Add Vault transit docs to vault integrations page #4904
Conversation
Committing Dan's changes. Co-authored-by: Dan Heath <[email protected]>
Co-authored-by: Dan Heath <[email protected]>
| ### Boundary supported key types from Vault transit | ||
|
|
||
| The Vault transit secrets engine provides the following key types which support the necessary operations for Boundary KMS: |
There was a problem hiding this comment.
To me this feels like it's extraneous information; you could link to the transit docs for key types and say "any type that supports encryption". If those aren't spelled out in the transit docs they probably should be.
| The Vault transit secrets engine supports both automatic and manual rotation of configured keys. | ||
|
|
||
| You can configure the Vault transit secrets engine with an [`auto_rotate_period`](https://developer.hashicorp.com/vault/api-docs/secret/transit#auto_rotate_period) to enable the automatic rotation of the configured keys. Boundary automatically rotates the keys in the backend. |
There was a problem hiding this comment.
Boundary does not do this so far as I know. @jimlambrt has more state on our KMS system at this point but I don't think the config-created KMS keys get rotated in any automatic way (and I don't remember if we support it manually at this point).
| You can configure the Vault transit secrets engine with an [`auto_rotate_period`](https://developer.hashicorp.com/vault/api-docs/secret/transit#auto_rotate_period) to enable the automatic rotation of the configured keys. Boundary automatically rotates the keys in the backend. | ||
|
|
||
| You can also [manually rotate](/boundary/docs/concepts/security/data-encryption#key-version-lifecycle-management) keys from the Boundary API or CLI. |
There was a problem hiding this comment.
This rotates the internal KMS keys in Boundary, not the key in Vualt's transit engine. I believe if necessary it will re-encrypt with the external KMS, but I really don't remember if you can rotate the root KMS key. Again @jimlambrt probably has more state.
No description provided.