This code shows the steps to enable the transit secrets engine, configure a key, and sign data with Vault.
vault secrets enable transit
# Default key type doesn't support signing
vault write -f transit/keys/my-key type=rsa-4096
# Encode a string as base64
echo -n 'This was created by Stenio, you can trust me!' | openssl base64
# VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh
# Sign the string
vault write transit/sign/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh
# Key Value
# --- -----
# signature vault:v1:I4qAHruYs.....
Now to verify the signature:
Client with access to Vault:
# Verify on the receiving end
vault write transit/verify/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh signature=vault:v1:I4qAHruYs.....
Offline client:
First, export the PUBLIC key (which can only be used for verification, so it is not sensitive):
vault read -field=keys transit/keys/my-key
# Output:
# map[1:map[name:rsa-4096 public_key:-----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw8tAveSMeeRvpqpsahMi
# nEA+CXgHTA4SX5tSFhS5
# ....
# asqmrdS6jA3FStUs8r5ItOECAwEAAQ==
# -----END PUBLIC KEY-----
# Create a file public.key with the content between (and including) "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----"
# Vault's RSA signing defaults to PSS padding over SHA-256 (signature_algorithm=pss, hash_algorithm=sha2-256), and the value after the "vault:v1:" prefix is base64, so decode it to a binary file before handing it to openssl
echo -n 'This was created by Stenio, you can trust me!' > in.txt
echo -n 'I4qAHruYs.....' | openssl base64 -d -A > in.txt.sig   # the signature value with the "vault:v1:" prefix removed; -A because it is one long line
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify public.key -signature in.txt.sig in.txt
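As an added example (not part of the original gist), here is the offline check as a reusable shell function: it parses the `vault:vN:` prefix to get the key version, base64-decodes the payload, and verifies with openssl using Vault's default RSA settings (PSS padding, SHA-256). The key pair and message below are constructed locally to stand in for `transit/keys/my-key` and `transit/sign/my-key`.

```shell
#!/bin/sh
# Constructed stand-in for the offline client above: verify a Vault transit RSA
# signature with openssl only. Assumes Vault's defaults for rsa-* keys
# (signature_algorithm=pss, hash_algorithm=sha2-256) and the exported public key.

# vault_verify_offline <message-file> <public.key> "vault:vN:<base64>"
# Prints the key version N and returns 0 on success; non-zero otherwise.
vault_verify_offline() {
  msg_file=$1; pub_key=$2; sig=$3
  # Vault returns "vault:v<N>:<base64>"; N is the key version, i.e. which entry
  # of the exported "keys" map holds the matching public key.
  case "$sig" in
    vault:v[0-9]*:*) ;;
    *) echo "not a vault transit signature: $sig" >&2; return 2 ;;
  esac
  version=${sig#vault:v}; version=${version%%:*}
  b64=${sig#vault:v*:}
  sig_file=$(mktemp)
  # The payload is base64 on one line; "-A" is needed or openssl rejects long lines.
  # Decoding is what turns it into the binary blob "openssl dgst" expects.
  if ! printf '%s' "$b64" | openssl base64 -d -A > "$sig_file"; then
    rm -f "$sig_file"; return 3
  fi
  # Vault hashed the raw (base64-decoded) input with SHA-256 and used PSS padding,
  # so a plain "openssl dgst -sha256 -verify" (PKCS#1 v1.5) fails without -sigopt.
  if openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify "$pub_key" \
       -signature "$sig_file" "$msg_file" >/dev/null 2>&1; then
    rm -f "$sig_file"; echo "$version"; return 0
  fi
  rm -f "$sig_file"; return 1
}

# Constructed fixture standing in for transit/keys/my-key and transit/sign/my-key
# (2048-bit here only for speed; the gist's key is rsa-4096).
demo_dir=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$demo_dir/key.pem" >/dev/null 2>&1
openssl pkey -in "$demo_dir/key.pem" -pubout -out "$demo_dir/public.key"  # = exported public_key
printf '%s' 'This was created by Stenio, you can trust me!' > "$demo_dir/in.txt"       # echo -n input
printf '%s' 'This was created by Stenio, you can NOT trust me!' > "$demo_dir/tampered.txt"
# What transit/sign produces for an RSA key with default options
demo_sig="vault:v1:$(openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
  -sign "$demo_dir/key.pem" "$demo_dir/in.txt" | openssl base64 -A)"

if vault_verify_offline "$demo_dir/in.txt" "$demo_dir/public.key" "$demo_sig"; then
  echo "signature verified (key version printed above)"
fi
```

Verification against `tampered.txt` with the same signature fails, which is the property the offline client relies on.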
Why am I not able to decode the signature generated by Vault?
My signature looks like this:
vault:v1:Yo5+IGy0waxGvqXouQ8TKAmSVqMbz8FT8IqB1f8DNhMSSVjqNdy0rTc2LMt/qivI98lW5k42VRgzo4F9Rs6/RMu+PZWoJkjtprxqafxbb8j763vDIOP/UkL3emzL8deNJt37A/8s0Yx5AcsfTAIdNBoleM6KFolq0HBNN2xKg3nDsUy+ZoDobnogNGPMBKKApq5w/hORwWQhrZCg0jtpJSSyLlsqEN9det00i4GeI8Oa6dPRasH9QH/uFM+Ciq3vzrbBxSsLjU02kBbz1qu6dewx+jDhl6CEp5EN3zzoq95XHVrwajvlf+kzhHDWNDzbj+s65lW8+gBfXxDSJMC5VQ==
I am trimming vault:v1: and then trying to decode the signature to binary, but I am getting weird characters, and I am not able to verify my signature. Happy to provide more details around this.