with the recovery unseal key path instead of the auto seal.  Then everything proceeds
as if you had a shamir seal to begin with.

* Handle recovery rekeying

* changelog

* Revert go.mod redirect

* revert multi-blob info

* Dumb nil unmarshal target

* More comments

* Update vault/seal.go

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Update changelog/18683.txt

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* pr feedback

* Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split

* Better comment on recovery seal during adjustSealMigration

* Make it possible to migrate from an auto-seal in recovery mode to shamir

* Fix sealMigrated to account for a recovery seal

* comments

* Update changelog/18683.txt

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Address PR feedback

* Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate

* Don't shortcut the rest of seal migration

* get rid of redundant transit server cleanup

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
This commit is contained in:
Scott Miller
2023-01-24 14:57:56 -06:00
committed by GitHub
parent 8f3dc3082c
commit 2ffe49aab0
14 changed files with 354 additions and 92 deletions


@@ -29,10 +29,11 @@ type OperatorInitCommand struct {
flagRootTokenPGPKey string
// Auto Unseal
flagRecoveryShares int
flagRecoveryThreshold int
flagRecoveryPGPKeys []string
flagStoredShares int
flagRecoveryShares int
flagRecoveryThreshold int
flagRecoveryPGPKeys []string
flagStoredShares int
flagDisableUnsealRecovery bool
// Consul
flagConsulAuto bool
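Review bot: the new `flagDisableUnsealRecovery` field in the "Auto Unseal" group has no comment saying what it controls, and it is the only negatively named flag in that group. A one-line comment stating that it turns off unsealing with recovery keys, and that false leaves that path available, would save readers from having to find the `Flags()` registration to learn the polarity.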
@@ -149,6 +150,13 @@ func (c *OperatorInitCommand) Flags() *FlagSets {
Usage: "DEPRECATED: This flag does nothing. It will be removed in Vault 1.3.",
})
f.BoolVar(&BoolVar{
Name: "disable-unseal-recovery",
Target: &c.flagDisableUnsealRecovery,
Default: false,
Usage: "If disabled, unsealing Vault using recovery keys is not possible.",
})
// Consul Options
f = set.NewFlagSet("Consul Options")
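Review bot: the Usage string on `disable-unseal-recovery` begins "If disabled", which reads as describing the flag being off, the opposite of what is meant. Something like "If set, Vault cannot be unsealed using recovery keys." is unambiguous. The help text should also say how this flag relates to the seal stanza option the commit message describes, because with `Default: false` an operator who never passes the flag leaves recovery-key unseal permitted at init, and recovery key holders then have a path to unseal that they did not have before.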
@@ -280,9 +288,10 @@ func (c *OperatorInitCommand) Run(args []string) int {
PGPKeys: c.flagPGPKeys,
RootTokenPGPKey: c.flagRootTokenPGPKey,
RecoveryShares: c.flagRecoveryShares,
RecoveryThreshold: c.flagRecoveryThreshold,
RecoveryPGPKeys: c.flagRecoveryPGPKeys,
RecoveryShares: c.flagRecoveryShares,
RecoveryThreshold: c.flagRecoveryThreshold,
RecoveryPGPKeys: c.flagRecoveryPGPKeys,
UnsealRecoveryDisabled: c.flagDisableUnsealRecovery,
}
// Check auto mode
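Review bot: `UnsealRecoveryDisabled: c.flagDisableUnsealRecovery` is passed into the init request unconditionally, with nothing in the visible lines tying it to the recovery settings next to it. If the option only has meaning when recovery keys exist, consider warning when it is set without `RecoveryShares`, and add a command test asserting that the flag value reaches the request. The name also flips between `DisableUnsealRecovery` on the CLI side and `UnsealRecoveryDisabled` in the request; using one form for both makes the field easier to grep for.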