This code shows the steps to enable the transit secrets engine, configure a key, and use it to sign with Vault.
vault secrets enable transit
# Default key type doesn't support signing
vault write -f transit/keys/my-key type=rsa-4096
# Encode a string as base64
echo -n 'This was created by Stenio, you can trust me!' | openssl base64
# VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh
# Sign the string
vault write transit/sign/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh
# Key Value
# --- -----
# signature vault:v1:I4qAHruYs.....
Now to verify the key:
Client with access to Vault:
# Verify on the receiving end
vault write transit/verify/my-key input=VGhpcyB3YXMgY3JlYXRlZCBieSBTdGVuaW8sIHlvdSBjYW4gdHJ1c3QgbWUh signature=vault:v1:I4qAHruYs.....
Offline client:
First, export the PUBLIC key (which can only be used for verification, so it is not sensitive)
vault read -field=keys transit/keys/my-key
# Output:
# map[1:map[name:rsa-4096 public_key:-----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw8tAveSMeeRvpqpsahMi
# nEA+CXgHTA4SX5tSFhS5
# ....
# asqmrdS6jA3FStUs8r5ItOECAwEAAQ==
# -----END PUBLIC KEY-----
# Create a file public.key with the content between (and including) "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----"
TODO - openssl command that works
# Vault signs with RSA keys using PSS padding and SHA-256 by default; sig.bin is the base64-decoded signature (without the "vault:v1:" prefix) and in.txt holds the exact plaintext bytes that were base64-encoded as input
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto -verify public.key -signature sig.bin in.txt
Hi @stevenzamborsky, I appreciate your prompt reply.
I am providing more details about this to see if we can point out what's wrong with my understanding here.
Key Details -
bash-4.4# vault read basePath/keys/3a3f5988-3550-44ad-8eaa-73d5bda6f0fb
Signature generation -
The input here is a base64-encoded string.
vault write basePath/sign/3a3f5988-3550-44ad-8eaa-73d5bda6f0fb input=dXRrYXJzaA== hash_algorithm=sha2-256 signature_algorithm=pss
Signature generated by Vault -
vault:v1:Z3xOWcqdSxJeVeEwLxPlmjoPHk+VEWCpCae1YafFRecZaffVcIDoTU2a+ZatwYqxMxYE6x+KZuud0M2qB0Uhz+GwsmLGke47PZ4qHQQzKeylggUNf++Ige7WFKiF4rBQd+Ijvv008iqvYahxiaQjlRonbJWPyVeANgYrUpSMJkRNjPRnuFAlyK37x9gRXq/iFnRPg4gsTD3R257ijICI8JuSUly7Ic1Vs6s3Kvi9EUV9uby81LdN1x6B57JDO0eXPE5qO/43lTJW/ONDjgRjfLHidUeNIlnyIEa6g6rKYFAE2xD+rMPmYIj771e3COAYrfhys4gfzy7SIAl9o8WNFQ==
The signature is supposed to be Base64-encoded -
I am trimming vault:v1: and then using an online tool to decode this base64-encoded signature so it can be passed to openssl.
This is what I am getting on decoding this. The tool being used is - https://www.base64decode.org/
I apologize in advance if I am doing something terribly wrong.
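Added example, not code from Vault or from either post above: a shell script that fills in the offline-client verification left as a TODO in the first post and walks through the decode step the second post asks about (strip the vault:v1: prefix, base64-decode to a binary file, verify with openssl using PSS padding). It assumes openssl 1.1.1 or newer and a key created with an RSA type and signed with the transit defaults (hash_algorithm=sha2-256, signature_algorithm=pss, prehashed=false). The function names vault_sig_to_raw, vault_verify_offline and fake_vault_sign are this example's own; fake_vault_sign stands in for the transit sign endpoint so the whole flow runs without a Vault server, and the commented jq line assumes the JSON layout of vault read -format=json.

```shell
#!/bin/sh
# Added example, not Vault's code or either poster's: verify a Vault transit RSA
# signature offline with openssl. Assumes openssl 1.1.1+ and a key created with an RSA
# type and signed with the transit defaults (hash_algorithm=sha2-256,
# signature_algorithm=pss, prehashed=false). Function names are this example's own.
set -eu

# Turn the transit wire format "vault:v<keyversion>:<base64>" into raw signature bytes.
# The base64 is one long line; openssl's decoder expects PEM-style lines, so re-wrap it
# at 64 columns first (a single long line decodes to nothing).
vault_sig_to_raw() {
  sig="$1"; out="$2"
  b64="${sig#vault:v[0-9]*:}"            # shortest-match strip of the "vault:vN:" prefix
  printf '%s\n' "$b64" | fold -w 64 | openssl base64 -d > "$out"
}

# Verify <msgfile> against the signature string with the exported PEM public key.
# Exit status follows openssl dgst: 0 = Verified OK, 1 = Verification Failure.
# rsa_padding_mode:pss is transit's default for RSA keys; rsa_pss_saltlen:auto makes
# openssl recover the salt length from the signature (Vault uses the maximum by default),
# so the command also works for a key configured with a different salt_length.
vault_verify_offline() {
  pub="$1"; sig="$2"; msg="$3"
  raw="$(mktemp)"
  vault_sig_to_raw "$sig" "$raw"
  if openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:auto \
       -verify "$pub" -signature "$raw" "$msg" >/dev/null 2>&1; then
    rm -f "$raw"; return 0
  fi
  rm -f "$raw"; return 1
}

# Local stand-in for `vault write transit/sign/<key> input=<base64>` so the flow can be
# exercised without a server: PSS-sign the raw message bytes with SHA-256 and maximum
# salt length, then emit "vault:v1:<base64>" on one line, as transit does.
# Test use only; the private key never leaves a real Vault.
fake_vault_sign() {
  priv="$1"; msg="$2"
  printf 'vault:v1:%s' "$(openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
      -sigopt rsa_pss_saltlen:max -sign "$priv" "$msg" | openssl base64 | tr -d '\n')"
}

# On a client with Vault access, export the PEM for key version 1 (the "v1" in the
# signature is the key version); assumes jq and the JSON layout of `vault read -format=json`:
#   vault read -format=json transit/keys/my-key | jq -r '.data.keys["1"].public_key' > public.pem

demo() {
  dir="$(mktemp -d)"
  openssl genrsa -out "$dir/priv.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/priv.pem" -pubout -out "$dir/public.pem" 2>/dev/null
  # Vault signed the *decoded* bytes of `input`, so the file must hold exactly those bytes:
  # printf '%s', not echo, or a trailing newline breaks verification.
  printf '%s' 'This was created by Stenio, you can trust me!' > "$dir/in.txt"
  sig="$(fake_vault_sign "$dir/priv.pem" "$dir/in.txt")"
  echo "signature: $sig"
  if vault_verify_offline "$dir/public.pem" "$sig" "$dir/in.txt"; then
    echo "exact bytes:            Verified OK"
  fi
  printf '%s\n' 'This was created by Stenio, you can trust me!' > "$dir/tampered.txt"
  if ! vault_verify_offline "$dir/public.pem" "$sig" "$dir/tampered.txt"; then
    echo "with trailing newline:  Verification Failure"
  fi
  rm -rf "$dir"
}
demo
```

Two details account for most failed offline verifications. The decoded signature is binary, so it has to be written straight to a file as above rather than pasted through a text tool, which will mangle the non-printable bytes. And Vault hashed the bytes it decoded from input, not the base64 text, so the file handed to openssl must contain exactly those bytes; echo without -n adds a newline and the check fails. The vN in the prefix names the key version, so with a rotated key pick the matching public_key entry from the keys map.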