v1.2.0 Latest

HashiCorp Vault's Transit secrets engine is a KMS-as-a-service you run yourself. No SDK dependency -- Sealcraft uses Laravel's HTTP client.

Configure

SEALCRAFT_PROVIDER=vault_transit
SEALCRAFT_VAULT_ADDR=https://vault.internal:8200
SEALCRAFT_VAULT_TOKEN=s.xxxxxxxxxxxxxxxx
SEALCRAFT_VAULT_KEY_NAME=app-kek
SEALCRAFT_VAULT_MOUNT=transit

Token rotation

Do not put a long-lived root token in SEALCRAFT_VAULT_TOKEN. Use one of:

  • AppRole with short-lived tokens; rotate via a sidecar or Vault Agent
  • Kubernetes auth if you run on K8s
  • AWS IAM auth if you run on EC2/EKS

Bind a token resolver in a service provider for dynamic tokens:

Config::set(
    'sealcraft.providers.vault_transit.token_resolver',
    fn (): string => VaultAgent::token(),
);

Transit key policy

Your token needs:

path "transit/encrypt/app-kek" { capabilities = ["update"] }
path "transit/decrypt/app-kek" { capabilities = ["update"] }
path "transit/keys/app-kek"    { capabilities = ["read"] }

The read on transit/keys/app-kek is required for sealcraft:rotate-kek to discover the latest key version.

AAD

Vault Transit's encrypt / decrypt endpoints accept a context field which Sealcraft uses as AAD. Synthetic AAD is not required.

Key rotation

vault write -f transit/keys/app-kek/rotate

Then:

php artisan sealcraft:rotate-kek

Vault retains old key versions indefinitely by default, so rotation is zero-downtime. Configure min_decryption_version on the transit key to retire old versions once all DEKs have been rewrapped.