How can I back up my encryption keys

Hi everyone,

In order to back up my encryption keys stored in Vault, I executed the following command:
$ vault read transit/keys/orders
I got a text which has something like this within it:
keys map[1:1604988997 2:1604993553 3:1604993556 4:1604993569]

To make sure that these are the actual keys used for encryption and decryption by Vault, I picked key n°4 (i.e. 1604993569) and tried to programmatically decrypt a text (i.e. Xyg9QD+du7knfUi5HsyrIqXpyjt20+aDEvfXAt8Vgvug1Bxk2Cw356xH9x5p6TQk) previously encrypted with this key using AES256 in GCM96 mode (i.e. vault:v4:Xyg9QD+du7knfUi5HsyrIqXpyjt20+aDEvfXAt8Vgvug1Bxk2Cw356xH9x5p6TQk), but instead I got an error message saying the following:

  • invalid ciphertext: unable to decrypt

Could someone please correct me if I made a mistake in my thought process, or did I pick the wrong key string? Thank you.

You need the “exportable” value to be “true” in order to export. You can use the command below to check whether the key is exportable or not:

vault read transit/keys/orders
Key                       Value
---                       -----
allow_plaintext_backup    false
deletion_allowed          false
derived                   false
exportable                false
keys                      map[1:1605047136]
latest_version            1

The command to decrypt is:

vault write transit/decrypt/orders ciphertext="vault:v1:MytEVLQX1oUmWwZfPcGl1pvaf33lfXC/oxOfnX6Uazl1ZLgLTIjvt3QvdtAmtpkM"
Key          Value
---          -----
plaintext    InNvbWUga2V5cyBhcmUgZWFzeSI=

Are you aware of the backup functionality that can backup the entire keyring/details?
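For readers following this thread: the values in the `keys` map that `vault read transit/keys/<name>` prints are the Unix creation timestamps of each key version, not the key material itself (key bytes only ever leave Vault through `transit/export` when `exportable` is true, or through `transit/backup/<name>` when `allow_plaintext_backup` is true, both of which the output above shows as `false`). The Go program below is an added illustration, not code from Vault or from anyone in this thread. It decodes such a timestamp, parses the `vault:vN:<base64>` ciphertext format, and performs an AES-256-GCM round trip that mirrors what Transit's aes256-gcm96 key type does (12-byte nonce prepended, 16-byte tag appended; that layout and the helper names are this example's assumptions), showing that a key derived from the timestamp string fails the GCM tag check, which is exactly the "unable to decrypt" outcome seen above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// gcmNonceLen is the 12-byte (96-bit) nonce that gives aes256-gcm96 its name.
const gcmNonceLen = 12

// keyVersionCreated converts one value from the `keys` map returned by
// `vault read transit/keys/<name>` into the creation time it encodes.
// The map value is a Unix timestamp, not an AES key.
func keyVersionCreated(epoch string) (time.Time, error) {
	secs, err := strconv.ParseInt(epoch, 10, 64)
	if err != nil {
		return time.Time{}, err
	}
	return time.Unix(secs, 0).UTC(), nil
}

// parseVaultCiphertext splits "vault:v<N>:<base64>" into the key version
// and the raw bytes (assumed layout: nonce || ciphertext || 16-byte GCM tag).
func parseVaultCiphertext(ct string) (int, []byte, error) {
	parts := strings.SplitN(ct, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || !strings.HasPrefix(parts[1], "v") {
		return 0, nil, errors.New("invalid ciphertext: not in vault:vN:<base64> form")
	}
	version, err := strconv.Atoi(parts[1][1:])
	if err != nil {
		return 0, nil, errors.New("invalid ciphertext: bad version")
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return 0, nil, errors.New("invalid ciphertext: bad base64")
	}
	if len(raw) < gcmNonceLen+16 {
		return 0, nil, errors.New("invalid ciphertext: too short")
	}
	return version, raw, nil
}

// encryptLikeTransit seals plaintext with a 32-byte AES key and a random
// 12-byte nonce, then wraps the result in the vault:vN: prefix (hypothetical
// helper that imitates Transit's output format).
func encryptLikeTransit(key []byte, version int, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcmNonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, plaintext, nil)
	blob := append(append([]byte{}, nonce...), sealed...)
	return fmt.Sprintf("vault:v%d:%s", version, base64.StdEncoding.EncodeToString(blob)), nil
}

// decryptLikeTransit reverses encryptLikeTransit. Any key other than the one
// used to seal makes the GCM tag check fail; the error text is deliberately
// generic so that a caller learns nothing about where the mismatch is.
func decryptLikeTransit(key []byte, ct string) ([]byte, error) {
	_, raw, err := parseVaultCiphertext(ct)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, raw[:gcmNonceLen], raw[gcmNonceLen:], nil)
	if err != nil {
		return nil, errors.New("invalid ciphertext: unable to decrypt")
	}
	return pt, nil
}

func main() {
	// Constructed sample: the version-4 timestamp quoted in the question.
	created, _ := keyVersionCreated("1604993569")
	fmt.Println("key version 4 was created at", created.Format(time.RFC3339))

	realKey := make([]byte, 32) // constructed 256-bit key, stands in for Transit's
	_, _ = rand.Read(realKey)
	ct, _ := encryptLikeTransit(realKey, 4, []byte("constructed plaintext"))
	fmt.Println("ciphertext:", ct)

	// Treating the timestamp as key material (hashed to 32 bytes) cannot work.
	wrong := sha256.Sum256([]byte("1604993569"))
	if _, err := decryptLikeTransit(wrong[:], ct); err != nil {
		fmt.Println("with timestamp-derived key:", err)
	}
	pt, _ := decryptLikeTransit(realKey, ct)
	fmt.Println("with the real key:", string(pt))
}
```

The practical takeaway for a backup plan is that nothing printed by `vault read transit/keys/<name>` can recover data; a backup has to come from the export or plaintext-backup endpoints, and enabling either flag widens who can obtain the raw key, so restrict the policy that grants those paths and audit their use.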
