Provide our own custom unseal/root key to Vault

vj68 · August 21, 2023, 6:05am

Hello.

Is there a way to provide our own unseal/root key to Vault?

Right now I understand the unsealing process(using Shamir’s algorithm) is this:

Generate unseal keys
vault operator init (Generates N unseal keys)
Unseal vault (Use unseal keys to generate root key)
vault operator unseal <unseal-key> (do this N times, provide different unseal key each time)

Unseal keys → Root key → Encryption keys.

Is there a way I can provide my own Unseal keys/Root key?
I have an algorithm to generate the key of my own and I want to provide it to unseal the vault.

Something like
vault operator init <my-unseal-key>

To clarify, my aim is to provide/control the mastery key to the vault.

maxb · August 21, 2023, 6:09am

No, this is but supported.

vj68 · August 21, 2023, 6:12am

Sorry @maxb , didn’t get you.

Is this not supported currently? Is there any way we can achieve this?
Is there any future plan to support user-provided root/unseal keys?
And what algorithms are used currently to generate these keys?

maxb · August 21, 2023, 6:27am

No, user-provided unseal keys are not supported.

I do not work for HashiCorp, but I would not expect them to ever be supported.

Topic		Replies	Views
Vault UI to accept unseal keys when generating root token Vault vault	3	482	February 12, 2022
Rekey a specific unseal Key Vault	1	338	November 26, 2020
Vault rekey not revoke previous unseal keys Vault	1	381	September 20, 2019
Rekey without unseal keys Vault	0	36	September 20, 2024
Auto-Unseal to Shamir, as Vault destroyed Vault vault	4	430	May 6, 2022

Provide our own custom unseal/root key to Vault

Related topics