Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

config security issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config #1660

Open
maratsh opened this issue Jul 22, 2022 · 1 comment
Open

config security issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config #1660

maratsh opened this issue Jul 22, 2022 · 1 comment
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. lifecycle/keep Denotes an issue or PR that should be preserved from going stale.

Comments

@maratsh
Copy link

maratsh commented Jul 22, 2022
edited
Loading

Bugs should be filed for issues encountered whilst operating bank-vaults.
You should first attempt to resolve your issues through the community support
channels, e.g. Slack, in order to rule out individual configuration errors.
Please provide as much detail as possible.

Describe the bug:
As an engineer, I want to make sure vault installation is secure.

when autounseal stanza is present, vault-root and vault-recovery keys are available as plaintext for any user that have access to s3 bucket. As well as for users without access to KMS.
Turns out, it is possible to configure both kmsid and s3sse options, which will lead to vault-* objects not encrypted.
If I remove s3sse option from config, vault-* objects are uploaded encrypted.

Expected behavior:
It is expected to vault-root, vault-recover-xx be encrypted KMS cipher texts when KMS key is specified. Or throw error when both kmsid and s3sse options are provided. I'm not sure what s3sse option supposed to do. I've expected it enables S3 sse.

Steps to reproduce the bug:
Create vault with awskms autounseal. Try to download vault-root from autounseal s3 bucket

Additional context:
Add any other context about the problem here.

Environment details:

  • Kubernetes version : v1.21
  • Cloud-provider/provisioner: EKS
  • bank-vaults version: : 1.15.3
  • Install method (e.g. helm or static manifests): terraform + helm for operator, terraform k8s manifest for vault crd
  • Logs from the misbehaving component (and any other relevant logs): n/a
  • Resource definition (possibly in YAML format) that caused the issue, without sensitive data:
apiVersion: v1
items:
- apiVersion: vault.banzaicloud.com/v1alpha1
  kind: Vault
  metadata:

    generation: 4
    name: hashicorp-vault
    namespace: 

  spec:
    bankVaultsImage: banzaicloud/bank-vaults:1.15.3
    config:
      listener:
        tcp:
          address: 0.0.0.0:8200
          tls_cert_file: /vault/tls/server.crt
          tls_key_file: /vault/tls/server.key
      seal:
        awskms:
          kms_key_id: xxxx-xxx-xxx-xxx-xxx
          region: eu-west-1
      storage:
        dynamodb:
          ha_enabled: "true"
          region: eu-west-1
          table: storage-backend
      telemetry:
        statsd_address: localhost:9125
      ui: true
    credentialsConfig:
      env: ""
      path: ""
      secretName: ""
    externalConfig:
      policies:
      - name: allow_secrets
        rules: path "secret/*" { capabilities = ["create", "read", "update", "delete",
          "list"] }
      - name: allow_pki
        rules: path "pki/*" { capabilities = ["create", "read", "update", "delete",
          "list"] }
      secrets:
      - description: General secrets.
        options:
          version: 2
        path: secret
        type: kv
    image: docker.io/library/vault:1.11.0
    nodeAffinity: {}
    securityContext: {}
    serviceAccount: hashicorp-vault
    serviceType: ClusterIP
    size: 3
    unsealConfig:
      aws:
        kmsKeyId: xxxx-xxx-xxx-xxx-xxx
        s3Bucket: autounseal
        s3Prefix: ""
        s3SSE: AES256
      kubernetes: {}
      options:
        preFlightChecks: true
    vaultAnnotations:
      type/instance: vault
    vaultConfigurerAnnotations:
      type/instance: vaultconfigurer
    vaultContainerSpec:
      name: ""
      resources: {}
    vaultEnvsConfig:
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_API_ADDR
      value: https://vault
  status:
    conditions:
    - status: "True"
      type: Healthy
    leader: hashicorp-vault-2
    nodes:
    - hashicorp-vault-0
    - hashicorp-vault-1
    - hashicorp-vault-2
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

/kind bug
@maratsh maratsh changed the title vault-root and vault-recovery keys are available as plaintext when using unseal feature docs issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config Jul 22, 2022
@maratsh maratsh changed the title docs issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config config security issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config Jul 22, 2022
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jan 28, 2024
@ramizpolic ramizpolic added kind/bug Categorizes issue or PR as related to a bug. area/security and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Feb 9, 2024
@ramizpolic
Copy link
Member

Thanks for reporting @maratsh! We will look into this and verify if it's still present

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 2, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 2, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jul 7, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jul 7, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jul 7, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Sep 8, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Sep 8, 2024
@csatib02 csatib02 added lifecycle/keep Denotes an issue or PR that should be preserved from going stale. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Sep 8, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in Project backlog Sep 8, 2024
@csatib02 csatib02 moved this from 🆕 New to 🔖 Ready for work in Project backlog Sep 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. lifecycle/keep Denotes an issue or PR that should be preserved from going stale.
Projects
Project backlog
Status: 🔖 Ready for work
Milestone
No milestone
Development

No branches or pull requests
3 participants
@maratsh @ramizpolic @csatib02