Sealing/Unsealing

WIP description of sealing unsealing a vault instance

A Vault instance contains a number of individual vaults. These vaults in turn store a number of cryptographic keys (AES, ChaCha), key pairs (SECP256k1, Ed25519, BabyJubJub, RSA) or secrets (API strings etc.). Each vault instance has an individual master key, which is used to in-memory encrypt/decrypt the key/keypair seed/ private key or secret to perform cryptographic operations (sign, verify, encrypt, decrypt) or (store/retrive in the case of secrets).

The master key for each vault is stored encrypted in the database and is only decrypted in-memory within the vault application when required. Each master key for each vault is encrypted and decrypted with the vault instance sealing/unsealing key. As this sealing/unsealing key is used to encrypt and decrypt the master keys for each vault, in the event of multiple vault instances existing (for scaling/resilience), every vault instance is connecting to the same underlying database and therefore uses the same sealing/unsealing key.

Currently, the sealing/unsealing operation is called using the following code:

Additional examples forthcoming.

In its initial state, the vault instance is sealed and keys/secrets cannot be decrypted/retrieved. Once a vault is unsealed, normal operation can take place.

To ensure a single sealing/unsealing key is valid for a vault instance, an additional environment variable (seal_validation) will be added. This environment variable will contain an encrypted and signed string of random text. This string of random text will be signed by the ident key and encrypted with the sealing key. When the sealing key is presented to the vault, the vault will use the key to decrypt the seal_validation string and ensure that it represents a 32-byte secret signed by the ident public key. If this is valid, the sealing key will be considered valid and stored (encrypted with a random one-time cloaking key) in memory.

Note that the challenge around this implementation is the potential difficulty of bootstrapping this environment variable without having a vault instance and thus causing an infinite turtles problem!