Configure the HashiCorp Vault Transit secret engine (transit) so that you can create a key for use with the Ceph Object Gateway. Keys created with the Transit secret engine must be exportable to be used for server-side encryption with the Ceph Object Gateway.
Before you begin
Before you begin, make sure that you have the following prerequisites in place:
- A running IBM Storage Ceph cluster.
- Installation of the HashiCorp Vault software.
- Root-level access to the HashiCorp Vault node.
Procedure
- Enable the Transit secret engine.
vault secrets enable transit
For example,
[root@vault ~]# vault secrets enable transit
- Create a new exportable key.
vault write -f transit/keys/BUCKET_NAME exportable=true
Note: By default, this command creates an aes256-gcm96 type key.
For example,
[root@vault ~]# vault write -f transit/keys/mybucketkey exportable=true
- Verify the creation of the key.
Note: Providing the full key path, including the key version, is required.
vault read transit/export/encryption-key/BUCKET_NAME/VERSION_NUMBER
For example,
[root@vault ~]# vault read transit/export/encryption-key/mybucketkey/1
Key     Value
---     -----
keys    map[1:-gbTI9lNpqv/V/2lDcmH2Nq1xKn6FPDWarCmFM2aNsQ=]
name    mybucketkey
type    aes256-gcm96
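The three steps above, collected into one script as an added example (this is not code from the IBM Storage Ceph or HashiCorp documentation). Beyond the commands on the page it adds the check a practitioner wants before pointing the Ceph Object Gateway at the key: it pulls the base64 key out of the "keys map[1:...]" line of the export output and confirms the material is 256 bits long, as an aes256-gcm96 key must be. The function names, the RUN_VAULT_PROCEDURE and BUCKET_NAME variables, and the key-name pattern are assumptions of this example; it assumes the vault CLI is installed and VAULT_ADDR/VAULT_TOKEN point at the Vault node.

```shell
#!/bin/sh
# Added example (not from the IBM Storage Ceph or HashiCorp docs). Wraps the
# three-step Transit procedure in functions and checks that the exported key
# really is 256-bit material before it is handed to the Ceph Object Gateway.
# Assumes the vault CLI is on PATH and VAULT_ADDR/VAULT_TOKEN are set.
set -eu

# Key length for the default aes256-gcm96 key type, in bytes.
AES256_KEY_BYTES=32

# Pull the base64 key out of the "keys map[VERSION:BASE64]" line that
# "vault read transit/export/encryption-key/NAME/VERSION" prints.
# Usage: vault read ... | extract_exported_key VERSION
extract_exported_key() {
    version=$1
    sed -n "s/^keys[[:space:]]*map\[${version}:\([^]]*\)\].*/\1/p"
}

# Decode a base64 key and return its length in bits (0 if it does not decode).
key_bits() {
    bytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    echo $(( ${bytes:-0} * 8 ))
}

# Succeed only if the key is exactly 256 bits, as aes256-gcm96 requires.
is_aes256_key() {
    [ "$(key_bits "$1")" -eq $(( AES256_KEY_BYTES * 8 )) ]
}

# Reject names that would not form a clean transit/keys/NAME path
# (the allowed character set is an assumption of this example).
valid_key_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# Steps 1 to 3 from the page, followed by the length check. Needs a reachable Vault.
create_bucket_key() {
    bucket=$1
    valid_key_name "$bucket" || { echo "invalid key name: $bucket" >&2; return 1; }
    # Step 1: enable the engine; ignore the error if transit is already mounted.
    vault secrets enable transit 2>/dev/null || true
    # Step 2: the key must be exportable for Ceph Object Gateway server-side encryption.
    vault write -f "transit/keys/$bucket" exportable=true
    # Step 3: read version 1 back through the export endpoint and check its size.
    exported=$(vault read "transit/export/encryption-key/$bucket/1" | extract_exported_key 1)
    if is_aes256_key "$exported"; then
        echo "key $bucket version 1 exported: 256-bit key material"
    else
        echo "key $bucket version 1 is not 256 bits; check the key type" >&2
        return 1
    fi
}

# Only talk to Vault when explicitly asked, so sourcing the file stays offline.
if [ "${RUN_VAULT_PROCEDURE:-0}" = 1 ]; then
    create_bucket_key "${BUCKET_NAME:-mybucketkey}"
fi
```

Run it with RUN_VAULT_PROCEDURE=1 BUCKET_NAME=mybucketkey against a Vault node you control. The length check is deliberately done on the exported material rather than on the "type" line of the output, since the key bytes are what the gateway will actually use.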