@ -1574,30 +1574,23 @@ func fetchVaultStatus(cfg config.Config) madmin.Vault {
} else {
} else {
vault . Status = "online"
vault . Status = "online"
kmsContext := crypto . Context { "MinIO admin API" : "KMSKeyStatus Handler" } // Context for a test key operation
kmsContext := crypto . Context { "MinIO admin API" : "ServerInfo Handler" } // Context for a test key operation
// 1. Generate a new key using the KMS.
// 1. Generate a new key using the KMS.
key , sealedKey , err := GlobalKMS . GenerateKey ( keyID , kmsContext )
key , sealedKey , err := GlobalKMS . GenerateKey ( keyID , kmsContext )
if err != nil {
if err != nil {
vault . Encrypt = "Encryption failed"
vault . Encrypt = fmt . Sprintf ( "Encryption failed: %v " , err )
} else {
} else {
vault . Encrypt = "Ok"
vault . Encrypt = "Ok"
}
}
// 2. Check whether we can update / re-wrap the sealed key.
// 2. Verify that we can indeed decrypt the (encrypted) key
sealedKey , err = GlobalKMS . UpdateKey ( keyID , sealedKey , kmsContext )
decryptedKey , err := GlobalKMS . UnsealKey ( keyID , sealedKey , kmsContext )
if err != nil {
switch {
vault . Update = "Re-wrap failed:"
case err != nil :
} else {
vault . Decrypt = fmt . Sprintf ( "Decryption failed: %v" , err )
vault . Update = "Ok"
case subtle . ConstantTimeCompare ( key [ : ] , decryptedKey [ : ] ) != 1 :
}
vault . Decrypt = "Decryption failed: decrypted key does not match generated key"
default :
// 3. Verify that we can indeed decrypt the (encrypted) key
decryptedKey , decryptErr := GlobalKMS . UnsealKey ( keyID , sealedKey , kmsContext )
// 4. Compare generated key with decrypted key
if subtle . ConstantTimeCompare ( key [ : ] , decryptedKey [ : ] ) != 1 || decryptErr != nil {
vault . Decrypt = "Re-wrap failed:"
} else {
vault . Decrypt = "Ok"
vault . Decrypt = "Ok"
}
}
}
}