Reinitializing the Secret Store with a custom GPG keypair

ENTERPRISE

Using a custom GPG keypair to reinitialize the Secret Store

You can reinitialize the Secret Store with a custom GPG keypair. The steps to do this are:

  1. Edit your SECRETS_BOOTSTRAP value
  2. Stop store and vault services
  3. Remove the Secret Store and Vault data from ZooKeeper
  4. Restart Store and vault services
  5. Create new key pair
  6. Initialize store with new key

Prerequisites:

Edit your SECRETS_BOOTSTRAP value

  1. SSH into your master.

  2. Open the dcos-secrets.env file in your choice of editor.

    sudo vi /opt/mesosphere/etc/dcos-secrets.env
    
  3. Edit the SECRETS_BOOTSTRAP=true value to read false, as shown below.

    SECRETS_BOOTSTRAP=false
    
  4. Save the file and quit the editor.

Stop store and vault services

  1. Stop the Secret Store and Vault services.

    sudo systemctl stop dcos-secrets dcos-vault
    
  2. Confirm that the dcos-secrets service has shut down, using the following command.

    systemctl status dcos-secrets
    
  3. Type q to exit.

  4. Confirm that the dcos-vault service has shut down, using the following command.

    systemctl status dcos-vault
    
  5. Type q to exit.

  6. If your cluster has multiple masters, repeat steps 1 through 5 on each master before continuing.

Remove the Secret Store and Vault data from ZooKeeper

  1. Launch the ZooKeeper command line interface.

    /opt/mesosphere/packages/exhibitor--*/usr/zookeeper/bin/zkCli.sh
    
  2. Execute the following ZooKeeper command to gain superuser privileges, replacing super:secret with the actual user name and password of the ZooKeeper superuser if you have changed them.

    Note: By default, DC/OS sets the ZooKeeper superuser credentials to super:secret. Because this default is publicly documented, we recommend changing it.

    addauth digest super:secret
    
  3. Recursively remove the /dcos/vault/default and /dcos/secrets znodes, as shown below. This deletes all existing secrets and Vault state; they are not preserved across the reinitialization.

    rmr /dcos/vault/default
    rmr /dcos/secrets
    
  4. Confirm that the znodes have been removed, using the following commands. default should no longer be listed under /dcos/vault, and secrets should no longer be listed under /dcos.

    ls /dcos/vault
    ls /dcos
    
  5. Type quit to exit the ZooKeeper command line interface.

Start Store and Vault services

  1. Start the Secret Store and Vault services.

    sudo systemctl start dcos-secrets dcos-vault
    
  2. Confirm that the dcos-secrets service has started up, using the following command.

    systemctl status dcos-secrets
    
  3. Type q to exit.

  4. Confirm that the dcos-vault service has started up, using the following command.

    systemctl status dcos-vault
    
  5. Type q to exit.

  6. If your cluster has multiple masters, repeat steps 1 through 5 on each master before continuing.

Create new key pair

You do not have to use GPG to generate the keypair; these instructions are provided as a convenience. The only requirement is that the keypair can be loaded into GPG. If you use a different tool, import the keys into GPG afterwards and skip to step 4.

  1. Inside the secure shell of a master, use the following command to initiate the creation of a new GPG public-private key pair.

    gpg --gen-key
    
  2. At the first prompt, type 1 to select the RSA and RSA option.

  3. Complete the remainder of the prompts as desired. Protect the private key with a passphrase and keep a backup of it: the private key is the only thing that can decrypt the unseal key the Secret Store returns at the end of this procedure.

  4. Use the following command to export the public key as a single base64-encoded line. Before executing the command, replace <key-ID> below with the ID of the key you just generated.

    Note: gpg prints the ID when generation finishes, in a line such as gpg: key CCE6A37D marked as ultimately trusted; here CCE6A37D is the key ID. You can also find it later with gpg --list-keys.

    gpg --export <key-ID> | base64 -w 0 | tr '\n' ' '
    
  5. Copy the output. This is your public GPG key in base64-encoded format.

  6. Open a new terminal tab on a machine where the DC/OS CLI is installed and logged in to the cluster. The next step uses the CLI to obtain the authentication token and cluster URL, and expects the cluster CA certificate dcos-ca.crt to be in the working directory.

Initialize store with public key

  1. Use the following curl command to initialize the Secret Store with the new GPG public key. Replace the "pgp_keys" value with the base64 string from the previous step. With shares and threshold both set to 1, the store produces a single unseal key and encrypts it to that public key.

    curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" -d '{"shares":1,"threshold":1,"pgp_keys":["mQIN...xQPE="]}' $(dcos config show core.dcos_url)/secrets/v1/init/default -H 'Content-Type: application/json'
    
  2. The Secret Store service returns the unseal key, hex-encoded and encrypted with your public key, together with the key's fingerprint and a root token, indicating success. The root_token is returned in the clear, so store it as carefully as the private key.

    {"keys":["c1c14c03483...c400"],"pgp_fingerprints":["1ff31b0af...d57b464df4"],"root_token":"da8e3b55-8719-4594-5378-4a9f3498387f"}
    

Congratulations! You have successfully reinitialized your Secret Store. To unseal it, refer to Unsealing a Secret Store sealed with custom keys.
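The whole procedure above, scripted as shell functions so that each step can be verified rather than eyeballed. This is an added example and not part of the DC/OS documentation or product: the paths, unit names, znode names and the /secrets/v1/init/default endpoint are taken from the page; the ZK_SUPER and GNUPGHOME handling, the batch gpg parameter file, the sed-based response parsing and the final decryption check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not DC/OS project code. Helpers for reinitializing the
# Secret Store with a custom GPG keypair on one master.
set -eu

SECRETS_ENV="${SECRETS_ENV:-/opt/mesosphere/etc/dcos-secrets.env}"
ZK_SUPER="${ZK_SUPER:-super:secret}"   # the default is public; change it

# Step 1: SECRETS_BOOTSTRAP=true -> false. Fails unless the file now
# contains exactly SECRETS_BOOTSTRAP=false.
disable_bootstrap() {
  sed -i 's/^SECRETS_BOOTSTRAP=true$/SECRETS_BOOTSTRAP=false/' "$1"
  grep -qx 'SECRETS_BOOTSTRAP=false' "$1"
}

# Steps 2 and 4: $1 is stop or start. Verifies the resulting unit state
# with systemctl is-active instead of paging through systemctl status.
set_store_services() {
  sudo systemctl "$1" dcos-secrets dcos-vault
  for unit in dcos-secrets dcos-vault; do
    state=$(systemctl is-active "$unit" || true)
    case "$1:$state" in
      stop:inactive|stop:failed|start:active) ;;
      *) echo "$unit is '$state' after $1" >&2; return 1 ;;
    esac
  done
}

# Step 3: delete the Vault and Secret Store znodes. This destroys every
# stored secret; there is no undo. The trailing ls calls echo what is left.
wipe_secret_store_znodes() {
  zkcli=$(ls /opt/mesosphere/packages/exhibitor--*/usr/zookeeper/bin/zkCli.sh | head -n 1)
  "$zkcli" <<EOF
addauth digest $ZK_SUPER
rmr /dcos/vault/default
rmr /dcos/secrets
ls /dcos/vault
ls /dcos
quit
EOF
}

# Step 5: non-interactive RSA keypair in its own GNUPGHOME ($1) so the
# master's default keyring is untouched. Prints the new key's fingerprint.
# %no-protection keeps this scriptable; the secret key must then be kept
# somewhere protected, because it is what decrypts the unseal key later.
generate_keypair() {
  gpg --homedir "$1" --batch --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $2
Expire-Date: 0
%commit
EOF
  gpg --homedir "$1" --list-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}'
}

# Step 5.4: binary public key ($2 = key ID or fingerprint), base64, one line.
export_pubkey_b64() {
  gpg --homedir "$1" --export "$2" | base64 | tr -d '\n'
}

# Request body for the init call; $1 is the base64 public key.
init_payload() {
  printf '{"shares":1,"threshold":1,"pgp_keys":["%s"]}' "$1"
}

# Step 6: run where the DC/OS CLI is logged in and dcos-ca.crt is in $PWD.
init_secret_store() {
  curl -sS -X PUT --cacert dcos-ca.crt \
    -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    -H 'Content-Type: application/json' \
    -d "$(init_payload "$1")" \
    "$(dcos config show core.dcos_url)/secrets/v1/init/default"
}

# Pull the two sensitive values out of the init response. root_token comes
# back in the clear, so treat it as a secret from this moment on.
response_root_token() {
  printf '%s' "$1" | sed -n 's/.*"root_token":"\([^"]*\)".*/\1/p'
}
response_unseal_key_hex() {
  printf '%s' "$1" | sed -n 's/.*"keys":\["\([^"]*\)".*/\1/p'
}

# Sanity check: the hex value is a PGP message that our private key in
# GNUPGHOME $1 must be able to open. Unsealing itself is on the linked page;
# this only proves the store encrypted to the key we generated.
decrypt_unseal_key() {
  printf '%s' "$2" | xxd -r -p | gpg --homedir "$1" --quiet --decrypt
}
```

Typical use on a master: `disable_bootstrap "$SECRETS_ENV"`, `set_store_services stop`, `wipe_secret_store_znodes`, `set_store_services start` (repeating the first and the service steps on every master), then `fpr=$(generate_keypair "$GNUPGHOME" "secret-store")`, `init_secret_store "$(export_pubkey_b64 "$GNUPGHOME" "$fpr")"` from the CLI host, and `decrypt_unseal_key "$GNUPGHOME" "$(response_unseal_key_hex "$resp")"` to confirm the round trip. The %no-protection line is the one thing a production run should change: generate the key with a passphrase, or move the secret key off the master into whatever key store holds your other unseal material.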