vm broker ‐ k8s ‐ kes (encrypt decrypt) vault (read secrets)
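# Connect to https://kes-k8s-minio.lab.min.dev/ and then ssh to the VM.
# StrictHostKeyChecking=off (same as "no") accepts any host key, including a changed
# one, so a MITM on the path to the VM is never detected. accept-new still records
# an unknown key on first contact but refuses a key that differs from the recorded
# one. The keepalive options only keep a long-lived session open.
ssh -p 20050 ubuntu@1.2.3.4 \
  -o 'ServerAliveInterval=5' \
  -o 'ServerAliveCountMax=100000' \
  -o 'StrictHostKeyChecking=accept-new'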
Get token
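# Log in to Vault with AppRole. The role_id/secret_id pair is a credential: take it
# from the environment rather than typing it on the command line, where it is
# recorded in ~/.bash_history, visible in `ps`, and -- as on this page -- ends up
# copied into documentation. A pair that has been published must be rotated.
# Plain http is tolerable only because 127.0.0.1:8200 is a loopback (presumably
# port-forwarded or in-pod) listener; never send a secret_id to a remote Vault over http.
: "${VAULT_ROLE_ID:?set VAULT_ROLE_ID}" "${VAULT_SECRET_ID:?set VAULT_SECRET_ID}"
jq -n --arg role_id "$VAULT_ROLE_ID" --arg secret_id "$VAULT_SECRET_ID" \
  '{role_id: $role_id, secret_id: $secret_id}' \
| curl -sS --fail \
    --request POST \
    --data @- \
    http://127.0.0.1:8200/v1/auth/approle/login | jq .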
Output — note that `auth.client_token` below is a Vault service token for `kes-policy` (300 s TTL, renewable). A token that has been pasted into a page must be treated as compromised and revoked; its accessor is shown, so `vault token revoke -accessor …` works without the token itself.
{
"request_id": "2724b4ff-f4f4-ddf4-dbc8-e8a92053285e",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "hvs.CAESIPBpl1hhBJ2a0p81JByGiZeT1MoMLwt2HTBLV55mApZDGh4KHGh2cy5kdzAwMXN6OVF5dlMwclQ0MmpmQ0g2b0Q",
"accessor": "xWmW2n4gQE9NrUZ73UpSy6fm",
"policies": [
"default",
"kes-policy"
],
"token_policies": [
"default",
"kes-policy"
],
"metadata": {
"role_name": "kes-role"
},
"lease_duration": 300,
"renewable": true,
"entity_id": "55abbdb5-7cf7-47f5-3b4d-52cde703cfd4",
"token_type": "service",
"orphan": true,
"mfa_requirement": null,
"num_uses": 0
}
}
List and get key
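# Paste the client_token from the login response at the prompt. `read -s` keeps the
# token off the terminal and out of ~/.bash_history; an `export VAULT_TOKEN="hvs..."`
# typed on the command line is recorded there and, as here, gets copied into docs.
read -r -s -p 'Vault token: ' VAULT_TOKEN && export VAULT_TOKEN
printf '\n'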
List
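# List the KES keys stored under the `my-minio` prefix. The token is passed via a
# header file (curl >= 7.55) rather than on the command line, where `ps` and shell
# tracing would expose it. -X LIST is Vault's list verb; the path layout used on this
# page (`v1/kv/<prefix>/<key>`, value directly under `.data`) is the KV v1 engine.
curl -sS --fail \
  -H @<(printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN") \
  -X LIST \
  http://127.0.0.1:8200/v1/kv/my-minio | jq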
Output
{
"request_id": "c681761d-cfa1-3a79-c6ac-4f30dff958a3",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"my-minio-key",
"vault-1"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Note: from within the Vault pod, `vault secrets list` shows the mounted secrets engines, i.e. the possible base paths; the HTTP endpoint for a mount is `v1/<path>`. The `my-minio` prefix under that mount is the one KES is configured with in its `config.yaml` as `.keystore.vault.prefix`.
Read secret
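# Read the stored key material for the KES key `vault-1`. The `bytes` value printed
# here appears to be the raw secret key KES wraps DEKs with: anyone who can read this
# path can in principle unwrap every DEK produced under `vault-1` without going through
# KES and its policy/audit controls, so keep this read to lab demos. Token goes via a
# header file (curl >= 7.55) so it is not visible in `ps`.
curl -sS --fail \
  -H @<(printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN") \
  http://127.0.0.1:8200/v1/kv/my-minio/vault-1 \
| jq '.data."vault-1" | fromjson | .bytes'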
Output
"iIgJqQj1AOnlW5kd/gdtumMYTnnZ8lXpyhqc7mpTknY="
Encrypt - KES
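# List the data keys of the client-TLS secret without dumping its contents
# (`-o yaml` prints the base64-encoded private key to the terminal).
kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o json | jq -r '.data | keys[]'
# Stream certificate and key straight from the secret into the KES pod as 0600 files.
# Pasting the base64 blobs into `echo` leaves the private key in ~/.bash_history
# (and, as on this page, in the README). Data key names are assumed to be
# public.crt and private.key -- adjust to what the listing above shows.
kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o jsonpath='{.data.private\.key}' \
  | kubectl -n tenant-kms-encrypted exec -i myminio-kes-0 -- sh -c 'umask 077; rm -f /tmp/private.key; base64 -d > /tmp/private.key'
kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o jsonpath='{.data.public\.crt}' \
  | kubectl -n tenant-kms-encrypted exec -i myminio-kes-0 -- sh -c 'umask 077; rm -f /tmp/public.crt; base64 -d > /tmp/public.crt'
# Open a shell in the KES pod; the exports below are run inside it and point the
# kes CLI at the pod's own loopback listener with the identity just copied in.
kubectl -n tenant-kms-encrypted exec -it myminio-kes-0 -- /bin/sh
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_CERT=/tmp/public.crt
export KES_CLIENT_KEY=/tmp/private.key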
Generate a new data encryption key.
# Ask KES for a fresh data encryption key wrapped under the key `vault-1`: the
# plaintext is what a client uses to encrypt data locally, the ciphertext is what
# it stores and later hands back to KES to recover the plaintext. Treat the printed
# plaintext as a secret. --insecure (= -k) skips KES server certificate verification;
# tolerable only because KES_SERVER is the pod's own loopback listener.
./kes key dek vault-1 --insecure
Output
plaintext: HnlwnC/U7weiOqo0+JFkCSISMpH9+2nRCuAD5Nd5Lm4=
ciphertext: laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBBM/n/j0CQk3JXQxiw1YkigxAzKBZwWk86Km8J0o8PEMB9aBUr+cdoDDh2H8MHgiEQmGXTRaNi4PEojOmlpg+n6waL4VW3wtE8ecGkXxpzZLg==
Show that the data encryption key can be re-obtained from its ciphertext using KES
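# Push the KES client identity into the pod over stdin as 0600 files instead of
# pasting the base64-encoded private key into the shell (it would be recorded in
# ~/.bash_history and, as on this page, in the README). Data key names are assumed
# to be public.crt / private.key -- confirm with
# `kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o json | jq -r '.data | keys[]'`.
kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o jsonpath='{.data.private\.key}' \
  | kubectl -n tenant-kms-encrypted exec -i myminio-kes-0 -- sh -c 'umask 077; rm -f /tmp/private.key; base64 -d > /tmp/private.key'
kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o jsonpath='{.data.public\.crt}' \
  | kubectl -n tenant-kms-encrypted exec -i myminio-kes-0 -- sh -c 'umask 077; rm -f /tmp/public.crt; base64 -d > /tmp/public.crt'
# Open a shell in the KES pod; everything below runs inside it.
kubectl -n tenant-kms-encrypted exec -it myminio-kes-0 -- /bin/sh
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_CERT=/tmp/public.crt
export KES_CLIENT_KEY=/tmp/private.key
# Hand the wrapped DEK back to KES; the plaintext it returns must match the one
# printed by `kes key dek`. -k skips server certificate verification (loopback only).
./kes key decrypt vault-1 "laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBBM/n/j0CQk3JXQxiw1YkigxAzKBZwWk86Km8J0o8PEMB9aBUr+cdoDDh2H8MHgiEQmGXTRaNi4PEojOmlpg+n6waL4VW3wtE8ecGkXxpzZLg==" -k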
Output
plaintext: HnlwnC/U7weiOqo0+JFkCSISMpH9+2nRCuAD5Nd5Lm4=
Importing a key into KES was considered and dropped: it would mean first creating a key (KES picks a random one), then generating a data encryption key from it, and finally importing that DEK back into KES as a key — there is no point in that round trip. Instead, the plaintext DEK from above is used directly (as a passphrase) to encrypt a large file (>32 KB) outside KES.
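# Same VM as above; accept-new instead of off so a changed host key is refused
# rather than silently accepted.
ssh -p 20050 ubuntu@1.2.3.4 \
  -o 'ServerAliveInterval=5' \
  -o 'ServerAliveCountMax=100000' \
  -o 'StrictHostKeyChecking=accept-new'
# From the VM, open a shell in the helper pod (named `ubuntu` in the current namespace).
kubectl exec -it ubuntu -- /bin/bash
# Inside the pod: fetch a >32 KB sample file. --fail keeps an HTTP error page from
# being saved as the sample text.
curl -sS --fail -o /tmp/shakespeare.txt https://ocw.mit.edu/ans7870/6/6.006/s08/lecturenotes/files/t8.shakespeare.txt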
GPG
# Symmetric (passphrase-based) AES-256 encryption. When prompted, enter the base64
# DEK printed by `kes key dek`; gpg treats it as a passphrase and derives the actual
# cipher key from it via S2K, so the DEK bytes themselves are not the AES key here.
# --no-symkey-cache keeps the passphrase out of gpg-agent's cache.
gpg --no-symkey-cache --symmetric --cipher-algo AES256 -o /tmp/shakespeare.enc /tmp/shakespeare.txt
# Input "HnlwnC/U7weiOqo0+JFkCSISMpH9+2nRCuAD5Nd5Lm4="
gpg --no-symkey-cache --decrypt -o /tmp/shakespeare.dec /tmp/shakespeare.enc
OpenSSL
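# AES-256-CBC with a passphrase (the base64 DEK typed at the prompt). Without -pbkdf2
# openssl derives the key with the legacy single-iteration EVP_BytesToKey scheme and
# warns about it; -pbkdf2 with an explicit iteration count plus -salt fixes that.
# The same KDF flags must be given on decrypt or the key will not match.
# CBC carries no integrity check: a tampered .enc may decrypt to garbage without an
# error, so do not rely on this for anything but a demo. To use the DEK as the raw
# AES key instead of as a passphrase, pass it hex-encoded via -K with an explicit -iv.
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -in /tmp/shakespeare.txt -out /tmp/shakespeare.enc
# Input "HnlwnC/U7weiOqo0+JFkCSISMpH9+2nRCuAD5Nd5Lm4="
openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -in /tmp/shakespeare.enc -out /tmp/shakespeare.dec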
Encrypt - Small files
# Encrypt a short message directly under the KES key `vault-1` (this page uses the
# encrypt API for small payloads only; larger data goes through a DEK). The output
# is a single base64 ciphertext. --insecure is the long form of -k.
./kes key encrypt vault-1 'minio vault demo on vm broker' --insecure
Output
ciphertext: laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBDQxzbDtfhgdDcRwhtF9ACixAzkmisBdYdJvCjtU43ELZ6DtxLPd3+YauUt+uy9c2jksnhhGZpIZEXvyCZiUl2K00p7IFe+SMZdcFizkw==
# Second small message encrypted under `vault-1`; the message is passed as an
# argument, which is fine for demo text but would expose a real secret via `ps`.
./kes key encrypt vault-1 "let's implement operator API keys!" --insecure
Output
ciphertext: laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBDAxcQfwSQScUU2TuwOT27WxAzq+0mEriHZmALr4OHEMkPP0yoOCu6kBjwSviNgsnrrgr9SoHo8S0Kq0xT2VFT94sZz+EhemLVruu0vzJ7TDU+O
Decrypt - KES - Small files
# Decrypt the first small-file ciphertext produced above; KES prints the recovered
# plaintext base64-encoded. --insecure (= -k) skips KES server certificate checks.
CIPHERTEXT='laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBDQxzbDtfhgdDcRwhtF9ACixAzkmisBdYdJvCjtU43ELZ6DtxLPd3+YauUt+uy9c2jksnhhGZpIZEXvyCZiUl2K00p7IFe+SMZdcFizkw=='
./kes key decrypt vault-1 "$CIPHERTEXT" --insecure
Output
bWluaW8gdmF1bHQgZGVtbyBvbiB2bSBicm9rZXI=
# The KES CLI returns the plaintext base64-encoded; decode it to the original message.
base64 -d <<<'bWluaW8gdmF1bHQgZGVtbyBvbiB2bSBicm9rZXI='
Output
minio vault demo on vm broker
# This ciphertext is not the one printed for "let's implement operator API keys!"
# in the encrypt step above -- it comes from a separate encrypt run. As the two
# ciphertexts for that message on this page show, KES produces a different
# ciphertext each time, and both decrypt to the same message.
CIPHERTEXT='laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBC5s3lcZVdFjNQy67/12nmOxAxWMIUy5aXuADUdbKXEMNn200OB3jNH9dwNGYkwY65Sclgv7F0uLFf0hQqnUTgEpi8QbNXicXfZrbY2ETbIEg=='
./kes key decrypt vault-1 "$CIPHERTEXT" --insecure
Output
bGV0J3MgaW1wbGVtZW50IG9wZXJhdG9yIEFQSSBrZXlzIQ==
# Decode the base64 plaintext returned by KES.
base64 -d <<<'bGV0J3MgaW1wbGVtZW50IG9wZXJhdG9yIEFQSSBrZXlzIQ=='
Output
let's implement operator API keys!
Manual Encryption - KES
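# Forward the KES service to localhost and keep the job's PID so the forward can be
# stopped with `kill "$PF_PID"` when done (a bare `&` leaves it orphaned).
kubectl -n tenant-kms-encrypted port-forward svc/myminio-kes-hl-svc 7373 &
PF_PID=$!
# Pull the KES client identity from the tenant secret into a private temp dir
# instead of pasting the base64 private key into the shell (it would be recorded
# in ~/.bash_history and, as on this page, in the README). mktemp -d avoids the
# predictable, world-readable /tmp/private.key; the subshell keeps umask 077 local.
# Assumes the secret's data keys are private.key / public.crt -- confirm with
# `kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o json | jq -r '.data | keys[]'`.
KES_ID_DIR=$(mktemp -d)
( umask 077
  kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o jsonpath='{.data.private\.key}' | base64 -d > "$KES_ID_DIR/private.key"
  kubectl -n tenant-kms-encrypted get secret myminio-client-tls -o jsonpath='{.data.public\.crt}' | base64 -d > "$KES_ID_DIR/public.crt" )
export KES_SERVER=https://127.0.0.1:7373
export KES_CLIENT_CERT="$KES_ID_DIR/public.crt"
export KES_CLIENT_KEY="$KES_ID_DIR/private.key"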
# Base64-encode the demo message for the REST API. Note the trailing newline is part
# of the encoded payload (hence the `...ZXIK` ending, versus `...ZXI=` from the CLI
# step, which encoded the bare string); use printf '%s' to omit it.
printf '%s\n' 'minio vault demo on vm broker' | base64
Output
bWluaW8gdmF1bHQgZGVtbyBvbiB2bSBicm9rZXIK
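# Encrypt via the KES REST API with the client certificate as identity. The
# $KES_CLIENT_* paths are quoted so a path with spaces cannot split; -sS --fail
# surfaces an HTTP error instead of an empty body. -k skips verification of the
# KES server certificate and is acceptable only because the endpoint is the local
# port-forward set up above; with the KES CA certificate at hand, replace it with
# `--cacert <path-to-kes-ca.crt>`.
curl -sS --fail \
  --key "$KES_CLIENT_KEY" \
  --cert "$KES_CLIENT_CERT" \
  --request POST \
  --data '{"plaintext":"bWluaW8gdmF1bHQgZGVtbyBvbiB2bSBicm9rZXIK"}' \
  -k "$KES_SERVER/v1/key/encrypt/vault-1"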
Output
{"ciphertext":"laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBB3OBirTz6Qumvj3KVWbe20xAzqe1kJ5CWbuG2Q8MfELse7urYwoH9jVdwfb4pL5KvMywBttWpJEDH7YaguvfJgqwpKz5Go6RO5PKldWxE="}
Manual Decryption - KES
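# Decrypt the ciphertext returned by the encrypt call; the response carries the
# plaintext base64-encoded. Variables are quoted and -sS --fail makes an HTTP error
# visible. -k (skip KES server certificate verification) is only tolerable against
# the local port-forward; use `--cacert <path-to-kes-ca.crt>` when the CA is available.
curl -sS --fail \
  --key "$KES_CLIENT_KEY" \
  --cert "$KES_CLIENT_CERT" \
  --request POST \
  --data '{"ciphertext":"laZBRVMyNTbZIGIzOWY3NjAxZTRjMzY1MDY4ZjA4ZmNmMWM2ZTc0MjhmxBB3OBirTz6Qumvj3KVWbe20xAzqe1kJ5CWbuG2Q8MfELse7urYwoH9jVdwfb4pL5KvMywBttWpJEDH7YaguvfJgqwpKz5Go6RO5PKldWxE="}' \
  -k "$KES_SERVER/v1/key/decrypt/vault-1"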
Output
{"plaintext":"bWluaW8gdmF1bHQgZGVtbyBvbiB2bSBicm9rZXIK"}
# Decode the base64 plaintext from the decrypt response (it ends in the newline
# that was encoded earlier, so the message prints on its own line).
base64 -d <<<'bWluaW8gdmF1bHQgZGVtbyBvbiB2bSBicm9rZXIK'
Output
minio vault demo on vm broker