Using Vault Transit engine for card data encryption (PCI DSS)

Hi everyone, we are currently using an HSM for card data encryption, but this device is not very reliable, so we are considering switching to the Vault Transit engine. The problem is, in the docs I did not find any detailed description of how Vault stores the keys, which algorithms are used, etc. So here are some questions:

  1. I was able to find that the Encryption Key is AES-256-GCM. What about the Root and Unseal keys? Are they the same?

  2. How are the keys generated? What libraries and random number generators are used?

  3. PCI DSS requires that key-encrypting keys are stored separately from card data encryption keys. In our case, the key-encrypting keys are the keys that live in the Vault internal keyring, and the card data encryption keys are those that are created by the application via the Transit API and are stored in the Vault storage. Is it possible to somehow store the keyring and the main storage separately? PCI DSS requires storing them in “physically and/or logically separate locations”.
