Appendix: Rekeying and rotating Vault

6min

If you install and configure HashiCorp Vault without HSM Auto Unseal, Vault employs Shamir's Secret Sharing Algorithm to prevent one person from having complete access to the system. This process divides a secret into a subset of parts so that you need a subset of those parts to reconstruct the original secret. Vault makes heavy use of this algorithm as part of the unsealing process.
When you initialize a Vault server, Vault generates a root key (previously known as master key) and splits this root key into a series of key shares following Shamir's Secret Sharing Algorithm. The root key decrypts the underlying encryption key. Vault uses the encryption key to encrypt data at rest in a storage backend such as Integrated Storage.
Distribute each of these key shares to trusted parties in the organization. These parties must then come together to unseal the Vault by entering their key share.
In some cases, such as the following ones, you might want to re-generate the root key and its key shares:
Someone joins or leaves the organization.
Security wants to change the number of shares or threshold.
Compliance mandates the keys be rotated at regular intervals.
In addition to rekeying the root key, you might need to rotate the underlying encryption key Vault uses to encrypt data at rest.
In Vault, rekeying and rotating are two separate operations. Rekeying is the process of generating a new root key and applying Shamir's algorithm. Key rotation is the process of generating a new encryption key for Vault.
When you deploy Vault with HSM Auto Unseal, the initial Vault server setup involves generating a root key on the KMES Series 3 and a set of recovery keys. With Auto Unseal, you create recovery keys instead of unseal keys.
Rekeying Vault
To rekey the Vault with HSM Auto Unseal configured, use the vault operator rekey command with the -target=recovery flag. This command generates a new set of recovery keys. It does not generate a new root key on the KMES Series 3. The process can optionally modify the total number of recovery key shares or the recovery key threshold required. Note that recovery keys cannot decrypt the root key; they are purely for authorization purposes.
1
Run the following command to initialize the rekeying operation, modifying the key shares and key threshold values: 
Shell
vault operator rekey -target=recovery -init -key-shares=3 -key-threshold=2
vault operator rekey -target=recovery -init -key-shares=3 -key-threshold=2
﻿
This command generates a nonce value and starts the rekeying process, as shown in the following example output. All other unseal keys must also provide this nonce value. This nonce value is not a secret, so it is safe to distribute over insecure channels like chat or email.
Shell
Key                      Value
---                      -----
Nonce                    52bd8754-07f8-7ec9-811c-3bc23bbaee6b
Started                  true
Rekey Progress           0/2
New Shares               3
New Threshold            2
Verification Required    false
Key                      Value
---                      -----
Nonce                    52bd8754-07f8-7ec9-811c-3bc23bbaee6b
Started                  true
Rekey Progress           0/2
New Shares               3
New Threshold            2
Verification Required    false
﻿
2
Each key holder runs the following command, specifying their unique recovery key in the last field instead of this example recovery key ( 8iJCZkAqmFcIh7KyTQcyH7p/dPVFOUsEnSq/p5E1g9KX):
Shell
vault operator rekey -target=recovery -nonce="52bd8754-07f8-7ec9-811c-3bc23bbaee6b" 8iJCZkAqmFcIh7KyTQcyH7p/dPVFOUsEnSq/p5E1g9KX
vault operator rekey -target=recovery -nonce="52bd8754-07f8-7ec9-811c-3bc23bbaee6b" 8iJCZkAqmFcIh7KyTQcyH7p/dPVFOUsEnSq/p5E1g9KX
﻿
Example output:
Shell
Key                      Value
---                      -----
Nonce                    52bd8754-07f8-7ec9-811c-3bc23bbaee6b
Started                  true
Rekey Progress           1/2
New Shares               3
New Threshold            2
Verification Required    false
Key                      Value
---                      -----
Nonce                    52bd8754-07f8-7ec9-811c-3bc23bbaee6b
Started                  true
Rekey Progress           1/2
New Shares               3
New Threshold            2
Verification Required    false
﻿
3
Repeat the step to complete the rekey operation. When the final unseal key holder enters their key, Vault outputs the new recovery keys. 
Example output:
Shell
Key 1: 0e9TjZQOiVQp7mk0nK0y564oLyB3GbtqrObhSOQ4h54b
Key 2: GQc6jEVQoAslc5l9/Z6ErIfuV6l6TaOrHzuXBj/6H3rp
Key 3: /hF1PBAmFs0k3o3DRVHkaTFzXQfLt6ELOW/nheaR9G2G

Operation nonce: 52bd8754-07f8-7ec9-811c-3bc23bbaee6b

Vault recovery keys rekeyed with 3 key shares and a key threshold of 2. Please
securely distribute the key shares printed above.
Key 1: 0e9TjZQOiVQp7mk0nK0y564oLyB3GbtqrObhSOQ4h54b
Key 2: GQc6jEVQoAslc5l9/Z6ErIfuV6l6TaOrHzuXBj/6H3rp
Key 3: /hF1PBAmFs0k3o3DRVHkaTFzXQfLt6ELOW/nheaR9G2G

Operation nonce: 52bd8754-07f8-7ec9-811c-3bc23bbaee6b

Vault recovery keys rekeyed with 3 key shares and a key threshold of 2. Please
securely distribute the key shares printed above.
﻿
Rotating the encryption key
Unlike rekeying the Vault, rotating the Vault encryption key does not require a quorum of recovery keys. Anyone with the proper permissions in Vault can perform the encryption key rotation. You can rotate keys automatically or manually.
With Vault 1.7 and later, Vault automatically rotates the backend encryption key before reaching 232 encryption operations, in adherence with NIST SP800-32D guidelines. 
Adjust automatic key rotation
1
Run the following command to view the current automatic rotation policy:
Shell
vault read sys/rotate/config
vault read sys/rotate/config
﻿
This returns the current status and configuration of automatic encryption key rotation, as shown in the following output example.
Example output:
Shell
Key               Value
---               -----
enabled           true
interval          0
max_operations    3865470566
Key               Value
---               -----
enabled           true
interval          0
max_operations    3865470566
﻿
2
Run the following command to configure a time interval for automatic key rotation:
Shell
vault write sys/rotate/config interval=2160h
vault write sys/rotate/config interval=2160h
﻿
Example output:
Shell
Success! Data written to: sys/rotate/config
Success! Data written to: sys/rotate/config
﻿
3
Run the following command to configure the maximum number of encryption operations per key: 
Shell
vault write sys/rotate/config max_operations=123456789
vault write sys/rotate/config max_operations=123456789
﻿
Example output:
Shell
Success! Data written to: sys/rotate/config
Success! Data written to: sys/rotate/config
﻿
Perform manual key rotation
1
Run the following command to trigger a key rotation:
Shell
vault operator rotate
vault operator rotate
﻿
Example output: The output displays the key version and installation time.
Shell
Success! Rotated key

Key Term            2
Install Time        14 Nov 23 21:47 UTC
Encryption Count    1
Success! Rotated key

Key Term            2
Install Time        14 Nov 23 21:47 UTC
Encryption Count    1
﻿
This adds a new key to the keyring. This new key encrypts all new values written to the storage backend.
Continuity of operations
Similar to the process with Shamir's Secret Sharing, both rekeying and rotating operations with HSM Auto Unseal are fully online operations. Vault continues to service requests uninterrupted during these processes.

Updated 11 Feb 2024

Did this page help you?

Configure the Futurex PKCS #11 library with Vault

PKCS #12 Secret Export