Add the ability to unseal using recovery keys via an explicit seal option. (#18683)

* wip * wip * Got it 'working', but not happy about cleanliness yet * Switch to a dedicated defaultSeal with recovery keys This is simpler than trying to hijack SealAccess as before. Instead, if the operator has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir seal with the recovery unseal key path instead of the auto seal. Then everything proceeds as if you had a shamir seal to begin with. * Handle recovery rekeying * changelog * Revert go.mod redirect * revert multi-blob info * Dumb nil unmarshal target * More comments * Update vault/seal.go Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * Update changelog/18683.txt Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * pr feedback * Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split * Better comment on recovery seal during adjustSealMigration * Make it possible to migrate from an auto-seal in recovery mode to shamir * Fix sealMigrated to account for a recovery seal * comments * Update changelog/18683.txt Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * Address PR feedback * Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate * Don't shortcut the reast of seal migration * get rid of redundant transit server cleanup Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2025-11-02 03:27:54 +00:00 · 2023-01-24 14:57:56 -06:00
parent 8f3dc3082c
commit 2ffe49aab0
14 changed files with 354 additions and 92 deletions
--- a/http/sys_init.go
+++ b/http/sys_init.go
@@ -61,9 +61,10 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request)
 	}

 	recoveryConfig := &vault.SealConfig{
-		SecretShares:    req.RecoveryShares,
-		SecretThreshold: req.RecoveryThreshold,
-		PGPKeys:         req.RecoveryPGPKeys,
+		SecretShares:          req.RecoveryShares,
+		SecretThreshold:       req.RecoveryThreshold,
+		PGPKeys:               req.RecoveryPGPKeys,
+		DisableUnsealRecovery: req.DisableUnsealRecovery,
 	}

 	initParams := &vault.InitParams{
@@ -115,14 +116,15 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request)
 }

 type InitRequest struct {
-	SecretShares      int      `json:"secret_shares"`
-	SecretThreshold   int      `json:"secret_threshold"`
-	StoredShares      int      `json:"stored_shares"`
-	PGPKeys           []string `json:"pgp_keys"`
-	RecoveryShares    int      `json:"recovery_shares"`
-	RecoveryThreshold int      `json:"recovery_threshold"`
-	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
-	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
+	SecretShares          int      `json:"secret_shares"`
+	SecretThreshold       int      `json:"secret_threshold"`
+	StoredShares          int      `json:"stored_shares"`
+	PGPKeys               []string `json:"pgp_keys"`
+	RecoveryShares        int      `json:"recovery_shares"`
+	RecoveryThreshold     int      `json:"recovery_threshold"`
+	RecoveryPGPKeys       []string `json:"recovery_pgp_keys"`
+	RootTokenPGPKey       string   `json:"root_token_pgp_key"`
+	DisableUnsealRecovery bool     `json:"disable_unseal_recovery"`
 }

 type InitResponse struct {