
vault-gpg-plugin's Introduction

Vault Plugin: GPG Secret Backend

This is a standalone plugin for HashiCorp Vault. It performs GPG operations on data in transit, in the same spirit as Vault's built-in transit secret backend: data sent to the backend is processed but never stored.

As of today, the backend does not support encrypting data.

This backend covers use cases similar to the transit secret backend; prefer transit unless you need to interoperate with existing tools that only understand GPG.

Usage & setup

This is a Vault plugin, so you need a working installation of Vault to use it.

To learn how to use plugins with Vault, see the plugin backends documentation on the official Vault website. Download and decompress the pre-compiled plugin binary for your architecture from the latest release on GitHub. The archive also contains the SHA256 checksum of the binary, which is the value you need to register the plugin in your Vault plugin catalog.

All archives are available from the release tab on GitHub and are signed using Cosign:

$ cosign verify-blob <file> --bundle <file>.bundle \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/LeSuisse/vault-gpg-plugin/\.github/workflows/Release\.yml'

Once mounted in Vault, the plugin exposes the HTTP API described in the repository's docs/http-api.md.
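As an added example (not tooling from the vault-gpg-plugin project), the script below performs the pre-registration checks the setup section implies: it verifies the downloaded binary against the bundled .sha256sum file, prints the vault plugin register command that pins that digest in the catalog, and flags absolute entry names in an unzip -l listing (the 0.6.1 packaging problem reported in the issues on this page). It assumes sha256sum or shasum is installed and that the archive layout is binary plus "<arch>.sha256sum"; Cosign verification of the archive is a separate step.

```shell
#!/bin/sh
# Added example (not part of vault-gpg-plugin): pre-registration checks for
# a downloaded release archive. Assumed layout, from the README and the
# issue listings on this page: the binary "vault-gpg-plugin" next to a
# "<arch>.sha256sum" file holding "<hex digest>  vault-gpg-plugin".
# Needs sha256sum(1) or shasum(1); Cosign verification is a separate step.

# Print the hex SHA-256 digest of file $1.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_plugin DIR SUMFILE: return 0 when the digest recorded in
# DIR/SUMFILE matches the file it names, 1 otherwise. Only the named file
# is hashed, so a checksum line for some other file cannot pass by accident.
verify_plugin() {
  _dir=$1; _sum=$2
  [ -f "$_dir/$_sum" ] || { echo "missing $_sum" >&2; return 1; }
  _expected=$(cut -d' ' -f1 "$_dir/$_sum")
  _name=$(awk '{print $2}' "$_dir/$_sum"); _name=${_name#\*}
  [ -f "$_dir/$_name" ] || { echo "missing $_name" >&2; return 1; }
  [ "$_expected" = "$(sha256_of "$_dir/$_name")" ]
}

# register_command DIR SUMFILE: after a successful verification, print the
# Vault CLI command that pins this exact digest in the plugin catalog, so
# Vault refuses to execute a binary that does not hash to it.
register_command() {
  verify_plugin "$1" "$2" || return 1
  echo "vault plugin register -sha256=$(cut -d' ' -f1 "$1/$2") secret vault-gpg-plugin"
}

# reject_absolute_paths: read an "unzip -l" listing on stdin and return 1
# if any entry name (field 4 of an entry line) starts with "/", 0 otherwise.
reject_absolute_paths() {
  awk 'substr($4, 1, 1) == "/" { bad = 1 } END { exit bad + 0 }'
}

# Self-contained demonstration on a constructed (not real) plugin file.
demo() {
  _tmp=$(mktemp -d) || return 1
  printf 'constructed stand-in for the plugin binary\n' > "$_tmp/vault-gpg-plugin"
  printf '%s  vault-gpg-plugin\n' "$(sha256_of "$_tmp/vault-gpg-plugin")" \
    > "$_tmp/linux_amd64.sha256sum"
  register_command "$_tmp" linux_amd64.sha256sum
  # A modified binary must fail the check even though the sum file is intact.
  printf 'extra byte\n' >> "$_tmp/vault-gpg-plugin"
  if verify_plugin "$_tmp" linux_amd64.sha256sum; then
    echo "unexpected: tampered binary passed" >&2; rm -rf "$_tmp"; return 1
  fi
  rm -rf "$_tmp"
  # Constructed listing, copied from the 0.6.1 archive shown on this page.
  if ! printf '%s\n' \
      '  Length      Date    Time    Name' \
      '---------  ---------- -----   ----' \
      '       83  2023-06-17 09:46   /vault-gpg-plugin.sha256sum' \
      ' 20508672  2023-06-17 09:37   vault-gpg-plugin' | reject_absolute_paths; then
    echo "archive contains an absolute entry name; inspect before extracting" >&2
  fi
}

demo
```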

vault-gpg-plugin's Issues

List operation returns 404 when no keys are present

Currently, if the plugin is mounted and there are no keys stored in the backend, the list /gpg/keys endpoint returns a 404. This feels like a misuse of the status code; the response should be successful, just with an empty list.

Due to the inability to upsert keys, listing the keys currently present within the mount is how I've been checking whether an existing key is present, to avoid attempting to update it in place (which returns an error). However, if all of the keys are removed then this no longer functions as expected, and I cannot disambiguate this error case from the plugin not existing at all.

version: 0.3.0 (commit a027d04)

Release 0.6.1 includes root-level file /vault-gpg-plugin.sha256sum

Compare the file list of v0.5.0:

[vagrant@saltmaster ~]$ unzip -l linux_amd64-0.5.0.zip
Archive:  linux_amd64-0.5.0.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       83  2021-12-29 19:23   linux_amd64.sha256sum
 25688745  2021-12-29 19:23   vault-gpg-plugin
---------                     -------
 25688828                     2 files

to the file list of 0.6.1:

[vagrant@saltmaster ~]$ unzip -l linux_amd64-0.6.1.zip
Archive:  linux_amd64-0.6.1.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       83  2023-06-17 09:46   /vault-gpg-plugin.sha256sum
     1075  2023-06-17 09:38   LICENSE
     2098  2023-06-17 09:38   README.md
    13451  2023-06-17 09:38   docs/http-api.md
 20508672  2023-06-17 09:37   vault-gpg-plugin
---------                     -------
 20525379                     5 files

The root path included in the zip unfortunately wreaks havoc with my tooling, as unzipping fails because of missing write privileges and using -j returns an exit code != 0. But even if this didn't create mundane problems with my server automation, it's also just bad form :).

It would be great if you could find the time to create a release without the path. Thank you for the great plugin, though.

New vault node that has joined the same cluster is unable to read existing gpg keys

Hi,

We have an existing vault cluster running; the gpg plugin was installed, and keys were created and are being used for encryption.
Now a new vault node has been introduced as leader, and we have successfully registered the gpg plugin on it too. However, we are unable to read/list the existing keys.
We are able to create a new gpg engine, but we are unable to read keys of the existing gpg engine.

Please advise what could be the issue and solution for this.

Kalyan

Decrypting large files

Decrypting a fairly large GPG encrypted message (~700MB) crashes the plugin with the following debug log:

Jun 07 10:43:57 vault.gateway.semla.dfki.dev vault[11817]: 2022-06-07T10:43:57.371+0200 [DEBUG] secrets.vault-gpg-plugin.vault-gpg-plugin_3c840356.vault-gpg-plugin: starting plugin: path=/etc/vault.d/plugins/vault-gpg-plugin args=["/etc/vault.d/plugins/vault-gpg-plugin"]
Jun 07 10:43:57 vault.gateway.semla.dfki.dev vault[11817]: 2022-06-07T10:43:57.372+0200 [DEBUG] secrets.vault-gpg-plugin.vault-gpg-plugin_3c840356.vault-gpg-plugin: plugin started: path=/etc/vault.d/plugins/vault-gpg-plugin pid=11834
Jun 07 10:43:57 vault.gateway.semla.dfki.dev vault[11817]: 2022-06-07T10:43:57.372+0200 [DEBUG] secrets.vault-gpg-plugin.vault-gpg-plugin_3c840356.vault-gpg-plugin: waiting for RPC address: path=/etc/vault.d/plugins/vault-gpg-plugin
Jun 07 10:43:57 vault.gateway.semla.dfki.dev vault[11817]: 2022-06-07T10:43:57.410+0200 [DEBUG] secrets.vault-gpg-plugin.vault-gpg-plugin_3c840356.vault-gpg-plugin.vault-gpg-plugin: plugin address: network=unix address=/tmp/plugin262060118 timestamp="2022-06-07T10:43:57.410+0200"
Jun 07 10:43:57 vault.gateway.semla.dfki.dev vault[11817]: 2022-06-07T10:43:57.410+0200 [DEBUG] secrets.vault-gpg-plugin.vault-gpg-plugin_3c840356.vault-gpg-plugin: using plugin: version=4
Jun 07 10:43:57 vault.gateway.semla.dfki.dev vault[11817]: 2022-06-07T10:43:57.437+0200 [DEBUG] secrets.vault-gpg-plugin.vault-gpg-plugin_3c840356.vault-gpg-plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unimplemented desc = unknown service plugin.GRPCStdio"

What I tried:
I started with the vault CLI, which did not work client side due to the ARG_MAX limit on parameter size, so I created a small python script that reads the file and sends it to the vault server via an HTTPS request (using the requests package). For small files that worked, but at a certain threshold the plugin crashes.
Based on previous issues (#4 and #9), I increased the limits in the vault config:

max_request_size = -1
max_request_duration = "999s"

and I also gave the machine more than enough RAM to process the file (vault runs on a VM with 32G of RAM).

Gpg plugin.

Hi,
I have just started with this gpg plugin and wanted to have some clarifications.
1. What will be the output of the create key endpoint? Will it generate a key pair (public/private key)?
2. If it's creating a key pair, can we export both the public and private key outside of vault using the export endpoint?
3. What is the use of the show session key endpoint?
4. Can I use this plugin to generate a gpg key and use that key to encrypt data outside of vault?

Unable to "Create Key" using the http API

Hello,

I am just getting started with vault and gpg plugin and I get the following error when I try to create a key. Hope I am not missing something obvious. Vault started in server -dev mode.

curl --header "X-Vault-Token:$VAULT_TOKEN" --request POST --data @payload.json http://127.0.0.1:8200/v1/vault-gpg-plugin/keys/my-key

and the response I get is

{"errors":["1 error occurred:\n\n* internal error"]}

On the vault server side, I see the following messages

2018/01/31 03:08:07.585993 [INFO ] core: successful mount: path=vault-gpg-plugin/ type=plugin
2018/01/31 03:10:21.703524 [ERROR] core: failed to run existence check: error=gob: type not registered for interface: json.Number
2018/01/31 03:11:12.182289 [ERROR] rollback: error rolling back: path=vault-gpg-plugin/ error=unexpected EOF

Vault: 0.9.3
vault-gpg-plugin: 0.1.3

I was able to import and enable the plugin, as you can see from the first log message.

sign docker images

Hi,

Are there examples/howtos available on how to use this to sign docker images?

cheers,

--
staf

Release

Can the updated vault/api dependabot commits be already released so the plugin is compatible with the latest Vault versions?

Key rotation

Is there a feature to rotate the key pair and use the new private key to decrypt old data encrypted with the previous key?

Issue with importing external key

Hello,

I generated a gpg key and tried to import it with the curl API. To do that I use this json file:

And the command:
curl --header "X-Vault-Token: hvs.B2oGz1YaL8hWclxXKQlTwoLi" --request POST --data @requests/import_key.json http://127.0.0.1:8200/v1/gpg/keys/test1

But I get this result:
{"errors":["the key could not be serialized, is a private key present?"]}

Also, when I delete "generate": "false", from the json it seems to work.

I don't understand what is going wrong.
Thank you

Proposal: Vendoring dependencies using dep

Currently it's hard to have a reproducible build of the plugin since the dependencies for this plugin are not vendored. Normally go repositories use a dependency management tool like dep to ensure stable dependencies.

I've been using dep to handle dependencies when I'm building this plugin locally. @LeSuisse Would it be okay to send out a PR for vendoring the dependencies of this plugin so that others can benefit from this as well?

Import public key only (feature request)

Would you be open to a pull request that allows one to upload his public key only to this GPG plugin?

Obviously, not all operations would work, because there would be no private key to do operations like signing. On the other hand, it would enable a new "Encrypt" use case. Current Transit public-key encryption uses OAEP and SHA256, which gives only a few hundred bits' worth of plaintext data that can be encrypted, barely enough for an AES256 key, not to mention that you would have to do the decryption by hand after that...

(This is different from issue #85, where the private key is imported.)

It would simplify adoption for teams that already have a key pair, many of them on a Yubikey, with the private key hard/impossible to export.

Plugin doesn't work on Vault Docker image based on Alpine Linux

The plugin doesn't work in the Vault Docker image based on Alpine Linux:

/etc/vault/plugins # wget https://github.com/LeSuisse/vault-gpg-plugin/releases/download/v0.2.2/linux_amd64.zip
...
linux_amd64.zip      100% |********************************************************************************************************************************************************************| 7401k  0:00:00 ETA
/etc/vault/plugins # unzip linux_amd64.zip 
Archive:  linux_amd64.zip
  inflating: linux_amd64.sha256sum
  inflating: vault-gpg-plugin
/etc/vault/plugins # ls -la vault-gpg-plugin 
-rwxr-xr-x    1 root     root      16041188 Mar 23 16:02 vault-gpg-plugin
/etc/vault/plugins # ./vault-gpg-plugin 
sh: ./vault-gpg-plugin: not found
/etc/vault/plugins # 

It seems to be a problem with the build. Can you check, please?

Key Import issues

Hi,

We are using this plugin to generate gpg keys in vault and import the keys to encrypt/sign data outside of Vault.

We have one application server where the key import fails because it expects this text "Version: GnuPG v2" in the key block.

Do we have to make changes to the GPG version installed on our server or is there a possibility to generate key with this text?

Thank you.

Signing RPMs with the generated signatures

This may be obvious, but I have configured the plugin and been able to generate signatures, but I don't understand how to actually "attach" those signatures to the RPMs I want to sign. Is there a way to configure rpmsign to use the vault server as the source of the signature?

Thanks!

Signing large files.

Hello, I wish there were a discussions tab on GitHub. This is not an issue per se but a question: is there any way to sign large files with this plugin? If not, can you please recommend a way to do it?

I am trying to submit a large json file with base64 encoded data which needs to be signed (300MB) using curl and I get "* failed to parse JSON input: http: request body too large".

Feature Request: Upload key to key server via API

Would it be possible to extend the API, such that you can upload keys to a key server directly from the API?

The problem I currently have is that when getting the public key via the read request, you don't get any of the deposited metadata like email or real name back. In order to upload a key to a key server I have to manually re-enter the key with metadata into the gpg CLI and export it from there.

Maybe I'm missing something, but I don't see why some of the parameters, like email and real_name, are needed at all if I can't really use them.

Decrypt Session Key only

This might be an interesting new feature for very large file decryption....

Would it be possible to pass INTO the vault the encrypted session key only (it can be manually pulled from the encrypted file using, for example, head) and decrypt only the session key?

This would be really interesting in cases where the files are really large: in theory you only need to decrypt the session key using the private key kept in vault, and then override the session key when calling gpg locally, like gpg -d -o myverylargefile --override-session-key XXXXX

This way you can decrypt very large files locally but still keep the private key in the vault only.

Feature Suggestion: Expose subkeys

I am currently implementing this plugin to distribute GPG keys in my cluster to be used with duplicity. While doing that I came up with the following idea. Unfortunately, I don't speak Go yet, so I'll settle for filing an issue here.

The basics

GPG keyrings consist of a certification key (C), which can be equivalent to the signing key (S) (the default in GnuPG), and an encryption subkey (E). For obvious reasons, the signing key and encryption key shouldn't be the same. For the certification and signing keys that is debatable, and great things can be accomplished when they're not the same. Unfortunately the library underlying this plugin seems to only create this type of keyring and doesn't expose an API to create a certification-only key, which I think is a bug that I'll report over there.

Still, it's perfectly viable for a keyring to have multiple signing subkeys and encryption subkeys, which is especially useful when combined with expiry dates.

The request

So it would be fantastic if the plugin would expose additional API endpoints to manage subkeys for the keyrings stored in Vault, allowing users to create new ones, perhaps even with permissions scoped to types of subkeys.

Future outlook

Even better would be, when crypto.openpgp starts supporting it, to have an API model that supports the keyring-structure described in the article linked above, where only Vault holds the certification key and can create new subkeys, but an API exists to export the keyring with the certification private key removed, leaving only the private keys for the subkeys in there.

Thank you for writing this plugin in the first place 👍

Memory usage.

Hello,

Was curious as to why the plugin would want to allocate more memory than vault itself. Any insight appreciated.

The screenshot below shows the usage as reported by top (sorted by memory) after starting up vault and listing GPG keys.

[screenshot: top output, sorted by memory, not included in this copy]

Thank you.

key preferences

I just realized that when creating a new key, its preferences default to 3DES as the cipher algorithm, and there is no parameter in the API to change that. Does this come from the vault plugin itself, or does the plugin read the gpg config for defaults?

How to import external keys to Vault

Hello,

First I would like to thank you for this plugin. Amazing work.

My issue is just a question/doubt I'm facing while using it. I don't know how to import an external pgp key into vault. What should I do? I already exported it from GPG and I have the ascii-armored key in a file. I tried this way:

vault write gpg/keys/test --generate=false --key=./file_private.key

Can you help me on that?

Thanks,
Lucas.

Not able to mount the plugin - pls help with the appropriate command to issue

Hi @LeSuisse ,

I am able to register the plugin in the catalog. Here is a command that shows that it is there -

 curl \
    --header "X-Vault-Token: a928f80a-933f-2b5a-3ebc-0db2bbccea89" \
    --request GET \
    http://localhost:8200/v1/sys/plugins/catalog/gpg
{"name":"gpg","command":"/Users/ksachdeva/Desktop/Dev/exp/vaultexp/plugindir/vault-gpg-plugin","args":[],"sha256":"hwiYXMWbljdYehy4mX5I0XmPNQmVKMubJF/86kgJ6As=","builtin":false,"request_id":"34a59bed-6a2e-a117-e44e-bef6a118dca3","lease_id":"","renewable":false,"lease_duration":0,"data":{"args":[],"builtin":false,"command":"/Users/ksachdeva/Desktop/Dev/exp/vaultexp/plugindir/vault-gpg-plugin","name":"gpg","sha256":"hwiYXMWbljdYehy4mX5I0XmPNQmVKMubJF/86kgJ6As="},"wrap_info":null,"warnings":null,"auth":null}

However, when I try to mount I get the following error:

> vault mount gpg
Mount error: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/mounts/gpg
Code: 400. Errors:

* unknown backend type: gpg

Most likely I am making an error in issuing the mount command.

I would appreciate it if you could guide me on how to mount your plugin.

Regards & thanks
Kapil

import/export private key problems

I'm not sure exactly where this error comes from, but I'm having a problem importing existing private keys generated with gpg2. I played around a bit with it by generating a private key in vault using exportable:true and then importing it on my desktop. However, when I export the same private key and upload it to vault I get an "openpgp: incorrect key" error.

At the same time I also noticed that the timestamps of keys generated by vault were about 9.5h off from those of keys generated at the same time on my laptop; not sure if it's related.

To reproduce:

  1. Generate a new key using /v1/gpg/keys/:name, make sure it's exportable
  2. Export key using /v1/gpg/export/:name
  3. Import locally using gpg or gpg2
  4. Export private key using -armor --export-secret-key
  5. Compare initial private key to exported key - looks different
  6. Import key using /v1/gpg/keys/:name
  7. Try decrypting with key - error

{"errors":["1 error occurred:\n\n* internal error"]} on create key

Hi, as the title states, I receive this error upon testing a create example in the README. I loaded the linux_amd64 build with no issue. Other vault API commands work fine.

Also, if I try a GET on /gpg/keys I receive:
{ "errors": [ "1 error occurred:\n\n* plugin exited before we could connect" ] }

Any help is appreciated.
