mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-01 02:57:59 +00:00
Vault documentation: updated key share/unseal images (#15526)
* updated images
* added new image files
@@ -37,7 +37,7 @@ the unseal key.
## Shamir seals
## Shamir seals


The default Vault config uses a Shamir seal. Instead of distributing the unseal
The default Vault config uses a Shamir seal. Instead of distributing the unseal
key as a single key to an operator, Vault uses an algorithm known as
key as a single key to an operator, Vault uses an algorithm known as
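Review bot: replacing vault-shamir-seal.svg with vault-shamir-seal.png on the `` line trades a scalable, text-searchable vector for a raster that blurs on zoom and high-DPI displays; if the PNG exists because the SVG was inaccurate, an exported corrected SVG would serve the docs better. Separately, this commit only adds three new files and deletes nothing, so the old .svg assets either remain referenced elsewhere or become stale; please confirm which and remove them in the same change if unused.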
@@ -89,7 +89,7 @@ securing the unseal key from users to a trusted device or service. At startup
Vault will connect to the device or service implementing the seal and ask it
Vault will connect to the device or service implementing the seal and ask it
to decrypt the root key Vault read from storage.
to decrypt the root key Vault read from storage.


There are certain operations in Vault besides unsealing that
There are certain operations in Vault besides unsealing that
require a quorum of users to perform, e.g. generating a root token. When
require a quorum of users to perform, e.g. generating a root token. When
@@ -41,9 +41,9 @@ a root key. By default, Vault uses [Shamir's Secret
Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to split the
Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) to split the
root key into a configured number of shards (referred as key shares or unseal
root key into a configured number of shards (referred as key shares or unseal
keys). A certain threshold of shards is required to reconstruct the root key,
keys). A certain threshold of shards is required to reconstruct the root key,
which is then used to decrypt the Vault's encryption key.
which is then used to decrypt the Vault's encryption key.


Refer to the [Seal/Unseal](/docs/concepts/seal#seal-unseal) documentation for
Refer to the [Seal/Unseal](/docs/concepts/seal#seal-unseal) documentation for
further details.
further details.
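Review bot: this page and the seal concepts page both switch to the same vault-shamir-seal.png, so one picture now has to match two descriptions; the text here is specific that a threshold of shards reconstructs the root key, "which is then used to decrypt the Vault's encryption key", so check that the new diagram shows that two-level chain (shares to root key to encryption key) rather than only the share split, or the architecture page will contradict its own figure.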
@@ -17,7 +17,7 @@ to split the root key into 5 shares, any 3 of which are required to reconstruct
key. The root key is used to protect the encryption key, which is ultimately used to protect
key. The root key is used to protect the encryption key, which is ultimately used to protect
data written to the storage backend.
data written to the storage backend.
[](/img/vault-shamir-secret-sharing.svg)

To support key rotation, we need to support changing the unseal keys, root key, and the
To support key rotation, we need to support changing the unseal keys, root key, and the
backend encryption key. We split this into two separate operations, `rekey` and `rotate`.
backend encryption key. We split this into two separate operations, `rekey` and `rotate`.
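Review bot: the old line `[](/img/vault-shamir-secret-sharing.svg)` wrapped the figure in a link to the full-size asset, and the new `` drops that wrapper; with a raster replacing a vector, the click-to-enlarge path is the only way readers can make out the 5-share, 3-threshold detail this paragraph refers to, so keep the link form, `[](/img/vault-key-rotate.png)`. The rename from -shamir-secret-sharing to -key-rotate and the new alt text "Key Rotation" also change what the figure claims to show; this paragraph uses it for the share split and root key / encryption key chain, with rekey and rotate introduced only in the following paragraph, so confirm the image covers both or move it below the `rekey` and `rotate` sentence.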
BIN website/public/img/vault-auto-unseal.png (new file, 21 KiB; binary not shown)
BIN website/public/img/vault-key-rotate.png (new file, 30 KiB; binary not shown)
BIN website/public/img/vault-shamir-seal.png (new file, 27 KiB; binary not shown)