These steps enable the transit secrets engine, create a key that is able to sign, and sign a payload with Vault.
vault secrets enable transit
# The default key type (aes256-gcm96) is symmetric and can't sign; create an RSA key instead
vault write -f transit/keys/my-key type=rsa-4096
# Transit takes its input as base64. For payloads over 48 bytes use "openssl base64 -A" (or "base64 -w0") so the encoding is not wrapped onto several lines
echo -n 'This was created by Stenio, you can trust me!' | openssl base64
# VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh
# Sign the string. Transit hashes the input with SHA-256 and, for an RSA key, signs with RSA-PSS unless signature_algorithm says otherwise
vault write transit/sign/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh
# Key Value
# --- -----
# signature vault:v1:I4qAHruYs.....
Now to verify the signature:
Client with access to Vault (it only needs the update capability on transit/verify/my-key, not on transit/sign, so a verifying service never gets to mint signatures):
# Verify on the receiving end
vault write transit/verify/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh signature=vault:v1:I4qAHruYs.....
# Key    Value
# ---    -----
# valid  true
Offline client
First, export the PUBLIC key. It can only be used for verification, so it is not secret, but its integrity matters: fetch it from Vault over a trusted channel and pin it on the receiving side, because anyone who can swap the public key out can make their own signatures "verify".
vault read -field=keys transit/keys/my-key
# Output:
# map[1:map[name:rsa-4096 public_key:-----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw8tAveSMeeRvpqpsahMi
# nEA+CXgHTA4SX5tSFhS5
# ....
# asqmrdS6jA3FStUs8r5ItOECAwEAAQ==
# -----END PUBLIC KEY-----
# Create a file public.key with the content between (and including) "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----"
Two things have to be right before OpenSSL will accept the signature. First, what Vault returns is a key-version prefix ("vault:v1:") followed by base64; OpenSSL wants the raw signature bytes, so strip the prefix and decode. Second, for RSA keys transit defaults to RSA-PSS (signature_algorithm=pss) over a SHA-256 hash of the input, while a bare "openssl dgst -sha256 -verify" assumes PKCS#1 v1.5 padding and reports "Verification Failure" even though the signature is fine. Tell OpenSSL to use PSS and to recover the salt length from the signature:
# in.txt holds the exact bytes that were signed (no trailing newline)
echo -n 'vault:v1:I4qAHruYs.....' | sed 's/^vault:v[0-9]*://' | openssl base64 -d -A > sig.bin
openssl dgst -sha256 -verify public.key -signature sig.bin -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto in.txt
# Verified OK
The alternative is to have Vault sign with PKCS#1 v1.5 instead:
vault write transit/sign/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh signature_algorithm=pkcs1v15
Then the OpenSSL command needs no -sigopt flags at all; only the prefix-stripping and base64 decoding of the signature is still required.
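The whole offline path end to end, as an added example that is not code from the original post. It needs no Vault server: a throwaway RSA key generated with OpenSSL stands in for transit/keys/my-key, and a small function reproduces what transit/sign does for an RSA key (SHA-256, then RSA-PSS, returned as "vault:v1:<base64>") so the verification side can be exercised offline. The key, the helper names and the use of a 2048-bit key for speed are assumptions of the example; it covers both the PSS default and the pkcs1v15 alternative, and shows the mismatch that made the plain OpenSSL command fail.

```shell
#!/bin/sh
# Added example, not from the original post. Emulates Vault transit RSA
# signing with a throwaway OpenSSL key so offline verification can be tried
# without a Vault server. Assumes openssl 1.1.0+ or 3.x on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the Vault-held key (Vault never exports the private
# half). 2048 bits keeps generation fast; the steps are identical for rsa-4096.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/private.key" 2>/dev/null
openssl pkey -in "$WORK/private.key" -pubout -out "$WORK/public.key"

# Mimics transit/sign/<key> for an RSA key: SHA-256 over the raw input, then
# RSA-PSS (transit default, maximal salt) or PKCS#1 v1.5 when asked for.
#   $1 = message bytes, $2 = private key PEM, $3 = pss | pkcs1v15 (default pss)
# Prints the signature in Vault's "vault:v1:<base64>" format.
vault_style_sign() {
    msg=$1; key=$2; algo=${3:-pss}
    if [ "$algo" = "pss" ]; then
        sig=$(printf '%s' "$msg" | openssl dgst -sha256 -sign "$key" \
              -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:max \
              | openssl base64 -A)
    else
        sig=$(printf '%s' "$msg" | openssl dgst -sha256 -sign "$key" \
              | openssl base64 -A)
    fi
    printf 'vault:v1:%s' "$sig"
}

# The offline receiver: has only the public key PEM, the message and the
# "vault:vN:<base64>" string. Returns 0 if the signature verifies, 1 otherwise.
#   $1 = message, $2 = signature string, $3 = public key PEM, $4 = pss | pkcs1v15
vault_verify_offline() {
    msg=$1; sig=$2; pub=$3; algo=${4:-pss}
    # OpenSSL wants raw signature bytes: drop the key-version prefix, then decode
    # (-A: the base64 is on one line, which plain "base64 -d" chokes on).
    printf '%s\n' "$sig" | sed 's/^vault:v[0-9][0-9]*://' \
        | openssl base64 -d -A > "$WORK/sig.bin"
    if [ "$algo" = "pss" ]; then
        # PSS, with the salt length recovered from the signature itself, so the
        # verifier does not need to know which salt length the signer used.
        printf '%s' "$msg" | openssl dgst -sha256 -verify "$pub" \
            -signature "$WORK/sig.bin" \
            -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto >/dev/null 2>&1
    else
        # No -sigopt: openssl dgst defaults to PKCS#1 v1.5 padding.
        printf '%s' "$msg" | openssl dgst -sha256 -verify "$pub" \
            -signature "$WORK/sig.bin" >/dev/null 2>&1
    fi
}

MSG='This was created by Stenio, you can trust me!'

# 1. Transit default: PSS signature, verified offline with the PSS options.
SIG_PSS=$(vault_style_sign "$MSG" "$WORK/private.key" pss)
echo "pss signature: $SIG_PSS"
if vault_verify_offline "$MSG" "$SIG_PSS" "$WORK/public.key" pss; then
    echo "pss: Verified OK"
fi

# 2. The page's TODO: the same PSS signature checked as if it were PKCS#1 v1.5.
if ! vault_verify_offline "$MSG" "$SIG_PSS" "$WORK/public.key" pkcs1v15; then
    echo "pss signature rejected by a PKCS#1 v1.5 verify (padding mismatch)"
fi

# 3. The alternative: sign with pkcs1v15, then the plain OpenSSL verify works.
SIG_15=$(vault_style_sign "$MSG" "$WORK/private.key" pkcs1v15)
if vault_verify_offline "$MSG" "$SIG_15" "$WORK/public.key" pkcs1v15; then
    echo "pkcs1v15: Verified OK"
fi

# 4. A tampered message must fail regardless of padding.
if ! vault_verify_offline "${MSG}!" "$SIG_PSS" "$WORK/public.key" pss; then
    echo "tampered message: Verification Failure"
fi
```

With a real Vault the only change is where the signature and key come from: replace vault_style_sign with "vault write -field=signature transit/sign/my-key input=$(printf '%s' "$MSG" | openssl base64 -A)" and write the PEM from "vault read -field=keys transit/keys/my-key" into public.key; vault_verify_offline stays as it is. Passing pkcs1v15 to the verifier when Vault signed with its PSS default reproduces the failure the original OpenSSL one-liner ran into.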