Version: 8.0.13 (latest)

Passkey Management

The Passkey Management feature in Veeam Kasten provides an interface for managing encryption passkeys used to securely encrypt and decrypt the primary Kasten encryption key responsible for protecting backup data. This feature allows administrators to create, view, and manage multiple passkeys from different key management stores via both the Kasten UI and kubectl commands.

Overview

These passkeys use envelope encryption to protect the primary Kasten key used to derive keys for all application backup data and metadata. The primary key performs the encryption of backup data, while passkeys encrypt and protect the primary key itself.

A passkey is considered valid when Kasten can successfully access and use it to decrypt the primary key. Invalid passkeys may result from connection issues with external services, missing Kubernetes secrets, or other configuration errors.

Note

Each Kasten instance requires a minimum of one valid passkey to function. It is not possible to delete the last remaining valid passkey.
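To make the envelope-encryption model above concrete, here is a constructed Python illustration. It is an added example, not Veeam Kasten's code: a single primary key is wrapped separately under every registered passkey, any one valid passkey is enough to recover it, and deleting the last valid passkey is refused. The wrapping primitive (an HMAC-SHA256 keystream XOR with an HMAC tag) is a stand-in for the real passphrase-, AWS KMS- or Vault-backed wrapping, and the `PasskeyRing` class and its method names are assumptions made for this example.

```python
"""Toy model of the passkey / primary-key relationship (constructed example).

Not Kasten's implementation: the wrapping primitive is a toy HMAC-CTR
stream plus an HMAC tag, standing in for the real KMS/Vault/passphrase
wrapping. The structure is what matters: one primary key, many envelopes.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy HMAC counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(passkey: bytes, primary_key: bytes) -> dict:
    """Encrypt the primary key under one passkey: one 'envelope'."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(passkey, nonce, len(primary_key))
    ct = bytes(a ^ b for a, b in zip(primary_key, ks))
    tag = hmac.new(passkey, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(passkey: bytes, envelope: dict) -> Optional[bytes]:
    """Return the primary key if this passkey opens the envelope, else None."""
    expected = hmac.new(passkey, envelope["nonce"] + envelope["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None  # wrong or unreachable passkey material: envelope stays closed
    ks = _keystream(passkey, envelope["nonce"], len(envelope["ct"]))
    return bytes(a ^ b for a, b in zip(envelope["ct"], ks))


class PasskeyRing:
    """One primary key, wrapped separately under every registered passkey."""

    def __init__(self) -> None:
        self.primary_key = secrets.token_bytes(32)   # key that protects backup data
        self.envelopes: Dict[str, dict] = {}          # passkey name -> wrapped primary key

    def add(self, name: str, passkey: bytes) -> None:
        if name in self.envelopes:
            raise ValueError(f"passkey {name!r} already exists")
        self.envelopes[name] = wrap(passkey, self.primary_key)

    def valid_passkeys(self, available: Dict[str, bytes]) -> List[str]:
        """Passkeys whose material is reachable right now and actually opens its envelope."""
        return [n for n, env in self.envelopes.items()
                if n in available and unwrap(available[n], env) is not None]

    def recover_primary_key(self, available: Dict[str, bytes]) -> Optional[bytes]:
        """Any single valid passkey is enough; with none, the data is unrecoverable."""
        for name in self.valid_passkeys(available):
            return unwrap(available[name], self.envelopes[name])
        return None

    def remove(self, name: str, available: Dict[str, bytes]) -> None:
        """Refuse the deletion that would leave zero valid passkeys."""
        remaining = [n for n in self.valid_passkeys(available) if n != name]
        if not remaining:
            raise ValueError("refusing to delete the last valid passkey")
        del self.envelopes[name]
```

The `available` mapping models what Kasten can reach at a given moment (a Secret that exists, a KMS key it has permission to use); a passkey whose material is missing or wrong simply fails to open its envelope, which is what "invalid" means above.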

Veeam Kasten supports the following types of passkeys:

  • Passphrase: Uses a passphrase specified in a Kubernetes Secret
  • AWS Key Management Service: Uses AWS Customer Managed Keys (CMK)
  • HashiCorp Vault: Uses Vault Transit Secrets Engine

Passkey Management Via the UI

Note

Admin users can view all valid passkeys for Kasten under Settings > Passkey Management.

Create a Passkey

  1. Create New Passkey: Click the "Create New Passkey" button
  2. Configure Passkey Details:
    • Passkey Name: Enter a unique name for the passkey
    • Passkey Type: Select from AWS Key Management Service, HashiCorp Vault, or Passphrase

Passphrase Configuration

  1. Passphrase: Enter a secure passphrase for encrypting backup data
  2. Confirm Passphrase: Re-enter the passphrase for confirmation

Warning

Store the passphrase securely outside of the cluster, as it will be required for disaster recovery operations.

Passphrases are less secure than using a managed key service like AWS Key Management Service or HashiCorp Vault.

AWS Key Management Service Configuration

  1. AWS CMK Key ID: Provide the AWS Customer Master Key ID
    • Format: arn:aws:kms:region:account:key/key-id
    • Example: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Note

Using AWS Key Management Service requires that an AWS Infrastructure Profile exists with the required permissions

HashiCorp Vault Configuration

  1. Vault Transit Key Name: Specify the name of the Vault transit encryption key
  2. Vault Transit Path: Enter the Vault transit engine path for encryption operations
    • Default path is typically /transit

Note

Using HashiCorp Vault requires that Veeam Kasten is configured to access Vault.

Delete a Passkey

To delete a passkey via the UI, select the passkey and click the delete option. A confirmation popup will appear to confirm the deletion. Note that you cannot delete a passkey if there is only one passkey remaining, as each Kasten instance requires a minimum of one valid passkey to function.

Passkey Management Via the CLI

Passkeys can be managed programmatically using kubectl commands with the passkeys.vault.kio.kasten.io resource.

Creating Passkeys

Passphrase Passkey

A Passkey that represents a passphrase expects a Kubernetes Secret to be provided which contains the passphrase. This can be done via the creation of a Kubernetes secret in the Veeam Kasten namespace:

kubectl create secret generic <secret-name> \
  --namespace kasten-io \
  --from-literal passphrase=<key>

As shown below, this secret can then be used to create a Passkey. Note that Passkeys are non-namespaced.

cat > sample-passkey.yaml <<EOF
apiVersion: vault.kio.kasten.io/v1alpha1
kind: Passkey
metadata:
  name: passkey1
spec:
  secret:
    ## Reference to the passkey secret
    name: <secret-name>
    namespace: kasten-io
EOF
kubectl create -f sample-passkey.yaml

AWS KMS Passkey

A Passkey can also be used to represent an AWS KMS Customer Managed Key (CMK). The AWS CMK key ID can be provided directly in the passkey.

cat > sample-passkey.yaml <<EOF
apiVersion: vault.kio.kasten.io/v1alpha1
kind: Passkey
metadata:
  name: passkey2
spec:
  awscmkkeyid: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
EOF
kubectl create -f sample-passkey.yaml

HashiCorp Vault Passkey

A Passkey can also be used to represent a HashiCorp Vault Transit Secrets Engine. The Vault Transit key name and mount path can be provided directly in the passkey, as shown below.

In addition, a Vault authentication role and the path to the service account token used for Vault's Kubernetes Authentication method can be passed in via the vaultauthrole and vaultk8sserviceaccounttokenpath fields, respectively. These override the values originally set for Kubernetes Auth during the Helm install.

If using Token Auth, passing in these two values has the effect of upgrading the authentication method from Token to Kubernetes. Please ensure your Vault server is properly configured as shown in Configuring Vault Server for Kubernetes Auth before adding these to the Passkey.

cat > sample-passkey.yaml <<EOF
apiVersion: vault.kio.kasten.io/v1alpha1
kind: Passkey
metadata:
  name: passkey3
spec:
  vaulttransitkeyname: my-key
  vaulttransitpath: my-transit-path
  vaultauthrole: my-auth-role
  vaultk8sserviceaccounttokenpath: /var/run/secrets/kubernetes.io/serviceaccount/token
EOF
kubectl create -f sample-passkey.yaml
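The three manifests above share one layout and differ only in their spec fields, and a few mistakes (a leftover <secret-name> placeholder, a Secret in the wrong namespace, an ARN that is not a KMS key ARN, only one of the two Vault Kubernetes-auth fields set) are cheap to catch before running kubectl. The following Python renderer is an added example, not Kasten's own tooling or validation: it emits the same YAML as the three examples on this page and applies pre-checks derived from the field formats shown here. The function names, the DNS-label name check and the "both Vault auth fields or neither" rule are assumptions made for this example; Kasten's server-side validation is not documented on this page.

```python
"""Render and pre-check Passkey manifests before `kubectl create -f` (constructed example).

Not Kasten's tooling: the checks encode only the field formats shown on the
page (Secret in kasten-io, KMS key ARN layout, Vault auth fields travelling
together). Output is plain YAML text, so no PyYAML is needed.
"""
import re
from typing import List, Optional

KASTEN_NAMESPACE = "kasten-io"

# arn:aws:kms:<region>:<12-digit account>:key/<uuid-style key id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)
# Kubernetes object name as a DNS label. Assumption for this example: stricter than
# the API requires, but it rejects placeholders such as <secret-name>.
K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def _check_name(name: str) -> None:
    if not K8S_NAME.match(name):
        raise ValueError(f"invalid Kubernetes name {name!r}")


def _manifest(name: str, spec_lines: List[str]) -> str:
    """Wrap spec lines in the common Passkey header; Passkeys are cluster-scoped."""
    _check_name(name)
    lines = [
        "apiVersion: vault.kio.kasten.io/v1alpha1",
        "kind: Passkey",
        "metadata:",
        f"  name: {name}",
        "spec:",
    ]
    lines += ["  " + line for line in spec_lines]
    return "\n".join(lines) + "\n"


def passphrase_passkey(name: str, secret_name: str, namespace: str = KASTEN_NAMESPACE) -> str:
    """Passkey referencing a Secret that holds the passphrase under the key `passphrase`."""
    if namespace != KASTEN_NAMESPACE:
        raise ValueError("the passphrase Secret must live in the Veeam Kasten namespace")
    _check_name(secret_name)
    return _manifest(name, [
        "secret:",
        "  ## Reference to the passkey secret",
        f"  name: {secret_name}",
        f"  namespace: {namespace}",
    ])


def aws_kms_passkey(name: str, key_arn: str) -> str:
    """Passkey backed by an AWS KMS Customer Managed Key, given as a full key ARN."""
    if not KMS_KEY_ARN.match(key_arn):
        raise ValueError("awscmkkeyid must look like arn:aws:kms:region:account:key/key-id")
    return _manifest(name, [f"awscmkkeyid: {key_arn}"])


def vault_passkey(name: str, transit_key_name: str, transit_path: str,
                  auth_role: Optional[str] = None,
                  sa_token_path: Optional[str] = None) -> str:
    """Passkey backed by a Vault Transit key; the two Kubernetes-auth fields go together."""
    if (auth_role is None) != (sa_token_path is None):
        raise ValueError("vaultauthrole and vaultk8sserviceaccounttokenpath must be set together")
    spec = [f"vaulttransitkeyname: {transit_key_name}", f"vaulttransitpath: {transit_path}"]
    if auth_role is not None:
        spec += [f"vaultauthrole: {auth_role}",
                 f"vaultk8sserviceaccounttokenpath: {sa_token_path}"]
    return _manifest(name, spec)


if __name__ == "__main__":
    # Redirect to sample-passkey.yaml and apply with `kubectl create -f sample-passkey.yaml`.
    print(aws_kms_passkey(
        "passkey2",
        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    ), end="")
```

Running the script prints the AWS KMS manifest shown above, byte for byte; swap in `passphrase_passkey` or `vault_passkey` for the other two types.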

Listing Passkeys

To list all Passkeys, simply run:

kubectl get passkeys.vault.kio.kasten.io

Getting Passkeys

To get a specific Passkey, run:

kubectl get passkeys.vault.kio.kasten.io passkey1 -o yaml

Deleting Passkeys

You can delete existing Passkeys if they are no longer required. If only a single valid Passkey exists, it cannot be deleted.

kubectl delete passkeys.vault.kio.kasten.io passkey1