While trying to import a private RSA key into the Vault transit engine (following Key Wrapping for Transit Key Import - Transit - Secrets Engines | Vault | HashiCorp Developer), I fail to understand how the AES key wrap should work with a private RSA key.
I’m using python to wrap the private key with the cryptography library to perform the key manipulation operations.
According to the guide, the key wrap should “wrap the PKCS8 encoded format of this key, in raw DER/binary form”.
But I get the following error (from the aes_key_wrap function while doing so:
ValueError: The key to wrap must be a multiple of 8 bytes
I’ve tried to pad accordingly, but then, it is the Vault server that is complaining:
1 error occurred:
* kwp: unwrap failed integrity check
How is the private key supposed to be wrapped for the Vault transit engine to correctly accept the key?