Vault HSM Vault-Root Token #430

Open
l4z41 opened this issue Apr 9, 2024 · 1 comment
Labels
kind/support Categorizes issue or PR as support questions.

Comments

@l4z41

l4z41 commented Apr 9, 2024

Hi folks,
I'm testing the HSM integration from vault-operator with a Nitrokey HSM, which works with the following example of yours.
Here is a log excerpt from kubectl logs -f vault-0 bank-vaults:

time=2024-04-09T17:45:46.209Z level=INFO msg="HSM Information {CryptokiVersion:{Major:2 Minor:20} ManufacturerID:OpenSC Project Flags:0 LibraryDescription:OpenSC smartcard framework LibraryVersion:{Major:0 Minor:24}}"
time=2024-04-09T17:45:46.212Z level=INFO msg="HSM Searching for slot in HSM slots [{ctx:0xc00088ce88 id:0}]"
time=2024-04-09T17:45:46.212Z level=INFO msg="found HSM slot 0 in HSM by slot ID"
time=2024-04-09T17:45:46.252Z level=INFO msg="HSM TokenInfo {Label:SmartCard-HSM (UserPIN) ManufacturerID:www.CardContact.de Model:PKCS#15 emulated SerialNumber:DENK0300782 Flags:1037 MaxSessionCount:0 SessionCount:0 MaxRwSessionCount:0 RwSessionCount:0 MaxPinLen:15 MinPinLen:6 TotalPublicMemory:18446744073709551615 FreePublicMemory:18446744073709551615 TotalPrivateMemory:18446744073709551615 FreePrivateMemory:18446744073709551615 HardwareVersion:{Major:24 Minor:13} FirmwareVersion:{Major:3 Minor:5} UTCTime:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}"
time=2024-04-09T17:45:46.254Z level=INFO msg="HSM SlotInfo for slot 0: {SlotDescription:Nitrokey Nitrokey HSM (DENK03007820000         ) 00 00 ManufacturerID: Flags:7 HardwareVersion:{Major:0 Minor:0} FirmwareVersion:{Major:0 Minor:0}}"
time=2024-04-09T17:45:46.358Z level=INFO msg="found objects with label \"bank-vaults\" in HSM"
time=2024-04-09T17:45:46.358Z level=INFO msg="this HSM doesn't support on-device encryption, extracting public key and doing encryption on the computer"
time=2024-04-09T17:45:46.358Z level=INFO msg="no storage backend specified for HSM, using on device storage"
2024/04/09 17:45:46 INFO joining leader vault...
2024/04/09 17:45:46 INFO vault metrics exporter enabled: :9091/metrics
2024/04/09 17:45:47 INFO joining raft cluster...
2024/04/09 17:45:47 INFO vault is already initialized, skipping raft join
2024/04/09 17:45:47 INFO vault is sealed, unsealing
2024/04/09 17:45:51 INFO successfully unsealed vault

Data is written to the HSM; output of pkcs11-tool --list-objects:


Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      bank-vaults
  ID:         00f066a87ba8511fffb0382d4650aeda5b0709e9
  Usage:      encrypt, verify, wrap
  Access:     none
Profile object 1333124656
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)
Data object 1333119184
  label:          'vault-test'
  application:    'vault-test'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119280
  label:          'vault-unseal-0'
  application:    'vault-unseal-0'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119376
  label:          'vault-unseal-1'
  application:    'vault-unseal-1'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119472
  label:          'vault-unseal-2'
  application:    'vault-unseal-2'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119568
  label:          'vault-unseal-3'
  application:    'vault-unseal-3'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119664
  label:          'vault-unseal-4'
  application:    'vault-unseal-4'
  app_id:         <empty>
  flags:           modifiable
Data object 1333119760
  label:          'vault-root'
  application:    'vault-root'
  app_id:         <empty>
  flags:           modifiable

An additional thing: I switched to serviceType: LoadBalancer, which exposes Vault on an external IP address so that I have a UI available.

Now to my main question: how do I log in to the new Vault instance, as vault-root is saved to the HSM, or create an admin token for further configuration? Any pointer in the right direction is much appreciated.

I tried to read out the value, which gives me gibberish:
pkcs15-tool --read-data-object vault-root -o vault-root
pkcs11-tool --read-object --type data --label vault-root --pin XXXXXXX --output-file vault-root
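As an added example that is not part of the issue or of the bank-vaults project: a POSIX shell script that recovers the root token the way the log above implies is necessary. The line "this HSM doesn't support on-device encryption, extracting public key and doing encryption on the computer" means the vault-root data object is not the token itself but RSA ciphertext produced under the "bank-vaults" public key, which is why reading the object back with pkcs15-tool or pkcs11-tool yields gibberish. Only a decrypt operation with the matching private key, which stays on the Nitrokey, turns it back into the token. Assumed, not confirmed by the issue: the mechanism is RSA-OAEP with SHA-1 or SHA-256 as the hash (the script tries both), the key is selected by the ID shown in the pkcs11-tool --list-objects output, and the installed OpenSC pkcs11-tool supports --decrypt and the env:VARIABLE form of --pin.

```shell
#!/bin/sh
# Added example, not bank-vaults project code: recover a bank-vaults data object
# ("vault-root" by default) from the Nitrokey HSM and decrypt it on the token.
#
# Assumptions (not confirmed by the issue): the objects were written by the
# software path in the log above, i.e. RSA-OAEP under the "bank-vaults" public
# key, with SHA-1 or SHA-256 as OAEP hash; KEY_ID defaults to the ID printed by
# pkcs11-tool --list-objects above. Run with RUN_HSM=1 and PIN set; sourcing the
# file only defines the functions.
set -eu

KEY_ID="${KEY_ID:-00f066a87ba8511fffb0382d4650aeda5b0709e9}"
RSA_BYTES=256   # RSA-2048 modulus length: one OAEP ciphertext is exactly this long

# Plain-shell check: anything that is not exactly one modulus long cannot be a
# single RSA-OAEP ciphertext, so there is no point sending it to the token.
is_single_rsa_ciphertext() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -eq "$RSA_BYTES" ]
}

# Dump the raw data object. This is the "gibberish" from the issue: ciphertext,
# not the token. "env:PIN" is OpenSC's way of reading the PIN from the
# environment instead of putting it on the command line (visible in ps).
dump_object() {   # $1 = object label, $2 = output file
  pkcs11-tool --login --pin env:PIN --read-object --type data \
    --label "$1" --output-file "$2"
}

# Let the token decrypt with its private key, which never leaves the device.
# The OAEP hash/MGF must match what was used at write time, so try both common
# parameter sets and stop at the first one the token accepts.
decrypt_object() {   # $1 = ciphertext file, $2 = plaintext file
  in=$1; out=$2
  for variant in "SHA-1 MGF1-SHA1" "SHA256 MGF1-SHA256"; do
    set -- $variant   # $1 = hash algorithm, $2 = MGF
    if pkcs11-tool --login --pin env:PIN --decrypt --mechanism RSA-PKCS-OAEP \
         --hash-algorithm "$1" --mgf "$2" --id "$KEY_ID" \
         --input-file "$in" --output-file "$out" 2>/dev/null; then
      echo "decrypted with OAEP $1 / $2" >&2
      return 0
    fi
  done
  echo "no OAEP parameter set worked; check KEY_ID and the write-time mechanism" >&2
  return 1
}

main() {
  : "${PIN:?set PIN to the token user PIN in the environment}"
  obj=${1:-vault-root}
  umask 077                      # the plaintext file is a root token: owner-only
  dump_object "$obj" "$obj.enc"
  if ! is_single_rsa_ciphertext "$obj.enc"; then
    echo "$obj.enc is not one RSA-2048 block; not the expected ciphertext form" >&2
    exit 1
  fi
  decrypt_object "$obj.enc" "$obj.txt"
  echo "plaintext written to $obj.txt (mode 0600); use it once, then revoke it" >&2
}

if [ "${RUN_HSM:-0}" = 1 ]; then
  main "$@"
fi
```

Treat vault-root.txt as the root token it is: use it once to create a scoped operator token (vault token create with a policy attached) and then revoke the root token with vault token revoke, rather than keeping it around for day-to-day configuration. Note also that anyone who can present the user PIN to the Nitrokey can run the same decrypt, so the PIN, not the Kubernetes service type, is what governs who can recover the token.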


github-actions bot commented Jun 9, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jun 9, 2024
@ramizpolic ramizpolic added kind/support Categorizes issue or PR as support questions. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Jun 11, 2024