Configure the HashiCorp Vault Transit secret engine (transit) so you can create a key for use with the Ceph Object Gateway. Keys created with the Transit secret engine must be exportable to be used for server-side encryption with the Ceph Object Gateway.
Before you begin
Before you begin, make sure that you have the following prerequisites in place:
- A running IBM Storage Ceph cluster.
- Installation of the HashiCorp Vault software.
- Root-level access to the HashiCorp Vault node.
Procedure
- Enable the Transit secret engine.
vault secrets enable transit
For example,
[root@vault ~]# vault secrets enable transit
- Create a new exportable key.
vault write -f transit/keys/BUCKET_NAME exportable=true
Note: By default, this command creates an aes256-gcm96 type key.
For example,
[root@vault ~]# vault write -f transit/keys/mybucketkey exportable=true
- Enable key rotation.
vault write -f transit/keys/BUCKET_NAME/rotate exportable=true
For example,
[root@vault ~]# vault write -f transit/keys/mybucketkey/rotate exportable=true
- Specify the duration for key rotation.
vault write -f transit/keys/BUCKET_NAME/config auto_rotate_period=DURATION
For example,
[root@vault ~]# vault write -f transit/keys/mybucketkey/config auto_rotate_period=30d
In this example, 30d specifies that the key is rotated after 30 days. To specify the key rotation duration in hours, use auto_rotate_period=1h; 1h specifies that the key rotates every 1 hour.
- Verify that the key rotation is successful by checking the value of the latest_version parameter. The value must have been incremented.
vault read transit/export/encryption-key/BUCKET_NAME
For example,
[root@vault ~]# vault read transit/export/encryption-key/mybucketkey
- Verify the creation of the key.
Note: Providing the full key path, including the key version, is required.
vault read transit/export/encryption-key/BUCKET_NAME/VERSION_NUMBER
For example,
[root@vault ~]# vault read transit/export/encryption-key/mybucketkey/1
Key Value
--- -----
keys map[1:-gbTI9lNpqv/V/2lDcmH2Nq1xKn6FPDWarCmFM2aNsQ=]
name mybucketkey
type aes256-gcm96
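The checks the procedure above performs by eye (key is exportable, type is aes256-gcm96, latest_version has moved, auto-rotation is set, the exported material is a full 256-bit key) can be scripted against the JSON that `vault read -format=json` returns. This is an added example, not code from IBM or HashiCorp; the two JSON documents are constructed to mirror the shape of the transit/keys and transit/export responses, and the field names they contain are assumed from the Vault Transit API.

```python
"""Validate a Vault Transit key before pointing the Ceph Object Gateway at it.

Input is the "data" object of `vault read -format=json transit/keys/NAME`
and of `vault read -format=json transit/export/encryption-key/NAME`.
"""
import base64
import json

AES256_KEY_BYTES = 32  # aes256-gcm96 wraps a 256-bit AES key


def check_key_config(key_info: dict, min_version: int = 1) -> list:
    """Return a list of problems; an empty list means the key is usable by RGW."""
    problems = []
    if not key_info.get("exportable"):
        problems.append("key is not exportable; RGW cannot fetch it")
    if key_info.get("type") != "aes256-gcm96":
        problems.append("unexpected key type %r" % key_info.get("type"))
    if key_info.get("latest_version", 0) < min_version:
        problems.append("latest_version %s < %d; rotation did not happen"
                        % (key_info.get("latest_version"), min_version))
    if not key_info.get("auto_rotate_period"):  # 0 means auto-rotation is off
        problems.append("auto_rotate_period is 0; automatic rotation is off")
    return problems


def exported_key_bytes(export_info: dict, version: str) -> bytes:
    """Decode one exported key version and enforce the AES-256 length."""
    raw = base64.b64decode(export_info["keys"][version], validate=True)
    if len(raw) != AES256_KEY_BYTES:
        raise ValueError("key version %s is %d bytes, expected %d"
                         % (version, len(raw), AES256_KEY_BYTES))
    return raw


# Constructed sample responses (field layout assumed from the Transit API);
# the exported value is base64 of the bytes 0x00..0x1f, not a real key.
KEY_INFO = json.loads('{"name": "mybucketkey", "type": "aes256-gcm96", '
                      '"exportable": true, "latest_version": 2, '
                      '"auto_rotate_period": 2592000}')
EXPORT_INFO = json.loads('{"name": "mybucketkey", "type": "aes256-gcm96", '
                         '"keys": {"1": "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="}}')

if __name__ == "__main__":
    # After the rotate step, latest_version must be at least 2.
    print(check_key_config(KEY_INFO, min_version=2) or "key config OK")
    print("exported key length:", len(exported_key_bytes(EXPORT_INFO, "1")))
```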