
Transit Secret Engine rewrap with a specific key version

See original GitHub issue

Describe the bug
Not able to rewrap keys using a specific key version. The rewrap operation always rewraps with the latest key version.

I have 3 versions of a named key. I want to rewrap some ciphertext using version 2, but currently I'm not able to rewrap it with key version 2; instead it's rewrapping with the latest key (version 3).

VaultSharp Version 1.6.0.3

Vault Version 1.6.2

Does this work with Vault CLI? Yes

Sample Code Snippet

    var rewrapOptions = new RewrapRequestOptions
    {
        BatchedRewrapItems = new List<DecryptionItem>
        {
            new RewrapItem { CipherText = keys[0] },
            new RewrapItem { CipherText = keys[1] },
            new RewrapItem { CipherText = keys[2] }
        },
        // Intended to rewrap every item with key version 2
        KeyVersion = 2
    };

    Secret<EncryptionResponse> rewrapResponse = vaultClient.V1.Secrets.Transit
        .RewrapAsync(encryptionKeyName, rewrapOptions, mountPoint)
        .GetAwaiter()
        .GetResult();

Exception Details/Stack Trace/Error Message
No Error Message or Exception Thrown

Any additional info
I believe the issue lies in how the RewrapItem and RewrapRequestOptions are written. According to the api-docs of Vault, the RewrapItem should contain the key_version instead of the RewrapRequestOptions. KeyVersion in RewrapRequestOptions is simply being ignored at the moment.

Please refer: https://www.vaultproject.io/api-docs/secret/transit#rewrap-data

Top GitHub Comments

rajanadar commented, Feb 22, 2021

Thanks for the detailed bug description, @konidev20.

I understood my mistake. The root level KeyVersion field is useless. Vault doesn’t care about it, and VaultSharp is not propagating it to the individual RewrapItems.

I will release a fix for this, by removing the root-level KeyVersion as the only change. This is because the individual RewrapItem class already has a KeyVersion field that you can specify per item.

So please use the following to get unblocked. As a nice-to-have, I will remove the root-level version field and release a cleaner library later with other critical changes.

    var rewrapOptions = new RewrapRequestOptions
    {
        BatchedRewrapItems = new List<DecryptionItem>
        {
            // Add the specific KeyVersion at the item level.
            new RewrapItem { CipherText = keys[0], KeyVersion = 2 },
            new RewrapItem { CipherText = keys[1], KeyVersion = 2 },
            new RewrapItem { CipherText = keys[2], KeyVersion = 2 }
        },

        // KeyVersion = 2  -- Remove this line
    };

Let me know if there are any issues.
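The API contract this issue turns on (key_version belongs on each batch_input item, not at the top level) and the check a practitioner wants afterwards (did the returned ciphertext really land on the requested key version?), as an added Python example. This is not code from the issue or from VaultSharp: it builds the JSON body for Vault's POST /v1/<mount>/rewrap/<key> in the shape the Vault transit API docs describe, which is what VaultSharp's RewrapItem serializes, and inspects a response. The ciphertexts and the response are constructed for the demo, and the `vault:v<N>:` prefix is the standard Vault transit ciphertext format; nothing is sent to a Vault server.

```python
"""Vault transit rewrap: key_version goes on each batch_input item, and the
returned ciphertext tells you which key version was really used.

Added example, not code from the issue or from VaultSharp. Builds the JSON
body for POST /v1/<mount>/rewrap/<key> in the shape the Vault transit API
docs describe (the same shape VaultSharp's RewrapItem serializes) and checks
a response. Ciphertexts and the response below are constructed; no Vault
server is contacted.
"""
import json
import re

# Vault transit ciphertext is "vault:v<key version>:<base64 payload>".
_CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/=]+)$")


def ciphertext_version(ciphertext):
    """Key version encoded in a transit ciphertext, or None if malformed."""
    match = _CIPHERTEXT_RE.match(ciphertext)
    return int(match.group(1)) if match else None


def build_rewrap_body(ciphertexts, key_version):
    """Request body for a batch rewrap to a specific key version.

    key_version is placed on every batch_input item. As the maintainer notes
    above, a key_version next to batch_input at the top level is not applied
    to the items, so it is deliberately absent here.
    """
    return {
        "batch_input": [
            {"ciphertext": ct, "key_version": key_version} for ct in ciphertexts
        ]
    }


def check_rewrap_response(requested_version, response_body):
    """Positions in batch_results whose ciphertext is not under
    requested_version, or that carry a per-item error.
    An empty list means every item was rewrapped as requested."""
    bad = []
    for index, item in enumerate(response_body["data"]["batch_results"]):
        if "error" in item:
            bad.append(index)
            continue
        if ciphertext_version(item.get("ciphertext", "")) != requested_version:
            bad.append(index)
    return bad


if __name__ == "__main__":
    # Constructed: three ciphertexts under key version 1 (payloads are dummy base64).
    old = ["vault:v1:QUFB", "vault:v1:QkJC", "vault:v1:Q0ND"]
    body = build_rewrap_body(old, key_version=2)
    print(json.dumps(body, indent=2))

    # Constructed response: item 1 came back under the latest key (v3) instead
    # of v2, which is exactly the symptom reported in the issue.
    fake_response = {"data": {"batch_results": [
        {"ciphertext": "vault:v2:REREA=="},
        {"ciphertext": "vault:v3:RUVF"},
        {"ciphertext": "vault:v2:RkZG"},
    ]}}
    print("items not on v2:", check_rewrap_response(2, fake_response))  # [1]
```

Running `check_rewrap_response` on the real response after each rewrap call turns the silent misbehaviour described in the issue (no error, wrong key version) into a detectable condition, which matters when a rotation policy requires old data to sit under a particular key version.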
