PGP decryption seal keys fails since version 1.13.0 #25965

Closed
rvos-73 opened this issue Mar 15, 2024 · 0 comments · Fixed by #27767
Comments


rvos-73 commented Mar 15, 2024

Describe the bug
Since version 1.13.0 we are unable to decrypt the PGP-encrypted seal keys generated by Vault. This change seems to be the culprit: #16224

To Reproduce
Initialising Vault on the v1/sys/init endpoint with PGP keys configured returns keys_base64, which we cannot decrypt anymore.

echo "<key>" |base64 -d |gpg -dvvv
gpg: using character set 'utf-8'
# off=0 ctb=c1 tag=1 hlen=2 plen=94 new-ctb
:pubkey enc packet: version 3, algo 18, keyid 09F9C9B784CF56AE
	data: [263 bits]
	data: [392 bits]
gpg: public key is 0x09F9C9B784CF56AE
gpg: using subkey 0x09F9C9B784CF56AE instead of primary key 0xAF43259C18181A3F
gpg: pinentry launched (17986 gnome3 1.1.0 - xterm-256color :100)
# off=96 ctb=d2 tag=18 hlen=2 plen=113 new-ctb
:encrypted data packet:
	length: 113
	mdc_method: 2
gpg: using subkey 0x09F9C9B784CF56AE instead of primary key 0xAF43259C18181A3F
gpg: encrypted with 256-bit ECDH key, ID 0x09F9C9B784CF56AE, created 2024-03-15
      "<my identity>"
gpg: public key decryption failed: Wrong secret key used
gpg: decryption failed: No secret key

Expected behavior
If I perform the exact same procedure on version 1.12.x:

echo -n "<key>" |base64 -d|gpg -dvvv
gpg: using character set 'utf-8'
# off=0 ctb=c1 tag=1 hlen=2 plen=78 new-ctb
:pubkey enc packet: version 3, algo 18, keyid 09F9C9B784CF56AE
	data: [263 bits]
	data: [264 bits]
gpg: public key is 0x09F9C9B784CF56AE
gpg: using subkey 0x09F9C9B784CF56AE instead of primary key 0xAF43259C18181A3F
gpg: public key encrypted data: good DEK
# off=80 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
	length: unknown
	mdc_method: 2
gpg: using subkey 0x09F9C9B784CF56AE instead of primary key 0xAF43259C18181A3F
gpg: encrypted with 256-bit ECDH key, ID 0x09F9C9B784CF56AE, created 2024-03-15
      "<my identity>"
gpg: AES encrypted data
# off=101 ctb=cb tag=11 hlen=2 plen=0 partial new-ctb
:literal data packet:
	mode t (74), created 0, name="",
	raw data: unknown length
gpg: original file name=''
<unseal key>: decryption okay

Environment:
Working version: 1.12.x
Failing versions: everything after

The deployment is on k8s with https://helm.releases.hashicorp.com/vault

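The packet sizes in the two gpg dumps can be checked without gpg or a private key. The following Python is an added example, not code from the issue or from Vault: it parses a v3 Public-Key Encrypted Session Key packet (tag 1) addressed to an ECDH (algorithm 18) recipient and reports the two fields gpg prints as "data: [N bits]". The inputs are constructed to have the same byte layout as the two captures (plen=78 with a 33-octet second field, plen=94 with a 49-octet second field); they are not real ciphertexts, and the key ID is copied from the dumps only so the output lines up. Reading the second field back through the RFC 6637 layout (one-octet symmetric algorithm id, session key, two-octet checksum, PKCS#5 padding to an 8-octet boundary, then the 8 octets AES key wrap adds) gives a 16-byte session key for the 1.12.x capture and a 32-byte one for the 1.13.0 capture. That is what the dumps show about the packet shape; the issue does not name it as the cause of the failure.

```python
"""Parse an OpenPGP PKESK (tag 1) packet for an ECDH recipient and report the
field sizes gpg prints as "data: [N bits]".

Assumptions (not stated on the page): new-format packet headers with a one- or
two-octet body length, RFC 6637 layout for the ECDH fields, and gpg displaying
the wrapped-key field as an opaque MPI that includes its length octet.
Sample packets are constructed to match the byte lengths in the gpg dumps.
"""
import struct

ECDH = 18
SYM_KEY_SIZES = {16: "AES-128", 24: "AES-192", 32: "AES-256"}


def read_new_format_header(buf: bytes, off: int = 0):
    """Return (tag, body_offset, body_len) for a new-format CTB (0xC0 | tag)."""
    ctb = buf[off]
    if ctb & 0xC0 != 0xC0:
        raise ValueError("not a new-format packet header (ctb=%#x)" % ctb)
    tag = ctb & 0x3F
    first = buf[off + 1]
    if first < 192:                       # one-octet length
        return tag, off + 2, first
    if first < 224:                       # two-octet length
        return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
    raise ValueError("partial and five-octet lengths are not handled here")


def read_mpi(buf: bytes, off: int):
    """Read a Multi-Precision Integer: 2-octet bit count, then the octets."""
    nbits = struct.unpack(">H", buf[off:off + 2])[0]
    nbytes = (nbits + 7) // 8
    return nbits, buf[off + 2:off + 2 + nbytes], off + 2 + nbytes


def infer_session_key(wrapped_len: int) -> str:
    """Undo the RFC 6637 wrapping layout to recover the session key size:
    m = alg_id(1) || key || checksum(2) || PKCS#5 padding to an 8-octet
    boundary; AES key wrap (RFC 3394) then adds 8 octets."""
    for key_len, name in SYM_KEY_SIZES.items():
        m_len = 1 + key_len + 2
        padded = m_len + (8 - m_len % 8)      # PKCS#5 always adds 1..8 octets
        if padded + 8 == wrapped_len:
            return name
    return "unknown"


def parse_ecdh_pkesk(buf: bytes) -> dict:
    """Parse a v3 PKESK for an ECDH recipient into its visible fields."""
    tag, body, plen = read_new_format_header(buf)
    if tag != 1:
        raise ValueError("expected PKESK (tag 1), got tag %d" % tag)
    end = body + plen
    version = buf[body]
    keyid = buf[body + 1:body + 9].hex().upper()
    algo = buf[body + 9]
    if version != 3 or algo != ECDH:
        raise ValueError("only v3 PKESK with ECDH (algo 18) is handled")
    # First field: ephemeral public point as an MPI (0x40 || 32 octets for
    # cv25519 gives the 263-bit value seen in both dumps).
    point_bits, _point, off = read_mpi(buf, body + 10)
    # Second field: one length octet followed by the AES-key-wrapped material.
    wrapped_len = buf[off]
    off += 1 + wrapped_len
    if off != end:
        raise ValueError("PKESK body length does not match its fields")
    return {
        "version": version,
        "keyid": keyid,
        "algo": algo,
        "point_bits": point_bits,
        "wrapped_field_bits": (1 + wrapped_len) * 8,   # as gpg prints it
        "session_key": infer_session_key(wrapped_len),
    }


def build_pkesk(keyid_hex: str, wrapped_len: int) -> bytes:
    """Construct a v3 ECDH PKESK with a cv25519-shaped point and a wrapped
    field of the given length.  Placeholder bytes, not real ciphertext."""
    point = b"\x40" + bytes(range(1, 33))                # 0x40 || 32 octets
    body = bytes([3]) + bytes.fromhex(keyid_hex) + bytes([ECDH])
    body += struct.pack(">H", 263) + point
    body += bytes([wrapped_len]) + bytes([0xAA]) * wrapped_len
    return bytes([0xC0 | 1, len(body)]) + body           # one-octet length


KEYID = "09F9C9B784CF56AE"
# Shape of the 1.12.x capture: plen=78, second field printed as [264 bits].
OLD_PKESK = build_pkesk(KEYID, 32)
# Shape of the 1.13.0 capture: plen=94, second field printed as [392 bits].
NEW_PKESK = build_pkesk(KEYID, 48)

if __name__ == "__main__":
    for label, pkt in (("1.12.x", OLD_PKESK), ("1.13.0", NEW_PKESK)):
        print(label, "plen=%d" % pkt[1], parse_ecdh_pkesk(pkt))
```

Running the module prints one line per constructed packet; feeding it the first packet of a real keys_base64 value (base64-decoded) works the same way as long as the PKESK uses a one- or two-octet length, which both dumps do.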