Shamir Secret Sharing
Shamir Secret Sharing is a threshold scheme from cryptography, backed by mathematics, in which no single person holds enough key material to unseal the Vault kingdom. The dealer splits the unseal key into n shares and hands one individual unseal key to each trustee. A preset threshold k of those key holders must come together to unseal the Vault; fewer than k shares are useless.
The essential idea of Adi Shamir's threshold scheme is that 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve, and so forth: the dealer hides the secret as the constant term of a random polynomial of degree k-1, hands each trustee one point on the curve, and any k points recover the polynomial (and so the secret) by interpolation. With only k-1 points every candidate secret is still equally likely, so the scheme is secure regardless of an attacker's computing power. Fun fact: Shamir is the S in RSA; he is a well-known cryptographer.
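The split and interpolation described above, as an added example that is not code from this Ansible role or from HashiCorp Vault. Vault's own implementation works byte-by-byte over GF(2^8); this example instead uses one large prime field (an assumption made for readability) so a 256-bit stand-in for the unseal key can be split and reassembled as a single integer. The function names `split`, `combine` and `demo` are this example's own.

```python
"""Toy Shamir secret sharing over the prime field GF(P).

Added example, not code from this Ansible role or from HashiCorp Vault.
Vault's own implementation works byte-by-byte over GF(2^8); a single large
prime field is used here (an assumption for readability) so one integer
secret, e.g. a 256-bit key, can be split and reassembled in a few lines.
"""
import secrets

# Mersenne prime 2^521 - 1: large enough to hold a 256-bit secret in one element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod P with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, key_shares, key_threshold, rng=secrets.randbelow):
    """Dealer side: hide `secret` as the constant term of a random polynomial
    of degree key_threshold - 1 and hand out one point per trustee."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= key_threshold <= key_shares < P:
        raise ValueError("need 1 <= key_threshold <= key_shares")
    coeffs = [secret] + [rng(P) for _ in range(key_threshold - 1)]
    # x = 0 is never handed out: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, key_shares + 1)]


def combine(shares):
    """Trustee side: Lagrange interpolation at x = 0 through the given points.

    Caveat: the math cannot tell how many shares the dealer required. Fewer
    than the threshold yields some other field element, not an error, so the
    caller must track key_threshold itself (Vault records it at init time)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % P
            den = den * (xi - xj) % P
        # den^(P-2) is the modular inverse of den (Fermat's little theorem, P prime).
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def demo(key_shares=5, key_threshold=3):
    """Split a random 256-bit stand-in for Vault's unseal key and check that
    any threshold-sized subset recovers it while a smaller one does not."""
    master = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split(master, key_shares, key_threshold)
    enough = combine(shares[:key_threshold]) == master
    any_subset = combine(shares[-key_threshold:]) == master
    too_few = combine(shares[:key_threshold - 1]) != master
    return enough and any_subset and too_few


if __name__ == "__main__":
    print("ok" if demo() else "FAIL")
```

Run it as a script to see a 5-of-3 round trip. The point worth keeping in mind when operating Vault is the caveat in `combine`: interpolation over too few shares silently produces garbage rather than failing, which is why the threshold must be stored alongside the shares and why a trustee should never be able to collect shares beyond their own.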
This Ansible role automates the dealer. All trustees should publish their public PGP key on Keybase.io so the dealer can fetch it.
The JSON file vault.json is the same as the output of vault operator init ... with PGP-encrypted unseal keys: each unseal key is encrypted with the public key of one of the team members (Vault's init command takes the trustees' keys via its -pgp-keys option, which also accepts keybase:<username> entries). Each team member can therefore decrypt only their own share, and they must team up to unseal Vault. This four-eyes, six-eyes, or n-eyes principle governs the capability to unseal HashiCorp Vault, and the mechanism that enforces it is Shamir Secret Sharing.