KMIP Secrets Engine
Note: This secret engine requires Vault Enterprise with the Advanced Data Protection Module.
The KMIP secrets engine allows Vault to act as a Key Management Interoperability Protocol (KMIP) server provider and handle the lifecycle of its KMIP managed objects. KMIP is a standardized protocol that allows services and applications to perform cryptographic operations without having to manage cryptographic material, otherwise known as managed objects, by delegating its storage and lifecycle to a key management server.
Setup
The KMIP secrets engine must be configured before it can start accepting KMIP requests.
Enable the KMIP secrets engine
Configure the secrets engine with the desired listener addresses to use and TLS parameters, or leave unwritten to use default values
Usage
Scopes and Roles
The KMIP secrets engine uses the concept of scopes to partition KMIP managed object storage into multiple named buckets. Within a scope, roles can be created which dictate the set of allowed operations that the particular role can perform. TLS client certificates can be generated for a role, which services and applications can then use when sending KMIP requests against Vault's KMIP secret engine.
In order to generate client certificates for KMIP clients to interact with Vault's KMIP server, we must first create a scope and role and specify the desired set of allowed operations for it.
Create a scope:
Create a role within the scope, specifying the set of operations to allow or deny.
Client Certificate Generation
Once a scope and role has been created, client certificates can be generated for that role. The client certificate can then be provided to applications and services that support KMIP to establish communication with Vault's KMIP server. Scope and role identifiers are embedded in the certificate, which will be used when evaluating permissions during a KMIP request.
Generate a client certificate. This returns the CA Chain, the certificate, and the private key.
Client Certificate Signing
As an alternative to the above section on generating client certificates, the KMIP secrets engine supports signing of Certificate Signing Requests (CSRs). Normally the above generation process is simpler, but some KMIP clients prefer (or only support) retaining the private key associated with their client certificate.
In this workflow the first step is KMIP-client dependent: use the KMIP client's UI or CLI to create a client certificate CSR in PEM format.
Sign the client certificate. This returns the CA Chain and the certificate, but not the private key, which never leaves the KMIP client.
Supported KMIP Operations
The KMIP protocol supports a wide variety of operations that can be issued by clients to perform certain actions, such as key management, encryption, signing, etc. The KMIP secrets engine currently supports a subset of KMIP operations.
Supported KMIP operations:
Additionally, there are two pseudo-operations that can be used to allow or deny all operation capabilities to a role. These operations are mutually exclusive to all other operations. That is, if it's provided during role creation or update, no other operations can be provided. Similarly, if an existing role contains a pseudo-operation, and it is then updated with a set supported operation, it will be overwritten with the newly set of provided operations.
Pseudo-operations:
Tutorial
Refer to the KMIP Secrets Engine guide for a step-by-step tutorial.