transit Seal

The Transit configures Boundary to use Vault’s Transit Secret Engine for key management.

The Transit KMS is activated by the presence of a kms "transit" block in Boundary’s configuration file

transit Example

This example shows configuring Transit KMS through the Boundary configuration file by providing all the required values:

  1. kms "transit" {
  2.   purpose            = "root"
  3.   address            = "https://vault:8200"
  4.   token              = "s.Qf1s5zigZ4OX6akYjQXJC1jY"
  5.   disable_renewal    = "false"
  7.   // Key configuration
  8.   key_name           = "transit_key_name"
  9.   mount_path         = "transit/"
  10.   namespace          = "ns1/"
  12.   // TLS Configuration
  13.   tls_ca_cert        = "/etc/vault/ca_cert.pem"
  14.   tls_client_cert    = "/etc/vault/client_cert.pem"
  15.   tls_client_key     = "/etc/vault/ca_cert.pem"
  16.   tls_server_name    = "vault"
  17.   tls_skip_verify    = "false"
  18. }

transit Parameters

These parameters apply to the kms stanza in the Vault configuration file:

  • purpose - Purpose of this KMS, acceptable values are: worker-auth, root, recovery, or config.

  • address (string: <required>): The full address to the Vault cluster. This may also be specified by the VAULT_ADDR environment variable.

  • token (string: <required>): The Vault token to use. This may also be specified by the VAULT_TOKEN environment variable.

  • key_name (string: <required>): The transit key to use for encryption and decryption. This may also be supplied using the TRANSIT_WRAPPER_KEY_NAME environment variable.

  • mount_path (string: <required>): The mount path to the transit secret engine.
    This may also be supplied using the TRANSIT_WRAPPER_MOUNT_PATH environment variable.

  • namespace (string: ""): The namespace path to the transit secret engine.
    This may also be supplied using the VAULT_NAMESPACE environment variable.

  • disable_renewal (string: "false"): Disables the automatic renewal of the token in case the lifecycle of the token is managed with some other mechanism outside of Vault, such as Vault Agent. This may also be specified using the TRANSIT_WRAPPER_DISABLE_RENEWAL environment variable.

  • tls_ca_cert (string: ""): Specifies the path to the CA certificate file used for communication with the Vault server. This may also be specified using the VAULT_CA_CERT environment variable.

  • tls_client_cert (string: ""): Specifies the path to the client certificate for communication with the Vault server. This may also be specified using the VAULT_CLIENT_CERT environment variable.

  • tls_client_key (string: ""): Specifies the path to the private key for communication with the Vault server. This may also be specified using the VAULT_CLIENT_KEY environment variable.

  • tls_server_name (string: ""): Name to use as the SNI host when connecting to the Vault server via TLS. This may also be specified via the VAULT_TLS_SERVER_NAME environment variable.

  • tls_skip_verify (bool: "false"): Disable verification of TLS certificates. Using this option is highly discouraged and decreases the security of data transmissions to and from the Vault server. This may also be specified using the VAULT_SKIP_VERIFY environment variable.

Authentication

Authentication-related values must be provided, either as environment variables or as configuration parameters.

Note: Although the configuration file allows you to pass in VAULT_TOKEN as part of the KMS’s parameters, it is strongly recommended to set these values via environment variables.

The Vault token used to authenticate needs the following permissions on the transit key:

  1. path "<mount path>/encrypt/<key name>" {
  2.   capabilities = ["update"]
  3. }
  5. path "<mount path>/decrypt/<key name>" {
  6.   capabilities = ["update"]
  7. }