So, when I start a server with SSL, I get a wrapped token from vault, and the server uses that token to pull in its private key (or the passphrase for the private key, as the case may be).
Obviously, this isn’t an option with vault. I need vault running to pull its SSL key, but I need the SSL key in order to start vault so that remote admins can provide their unseal key.
Obviously, this is a case of either storing the private key encrypted or manually entering the passphrase for the private key on startup.
If I were OK with storing the private key unencrypted, then I probably wouldn’t care about storing secrets in an encrypted vault in the first place, so I’ll skip that one.
So, on startup, I am providing the passphrase for the private key. It is easy enough to make sure all of the admins have this key; it is the unseal that really matters.
The problem is that this means that I am running vault in the foreground so that I can interact with it on startup. So, I could start it in a screen or tmux session, but I don’t like leaving servers attached to a reattachable tty like that.
How are other people solving this? My current thoughts are along the lines of decrypting the public key into a tmpfs, and then shredding it after starting vault. Ideally, I’d like a solution where maybe vault pulls the private key or private key passphrase from the kernel keyring. I can then just enter it there before starting.
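One way to do what the post describes (passphrase held in the kernel keyring, key decrypted into tmpfs, plaintext wiped once Vault is up), as an added example that is not from the original post or from Vault itself. It assumes keyutils (`keyctl`) and openssl are installed; the paths, the key description `vault-tls-pass` and the `--run` flag are hypothetical.

```shell
#!/bin/sh
# Bootstrap Vault's TLS private key without a human on the console:
#   1. refuse to run unless the scratch dir is really on tmpfs,
#   2. pull the key passphrase from the kernel session keyring,
#   3. decrypt the key into tmpfs (never via a command-line argument),
#   4. start Vault, then remove the plaintext key.
# Assumed setup (hypothetical): an admin ran, in the same session,
#   keyctl add user vault-tls-pass "$PASSPHRASE" @s
set -eu

ENC_KEY="${ENC_KEY:-/etc/vault/tls/vault.key.enc}"   # passphrase-protected PEM
RUN_DIR="${RUN_DIR:-/run/vault}"                      # must be a tmpfs mount
KEY_NAME="${KEY_NAME:-vault-tls-pass}"                # keyring description

# dir_on_tmpfs DIR: reads a /proc/mounts-style table on stdin and returns 0
# only if the longest mount point covering DIR is tmpfs. Split out so it can
# be checked against a constructed table rather than the live system.
dir_on_tmpfs() {
    awk -v d="$1" '
        BEGIN { best = 0; fs = "" }
        { m = $2
          if (d == m || m == "/" || index(d, m "/") == 1)
              if (length(m) >= best) { best = length(m); fs = $3 } }
        END { exit (fs == "tmpfs") ? 0 : 1 }'
}

# Passphrase from the session keyring; it stays out of argv and the
# environment, so it is not visible in /proc/<pid>/cmdline or environ.
keyring_passphrase() {
    keyctl print "$(keyctl search @s user "$KEY_NAME")"
}

# Decrypt into tmpfs with 0600 perms; the passphrase arrives on stdin.
decrypt_key() {
    umask 077
    keyring_passphrase | openssl pkey -in "$ENC_KEY" -passin stdin \
        -out "$RUN_DIR/vault.key"
}

main() {
    dir_on_tmpfs "$RUN_DIR" < /proc/mounts \
        || { echo "refusing: $RUN_DIR is not on tmpfs" >&2; exit 1; }
    decrypt_key
    vault server -config=/etc/vault/vault.hcl &
    sleep 2   # crude; poll the listener or health endpoint in production
    # Caveats: pages of a tmpfs can still be swapped unless swap is off or
    # encrypted, and Vault reloads its certificate on SIGHUP, which will fail
    # once the file is gone (re-run decrypt_key before sending SIGHUP).
    shred -u "$RUN_DIR/vault.key"
    wait
}

if [ "${1:-}" = "--run" ]; then main; fi
```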