1 ===========================
2 HashiCorp Vault Integration
3 ===========================
5 HashiCorp `Vault`_ can be used as a secure key management service for
6 `Server-Side Encryption`_ (SSE-KMS).
10 +---------+ +---------+ +-------+ +-------+
11 | Client | | RadosGW | | Vault | | OSD |
12 +---------+ +---------+ +-------+ +-------+
14 | key for key ID | | |
15 |-----------------+---------------->| |
19 |---------------->| request secret | |
20 | | key for key ID | |
21 | |---------------->| |
22 | |<----------------| |
26 | | encrypt object | |
27 | | with secret key | |
28 | |--------------+ | |
30 | |<-------------+ | |
32 | | store encrypted | |
34 | |------------------------------>|
36 #. `Vault secrets engines`_
37 #. `Vault authentication`_
38 #. `Vault namespaces`_
39 #. `Create a key in Vault`_
40 #. `Configure the Ceph Object Gateway`_
43 Some examples below use the Vault command line utility to interact with
44 Vault. You may need to set the following environment variable with the correct
45 address of your Vault server to use this utility::
47 export VAULT_ADDR='http://vault-server:8200'
52 Vault provides several secrets engines, which can store, generate, and encrypt
53 data. Currently, the Object Gateway supports:
55 - `KV secrets engine`_ version 2
61 The KV secrets engine is used to store arbitrary key/value secrets in Vault. To
62 enable the KV engine version 2 in Vault, use the following command::
64 vault secrets enable kv-v2
66 The Object Gateway can be configured to use the KV engine version 2 with the
69 rgw crypt vault secret engine = kv
71 Transit secrets engine
72 ----------------------
74 The transit engine handles cryptographic functions on data in-transit. To enable
75 it in Vault, use the following command::
77 vault secrets enable transit
79 The Object Gateway can be configured to use the transit engine with the
82 rgw crypt vault secret engine = transit
87 Vault supports several authentication mechanisms. Currently, the Object
88 Gateway can be configured to authenticate to Vault using the
89 `Token authentication method`_ or a `Vault agent`_.
94 .. note:: Token authentication is not recommended for production environments.
96 The token authentication method expects a Vault token to be present in a
97 plaintext file. The Object Gateway can be configured to use token authentication
98 with the following settings::
100 rgw crypt vault auth = token
101 rgw crypt vault token file = /etc/ceph/vault.token
102 rgw crypt vault addr = http://vault-server:8200
104 For security reasons, the token file must be readable by the Object Gateway
105 only. Also, the Object Gateway should be given a Vault token with a restricted
106 policy that allows it to fetch keyrings from a specific path only. Such a policy
107 can be created in Vault using the command line utility as in the following
110 vault policy write rgw-kv-policy -<<EOF
111 path "secret/data/*" {
112 capabilities = ["read"]
116 vault policy write rgw-transit-policy -<<EOF
117 path "transit/export/encryption-key/*" {
118 capabilities = ["read"]
122 Once the policy is created, a token can be generated by a Vault administrator::
124 vault token create -policy=rgw-kv-policy
130 token s.72KuPujbc065OdWB71poOmIq
131 token_accessor jv95ZYBUFv6Ss84x7SCSy6lZ
134 token_policies ["default" "rgw-kv-policy"]
136 policies ["default" "rgw-kv-policy"]
138 The actual token, displayed in the ``Value`` column of the first line of the
139 output, must be saved in a file as plaintext.
144 The Vault agent is a client daemon that provides authentication to Vault and
145 manages token renewal and caching. It typically runs on the same host as the
146 Object Gateway. With a Vault agent, it is possible to use other Vault
147 authentication mechanism such as AppRole, AWS, Certs, JWT, and Azure.
149 The Object Gateway can be configured to use a Vault agent with the following
152 rgw crypt vault auth = agent
153 rgw crypt vault addr = http://localhost:8100
158 In the Enterprise version, Vault supports the concept of `namespaces`_, which
159 allows centralized management for teams within an organization while ensuring
160 that those teams operate within isolated environments known as tenants.
162 The Object Gateway can be configured to access Vault within a particular
163 namespace using the following configuration setting::
165 rgw crypt vault namespace = tenant1
167 Create a key in Vault
168 =====================
170 .. note:: Keys for server-side encryption must be 256-bit long and base-64
176 A key for server-side encryption can be created in the KV version 2 engine using
177 the command line utility, as in the following example::
179 vault kv put secret/myproject/mybucketkey key=$(openssl rand -base64 32)
183 ====== Metadata ======
186 created_time 2019-08-29T17:01:09.095824999Z
191 Note that in the KV secrets engine, secrets are stored as key-value pairs, and
192 the Gateway expects the key name to be ``key``, i.e. the secret must be in the
193 form ``key=<secret key>``.
195 Using the Transit engine
196 ------------------------
198 Keys created with the Transit engine must be exportable in order to be used for
199 server-side encryption with the Object Gateway. An exportable key can be created
200 with the command line utility as follows::
202 vault write -f transit/keys/mybucketkey exportable=true
204 The command above creates a keyring, which contains a key of type
205 ``aes256-gcm96`` by default. To verify that the key was correctly created, use
206 the following command::
208 vault read transit/export/encryption-key/mybucketkey/1
214 keys map[1:-gbTI9lNpqv/V/2lDcmH2Nq1xKn6FPDWarCmFM2aNsQ=]
218 Note that in order to read the key created with the Transit engine, the full
219 path must be provided including the key version.
221 Configure the Ceph Object Gateway
222 =================================
224 Edit the Ceph configuration file to enable Vault as a KMS backend for
225 server-side encryption::
227 rgw crypt s3 kms backend = vault
229 Choose the Vault authentication method, e.g.::
231 rgw crypt vault auth = token
232 rgw crypt vault token file = /etc/ceph/vault.token
233 rgw crypt vault addr = http://vault-server:8200
237 rgw crypt vault auth = agent
238 rgw crypt vault addr = http://localhost:8100
240 Choose the secrets engine::
242 rgw crypt vault secret engine = kv
246 rgw crypt vault secret engine = transit
248 Optionally, set the Vault namespace where encryption keys will be fetched from::
250 rgw crypt vault namespace = tenant1
252 Finally, the URLs where the Gateway will retrieve encryption keys from Vault can
253 be restricted by setting a path prefix. For instance, the Gateway can be
254 restricted to fetch KV keys as follows::
256 rgw crypt vault prefix = /v1/secret/data
258 Or, in the case of exportable transit keys::
260 rgw crypt vault prefix = /v1/transit/export/encryption-key
262 In the example above, the Gateway would only fetch transit encryption keys under
263 ``http://vault-server:8200/v1/transit/export/encryption-key``.
268 When uploading an object to the Gateway, provide the SSE key ID in the request.
269 As an example, using the AWS command-line client::
271 aws --endpoint=http://radosgw:8000 s3 cp plaintext.txt s3://mybucket/encrypted.txt --sse=aws:kms --sse-kms-key-id myproject/mybucketkey
273 The Object Gateway will fetch the key from Vault, encrypt the object and store
274 it in the bucket. Any request to download the object will make the Gateway
275 automatically retrieve the correspondent key from Vault and decrypt the object.
277 Note that the secret will be fetched from Vault using a URL constructed by
278 concatenating the base address (``rgw crypt vault addr``), the (optional)
279 URL prefix (``rgw crypt vault prefix``), and finally the key ID. In the example
280 above, the Gateway would fetch the secret from::
282 http://vaultserver:8200/v1/secret/data/myproject/mybucketkey
284 .. _Server-Side Encryption: ../encryption
285 .. _Vault: https://www.vaultproject.io/docs/
286 .. _Token authentication method: https://www.vaultproject.io/docs/auth/token.html
287 .. _Vault agent: https://www.vaultproject.io/docs/agent/index.html
288 .. _KV Secrets engine: https://www.vaultproject.io/docs/secrets/kv/
289 .. _Transit engine: https://www.vaultproject.io/docs/secrets/transit
290 .. _namespaces: https://www.vaultproject.io/docs/enterprise/namespaces/index.html