Edit:
Seal/Unseal | Vault by HashiCorp.
Here it is explained that the encryption data is saved along with the data.
Hi,
I have a question regarding Vault Encryption Keys.
Is there any way to interact with the encryption keys besides rotating them or generating a new master key? If I wanted to “get” or “read” the encryption key used, is there any native support? I can’t seem to find anything in the documentation.
Also where is the encryption key stored? In memory?
E.g. if I am using a KV2 Secrets Engine, where does it store the encryption/decryption key?
Is it some “internal magic” in action? The only reference I can find mentioning something similar is here.
If I have all the unseal keys can I view the encryption keys or the keyring used?
I also have difficulty understanding the whole encryption process after a rekey.
Scenario: Vault started
→ Master key generated and encrypts the encryption key (assuming this is randomly generated)
→ Vault then internally uses the "encrypted" encryption key as a key: masterkey(encryptionkey(data)) = key used to encrypt/decrypt.
If we rekey and therefore generate a new [“encrypted” encryption key], would we not lose the data we already put at rest? (Or does some internal process happen, like getting data from storage, re-encrypting it using the new encryption key and storing it again?)
Hope I could make my point clear! Thanks for your help!
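The key hierarchy the post asks about, as an added illustrative Go model that is not Vault's own code: a root (master) key wraps only the keyring, the keyring holds numbered data keys, and every ciphertext carries the term it was written under, so a rekey re-wraps the keyring without touching stored data and a rotation adds a term without breaking old ciphertext. The type and method names (`Barrier`, `Rekey`, `Rotate`), the 4-byte term prefix and the use of AES-256-GCM are assumptions of this model.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Illustrative model, not Vault's code: the root key wraps only the keyring; data is encrypted under per-term keyring keys.
type Barrier struct {
	Root    []byte   // root (master) key: in memory only while unsealed, never written to storage
	keys    [][]byte // keyring terms 1..n; the newest term is the active one
	Wrapped []byte   // the keyring as it lands in storage, sealed under Root
}
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// seal/open: AES-256-GCM with the random nonce prepended to the ciphertext (keys are always 32 bytes here).
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// rewrap stores the keyring under the current root key. Rekey changes only Root; Rotate adds a new active term; neither touches stored data.
func (b *Barrier) rewrap() { b.Wrapped = seal(b.Root, bytes.Join(b.keys, nil)) }
func (b *Barrier) Rekey()  { b.Root = newKey(); b.rewrap() }
func (b *Barrier) Rotate() { b.keys = append(b.keys, newKey()); b.rewrap() }
func NewBarrier() *Barrier { b := &Barrier{Root: newKey()}; b.Rotate(); return b } // Rotate creates term 1
// Encrypt uses the active term and records it in a 4-byte prefix so Decrypt can pick the matching keyring key after later rotations.
func (b *Barrier) Encrypt(pt []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(b.keys)))
	return append(hdr, seal(b.keys[len(b.keys)-1], pt)...)
}
func (b *Barrier) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 4 || binary.BigEndian.Uint32(ct) == 0 || int(binary.BigEndian.Uint32(ct)) > len(b.keys) {
		return nil, errors.New("missing or unknown key term")
	}
	return open(b.keys[binary.BigEndian.Uint32(ct)-1], ct[4:])
}
```

Holding the root key (what the unseal key shares reconstruct) is exactly what lets `open(b.Root, b.Wrapped)` recover the keyring; without it the wrapped keyring in storage is opaque.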