@Hattivat KES does not use the Vault transit engine but the K/V engine. Keys are generated by KES itself, not by Vault. Hence, Vault key rotation does not apply. Further, KES implements key generation/encryption such that these limits do not apply. You cannot exceed the cryptographic bounds on how often you can call the GenerateKey API in practice.
The limits you are referring to arise from a sub-optimal implementation that puts the mental overhead / burden on the user of the KMS instead of solving this problem within the KMS. KES does not require you to rotate keys. If you have to rotate for compliance reasons - which don't really care whether there is a tech. reason - simply create a new key. E.g. key-x-v1, key-x-v2, ...
Internally this is how most KMS implementations - e.g. Vault - do it anyway. They simply store some sort of map version <-> crypto. key.
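As an added illustration of the version -> key map the reply describes (example code written for this page, not KES or Vault code): rotation only appends a new version, every ciphertext carries the version it was sealed under, and decryption looks that version up, so data sealed under an older version stays readable and nothing has to be deleted. The `Keyring` type, AES-256-GCM and the 4-byte version header are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Keyring is a hypothetical illustration (not KES code) of the scheme above:
// a map version -> key where rotation only adds a version, so old data stays readable.
type Keyring struct{ versions []cipher.AEAD } // versions[i] is key version i+1
// Rotate generates a fresh AES-256 key locally and returns its version number.
func (r *Keyring) Rotate() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	block, _ := aes.NewCipher(k) // cannot fail: k is exactly 32 bytes
	g, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	r.versions = append(r.versions, g)
	return uint32(len(r.versions)), nil
}
// Encrypt always uses the newest version and records it in a 4-byte header
// that is also bound as associated data. Layout: version || nonce || ct.
func (r *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	n := len(r.versions)
	if n == 0 {
		return nil, errors.New("keyring is empty")
	}
	hdr := make([]byte, 16) // 4-byte version + 12-byte GCM nonce
	binary.BigEndian.PutUint32(hdr, uint32(n))
	if _, err := rand.Read(hdr[4:]); err != nil {
		return nil, err
	}
	return append(hdr, r.versions[n-1].Seal(nil, hdr[4:], plaintext, hdr[:4])...), nil
}
// Decrypt selects the key version named in the header, so data sealed before
// a rotation still decrypts; a tampered version field fails the tag check.
func (r *Keyring) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 16 {
		return nil, errors.New("ciphertext too short")
	}
	v := binary.BigEndian.Uint32(ct[:4])
	if v == 0 || int(v) > len(r.versions) {
		return nil, errors.New("unknown key version")
	}
	return r.versions[v-1].Open(nil, ct[4:16], ct[16:], ct[:4])
}
```

Deleting a version from the ring is the only way to make data unreadable, which is the "rotation" step a versioned KMS never performs implicitly.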
What is the problem you want to solve?
It's unclear whether key rotation for Hashicorp Vault is supported. This is important because Vault expires its keys by default after a certain number of operations ( https://developer.hashicorp.com/vault/tutorials/operations/rekeying-and-rotating ).
How do you want to solve it?
Clear documentation stating whether or not this is supported. If it is supported this needs to be clearly stated in documentation. If it is not, there needs to be a warning in documentation about needing to disable it or a tutorial on how to work around it. Would obviously also be nice if support could be added if it is missing.
Additional context
Are there alternative solutions?
No
Would your solution cause a major breaking API change?
No
Anything else that is important?
No