mirror of
https://github.com/hashicorp/vault.git
synced 2026-05-22 10:21:53 -04:00
* wip
* wip
* Got it 'working', but not happy about cleanliness yet
* Switch to a dedicated defaultSeal with recovery keys

  This is simpler than trying to hijack SealAccess as before. Instead, if the operator has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir seal with the recovery unseal key path instead of the auto seal. Then everything proceeds as if you had a shamir seal to begin with.
* Handle recovery rekeying
* changelog
* Revert go.mod redirect
* revert multi-blob info
* Dumb nil unmarshal target
* More comments
* Update vault/seal.go

  Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update changelog/18683.txt

  Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* pr feedback
* Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split
* Better comment on recovery seal during adjustSealMigration
* Make it possible to migrate from an auto-seal in recovery mode to shamir
* Fix sealMigrated to account for a recovery seal
* comments
* Update changelog/18683.txt

  Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Address PR feedback
* Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate
* Don't shortcut the rest of seal migration
* get rid of redundant transit server cleanup

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

||
|---|---|---|
| config.go | ||
| config_util.go | ||
| encrypt_decrypt.go | ||
| encrypt_decrypt_test.go | ||
| hcp_link.go | ||
| http_response_headers.go | ||
| kms.go | ||
| lint.go | ||
| listener.go | ||
| listener_test.go | ||
| merge.go | ||
| telemetry.go | ||
| telemetry_test.go | ||
| userlockout.go | ||
| userlockout_test.go | ||