package main
// SealConfig describes the seal configuration: how the master key is split
// (Shamir N/T), how unseal shares are handed back (optionally PGP-encrypted),
// and the transient state of an in-flight rekey/verification operation.
//
// Fields tagged `json:"-"` carry key material or progress that must never be
// persisted; only the fields with a real JSON tag are written to storage.
// Nothing in this type enforces invariants (e.g. SecretThreshold <= SecretShares,
// len(PGPKeys) == SecretShares when set); any validation lives with the code
// that populates it — TODO confirm where.
type SealConfig struct {
	// The seal type, for sanity checking. Presumably compared against the seal
	// actually in use so a config written by a different seal kind is rejected —
	// confirm in the caller.
	Type string `json:"type" mapstructure:"type"`
	// SecretShares is the number of shares the secret is split into. This is
	// the N value of Shamir.
	SecretShares int `json:"secret_shares" mapstructure:"secret_shares"`
	// SecretThreshold is the number of parts required to open the vault. This
	// is the T value of Shamir. Lowering T weakens the scheme; this struct does
	// not itself bound it.
	SecretThreshold int `json:"secret_threshold" mapstructure:"secret_threshold"`
	// PGPKeys is the array of public PGP keys used, if requested, to encrypt
	// the output unseal tokens. If provided, it sets the value of
	// SecretShares. Ordering is important: presumably share i is encrypted to
	// key i, so reordering this slice changes who can decrypt which share —
	// confirm against the rekey code.
	PGPKeys []string `json:"pgp_keys" mapstructure:"pgp_keys"`
	// Nonce is a nonce generated by Vault used to ensure that when unseal keys
	// are submitted for a rekey operation, the rekey operation itself is the
	// one intended. This prevents hijacking of the rekey operation, since it
	// is unauthenticated: the nonce is the only thing binding submitted shares
	// to a particular rekey attempt, so it must be unpredictable and per-operation.
	// Note it IS persisted (real json tag), unlike VerificationNonce below.
	Nonce string `json:"nonce" mapstructure:"nonce"`
	// Backup indicates whether or not a backup of PGP-encrypted unseal keys
	// should be stored at coreUnsealKeysBackupPath (defined elsewhere) after
	// successful rekeying. Only meaningful when PGPKeys is set — the backup is
	// of the encrypted shares, not plaintext.
	Backup bool `json:"backup" mapstructure:"backup"`
	// How many keys to store, for seals that support storage. Always 0 or 1.
	StoredShares int `json:"stored_shares" mapstructure:"stored_shares"`
	// Stores the progress of the rekey operation (key shares). Raw key
	// material: excluded from JSON so it is never written to the backend.
	// Nothing in this type zeroes it; whoever owns the SealConfig is
	// responsible for clearing it once the operation completes or is cancelled.
	RekeyProgress [][]byte `json:"-"`
	// VerificationRequired indicates that after a rekey validation must be
	// performed (via providing shares from the new key) before the new key is
	// actually installed. This is omitted from JSON as we don't persist the
	// new key, it lives only in memory.
	VerificationRequired bool `json:"-"`
	// VerificationKey is the new key that we will roll to after successful
	// validation. In-memory only (json:"-"); it is the most sensitive field
	// here, since it is the un-split new key before installation.
	VerificationKey []byte `json:"-"`
	// VerificationNonce stores the current operation nonce for verification.
	// Same hijacking-prevention role as Nonce, but for the verification step,
	// and not persisted.
	VerificationNonce string `json:"-"`
	// Stores the progress of the verification operation (key shares).
	// Key material, in-memory only; same clearing caveat as RekeyProgress.
	VerificationProgress [][]byte `json:"-"`
}
// Storage locations for recovery-seal state. These look like logical keys
// into the storage backend ("core/..."), not filesystem paths — TODO confirm
// against the backend implementation.
const (
	// recoveryKeyPath is where the recovery key is stored. Presumably this is
	// what BackendProvider.GetRecoveryKey reads, and the value is an encrypted
	// envelope rather than the raw key — verify in the implementation.
	recoveryKeyPath = "core/recovery-key"
	// recoverySealConfigPlaintextPath is where the recovery SealConfig is
	// stored. The name indicates the config is written unencrypted; that is
	// acceptable only because SealConfig's key-material fields are tagged
	// json:"-" and are never serialized here.
	recoverySealConfigPlaintextPath = "core/recovery-config"
)
// BackendProvider abstracts the storage backend that holds the recovery-seal
// data, so the recovery logic does not depend on a concrete store.
//
// NOTE(review): Go convention drops the "Get" prefix (RecoveryKey() rather
// than GetRecoveryKey()); renaming is not done here because it would break
// every implementer of this interface.
type BackendProvider interface {
	// GetRecoveryKey returns the encrypted envelope containing the recovery
	// key, as read from the underlying backend. The returned bytes are still
	// encrypted; presumably the caller unwraps them with the seal — confirm.
	GetRecoveryKey() ([]byte, error)
	// RecoveryConfig returns the recovery SealConfig from the backend.
	// Because the persisted form omits the json:"-" fields, the returned
	// struct never carries rekey/verification key material.
	RecoveryConfig() (*SealConfig, error)
}