1 ===========================
2 HashiCorp Vault Integration
3 ===========================
5 HashiCorp `Vault`_ can be used as a secure key management service for
6 `Server-Side Encryption`_ (SSE-KMS).
8 .. ditaa:: +---------+ +---------+ +-------+ +-------+
9 | Client | | RadosGW | | Vault | | OSD |
10 +---------+ +---------+ +-------+ +-------+
12 | key for key ID | | |
13 |-----------------+---------------->| |
17 |---------------->| request secret | |
18 | | key for key ID | |
19 | |---------------->| |
20 | |<----------------| |
24 | | encrypt object | |
25 | | with secret key | |
26 | |--------------+ | |
28 | |<-------------+ | |
30 | | store encrypted | |
32 | |------------------------------>|
34 #. `Vault secrets engines`_
35 #. `Vault authentication`_
36 #. `Vault namespaces`_
37 #. `Create a key in Vault`_
38 #. `Configure the Ceph Object Gateway`_
41 Some examples below use the Vault command line utility to interact with
42 Vault. You may need to set the following environment variable with the correct
43 address of your Vault server to use this utility::
45 export VAULT_ADDR='http://vault-server:8200'
50 Vault provides several secrets engines, which can store, generate, and encrypt
51 data. Currently, the Object Gateway supports:
53 - `KV secrets engine`_ version 2
59 The KV secrets engine is used to store arbitrary key/value secrets in Vault. To
60 enable the KV engine version 2 in Vault, use the following command::
62 vault secrets enable kv-v2
64 The Object Gateway can be configured to use the KV engine version 2 with the
67 rgw crypt vault secret engine = kv
69 Transit secrets engine
70 ----------------------
72 The transit engine handles cryptographic functions on data in-transit. To enable
73 it in Vault, use the following command::
75 vault secrets enable transit
77 The Object Gateway can be configured to use the transit engine with the
80 rgw crypt vault secret engine = transit
85 Vault supports several authentication mechanisms. Currently, the Object
86 Gateway can be configured to authenticate to Vault using the
87 `Token authentication method`_ or a `Vault agent`_.
92 .. note:: Token authentication is not recommended for production environments.
94 The token authentication method expects a Vault token to be present in a
95 plaintext file. The Object Gateway can be configured to use token authentication
96 with the following settings::
98 rgw crypt vault auth = token
99 rgw crypt vault token file = /etc/ceph/vault.token
100 rgw crypt vault addr = http://vault-server:8200
102 For security reasons, the token file must be readable by the Object Gateway
103 only. Also, the Object Gateway should be given a Vault token with a restricted
104 policy that allows it to fetch keyrings from a specific path only. Such a policy
105 can be created in Vault using the command line utility as in the following
108 vault policy write rgw-kv-policy -<<EOF
109 path "secret/data/*" {
110 capabilities = ["read"]
114 vault policy write rgw-transit-policy -<<EOF
115 path "transit/export/encryption-key/*" {
116 capabilities = ["read"]
120 Once the policy is created, a token can be generated by a Vault administrator::
122 vault token create -policy=rgw-kv-policy
128 token s.72KuPujbc065OdWB71poOmIq
129 token_accessor jv95ZYBUFv6Ss84x7SCSy6lZ
132 token_policies ["default" "rgw-kv-policy"]
134 policies ["default" "rgw-kv-policy"]
136 The actual token, displayed in the ``Value`` column of the first line of the
137 output, must be saved in a file as plaintext.
142 The Vault agent is a client daemon that provides authentication to Vault and
143 manages token renewal and caching. It typically runs on the same host as the
144 Object Gateway. With a Vault agent, it is possible to use other Vault
145 authentication mechanism such as AppRole, AWS, Certs, JWT, and Azure.
147 The Object Gateway can be configured to use a Vault agent with the following
150 rgw crypt vault auth = agent
151 rgw crypt vault addr = http://localhost:8100
156 In the Enterprise version, Vault supports the concept of `namespaces`_, which
157 allows centralized management for teams within an organization while ensuring
158 that those teams operate within isolated environments known as tenants.
160 The Object Gateway can be configured to access Vault within a particular
161 namespace using the following configuration setting::
163 rgw crypt vault namespace = tenant1
165 Create a key in Vault
166 =====================
168 .. note:: Keys for server-side encryption must be 256-bit long and base-64
174 A key for server-side encryption can be created in the KV version 2 engine using
175 the command line utility, as in the following example::
177 vault kv put secret/myproject/mybucketkey key=$(openssl rand -base64 32)
181 ====== Metadata ======
184 created_time 2019-08-29T17:01:09.095824999Z
189 Note that in the KV secrets engine, secrets are stored as key-value pairs, and
190 the Gateway expects the key name to be ``key``, i.e. the secret must be in the
191 form ``key=<secret key>``.
193 Using the Transit engine
194 ------------------------
196 Keys created with the Transit engine must be exportable in order to be used for
197 server-side encryption with the Object Gateway. An exportable key can be created
198 with the command line utility as follows::
200 vault write -f transit/keys/mybucketkey exportable=true
202 The command above creates a keyring, which contains a key of type
203 ``aes256-gcm96`` by default. To verify that the key was correctly created, use
204 the following command::
206 vault read transit/export/encryption-key/mybucketkey/1
212 keys map[1:-gbTI9lNpqv/V/2lDcmH2Nq1xKn6FPDWarCmFM2aNsQ=]
216 Note that in order to read the key created with the Transit engine, the full
217 path must be provided including the key version.
219 Configure the Ceph Object Gateway
220 =================================
222 Edit the Ceph configuration file to enable Vault as a KMS backend for
223 server-side encryption::
225 rgw crypt s3 kms backend = vault
227 Choose the Vault authentication method, e.g.::
229 rgw crypt vault auth = token
230 rgw crypt vault token file = /etc/ceph/vault.token
231 rgw crypt vault addr = http://vault-server:8200
235 rgw crypt vault auth = agent
236 rgw crypt vault addr = http://localhost:8100
238 Choose the secrets engine::
240 rgw crypt vault secret engine = kv
244 rgw crypt vault secret engine = transit
246 Optionally, set the Vault namespace where encryption keys will be fetched from::
248 rgw crypt vault namespace = tenant1
250 Finally, the URLs where the Gateway will retrieve encryption keys from Vault can
251 be restricted by setting a path prefix. For instance, the Gateway can be
252 restricted to fetch KV keys as follows::
254 rgw crypt vault prefix = /v1/secret/data
256 Or, in the case of exportable transit keys::
258 rgw crypt vault prefix = /v1/transit/export/encryption-key
260 In the example above, the Gateway would only fetch transit encryption keys under
261 ``http://vault-server:8200/v1/transit/export/encryption-key``.
266 When uploading an object to the Gateway, provide the SSE key ID in the request.
267 As an example, using the AWS command-line client::
269 aws --endpoint=http://radosgw:8000 s3 cp plaintext.txt s3://mybucket/encrypted.txt --sse=aws:kms --sse-kms-key-id myproject/mybucketkey
271 The Object Gateway will fetch the key from Vault, encrypt the object and store
272 it in the bucket. Any request to download the object will make the Gateway
273 automatically retrieve the correspondent key from Vault and decrypt the object.
275 Note that the secret will be fetched from Vault using a URL constructed by
276 concatenating the base address (``rgw crypt vault addr``), the (optional)
277 URL prefix (``rgw crypt vault prefix``), and finally the key ID. In the example
278 above, the Gateway would fetch the secret from::
280 http://vaultserver:8200/v1/secret/data/myproject/mybucketkey
282 .. _Server-Side Encryption: ../encryption
283 .. _Vault: https://www.vaultproject.io/docs/
284 .. _Token authentication method: https://www.vaultproject.io/docs/auth/token.html
285 .. _Vault agent: https://www.vaultproject.io/docs/agent/index.html
286 .. _KV Secrets engine: https://www.vaultproject.io/docs/secrets/kv/
287 .. _Transit engine: https://www.vaultproject.io/docs/secrets/transit
288 .. _namespaces: https://www.vaultproject.io/docs/enterprise/namespaces/index.html