Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Key rotation #66

Open
fear1226 opened this issue Feb 1, 2021 · 5 comments
Open

Key rotation #66

fear1226 opened this issue Feb 1, 2021 · 5 comments

Comments

@fear1226
Copy link

fear1226 commented Feb 1, 2021

Is there a feature to rotate the key pair and use the new private key to decrypt the old data encrypted with previous key.
@jdelic
Copy link

jdelic commented Feb 1, 2021
edited
Loading

@fear1226
First you have to understand that there are multiple key pairs:

  • The certification keypair (that's the key id you see on a PGP key)
  • The signing keypair (which in vault-gpg's case is the same as the certification key)
  • The encryption keypair (which in PGP is a subkey of the keyring)

Rotating an encryption key in PGP usually means: creating a new encryption keypair, signing it with the certification private key and marking the old one as expired. PGP clients commonly just use the first valid encryption key on a keyring to encrypt data. So you'll need to distribute the updated keyring to the clients.

However, the new private key can't decrypt data encrypted with the previous key.

What exactly are you looking for?

@fear1226
Copy link
Author

fear1226 commented Feb 3, 2021

Thank you for your response.
I am currently using this gpg plugin to generate gpg key (public and private key pair) and use it outside of vault for encryption and decryption of data. The requirement is not to use the same key for a long period but to rotate it after a defined period. How to achieve this using this plugin?
Any suggestions would be helpful.

@LeSuisse
Copy link
Owner

LeSuisse commented Feb 3, 2021

Hi,

The only way I can see is to generate a new key pair and to use it instead of the previous one.
To maybe try to force the transition you could maybe use a policy to restrict access to the old key. If you restrict the access to the old key it might easier to find systems that still need to transition to the new key since their access will not work anymore (also note that the Vault audit log can be helpful).

@fear1226
Copy link
Author

fear1226 commented Feb 4, 2021

@LeSuisse

The requirement is to decrypt my data using the latest key.
If we create a new key pair, the new private key wouldn't be able to decrypt the older data (as it was encrypted using old public key). To resolve this, do we have to decrypt the old data using old private key (before restricting the old key pair), then once we get the decrypted data again encrypt using new public key, so that new private key can decrypt it ?
Is this the only solution or anything if you could suggest.

If this is the only solution, considering I am using a key pair for an year after which I will create a new key pair (to manage key rotation).I need to re-encrypt the entire data I have encrypted through out the year as the new private key can't decrypt old data?

@jdelic
Copy link

jdelic commented Feb 4, 2021
edited
Loading

@fear1226

From what I wrote above:

Rotating an encryption key in PGP usually means: creating a new encryption keypair, signing it with the certification private key and marking the old one as expired.

And from what you wrote:

The requirement is to decrypt my data using the latest key.

I think there is a fundamental misunderstanding here. There is no way to "rotate" a key in such a way that the new key will decrypt data encrypted by the old key. You can achieve something like this in the way that Vault does it out of the box through an intermediary key.

Off the top of my head, PGP encrypts data by:

  • Creating a symmetric session key (using AES, IDEA, or other symmetric cipher)
  • Encrypting the plaintext with the symmetric key (and creating a authentication code)
  • Packaging up the ciphertext, symmetric key and authentication code
  • Encrypting the symmetric key with the keyring's encryption key (E)
  • Signing the package with the keyring's signing key (S)

In theory you might be able to achieve what you want in Vault-GPG by just rotating the key encrypting the session key (i.e. keeping the session key constant, therefor you don't need to reencrypt the data, just create a new keypair and reencrypt the session key)... but that would be a huge hack.

From what you are writing, I believe that you're trying to cover some regulatory or standards rule around key rotation.
Possibly you don't need Vault-GPG at all, just Vault! Vault provides easy key rotation for the Vault store through rekey and rotate. So if you can, for example, encrypt your data with the Vault API, or just store your data in the Vault Key-Value store, then that might already fulfill your requirements. If you definitely need GPG support you may be able to store the GPG private key in Vault and rotate the Vault key that governs access to the GPG keyring to solve your requirement?

I hope this helps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LeSuisse @jdelic @fear1226