diff --git a/changelog/29402.txt b/changelog/29402.txt
new file mode 100644
index 0000000000..3f12457a1f
--- /dev/null
+++ b/changelog/29402.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core: add support for reading certain sensitive seal wrap and managed key (enterprise) configuration values from the environment or files.
+```
diff --git a/go.mod b/go.mod
index b6abf2bf3b..9f55e1ee2f 100644
--- a/go.mod
+++ b/go.mod
@@ -92,14 +92,14 @@ require (
 github.com/hashicorp/go-gcp-common v0.9.1
 github.com/hashicorp/go-hclog v1.6.3
 github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1
- github.com/hashicorp/go-kms-wrapping/v2 v2.0.16
- github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.9
- github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.3
- github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9
- github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11
- github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12
- github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7
- github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.12
+ github.com/hashicorp/go-kms-wrapping/v2 v2.0.18
+ github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.10
+ github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.4
+ github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11
+ github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.12
+ github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13
+ github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.9
+ github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.13
 github.com/hashicorp/go-memdb v1.3.4
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-plugin v1.6.1
@@ -112,7 +112,7 @@ require (
 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2
 github.com/hashicorp/go-secure-stdlib/mlock v0.1.3
 github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0
- github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9
 github.com/hashicorp/go-secure-stdlib/password v0.1.1
 github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0
 github.com/hashicorp/go-secure-stdlib/reloadutil v0.1.1
diff --git a/go.sum b/go.sum
index 5749079365..5c55db2693 100644
--- a/go.sum
+++ b/go.sum
@@ -1419,22 +1419,22 @@ github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1 h1:KIge4FHZEDb2/xjaWgmBheCTgRL6HV4sgTfDsH876L8= github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1/go.mod h1:aHO1EoFD0kBYLBedqxXgalfFT8lrWfP7kpuSoaqGjH0= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 h1:WZeXfD26QMWYC35at25KgE021SF9L3u9UMHK8fJAdV0= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.16/go.mod h1:ZiKZctjRTLEppuRwrttWkp71VYMbTTCkazK4xT7U/NQ= -github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.9 h1:HpGOHc0Vd3aacMAEtAUVe38zMcq7BfYQSjrGCmtRNx0= -github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.9/go.mod h1:ygxw8l40DbAQQ587OzoB3bsBWVpB0e/BOWKlXgYkfG8= -github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.3 h1:36Pxy8BQd7DAJ2Mk6vuJlIjqQ80e20vlO7a4Ep3RTOg= -github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.3/go.mod h1:heY2PS1SGU0cMamgv+zId/sKT+XFHaf61bLOSnP1Gb8= -github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9 h1:qdxeZvDMRGZ3YSE4Oz0Pp7WUSUn5S6cWZguEOkEVL50= -github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.9/go.mod h1:DcXbvVpgNWbxGmxgmu3QN64bEydMu14Cpe34RRR30HY= -github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11 h1:/7SKkYIhA8cr3l8m1EKT6Q90bPoSVqqVBuQ6HgoMIkw= -github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.11/go.mod h1:LepS5s6ESGE0qQMpYaui5lX+mQYeiYiy06VzwWRioO8= -github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12 h1:PCqWzT/Hii0KL07JsBZ3lJbv/wx02IAHYlhWQq8rxRY= -github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.12/go.mod h1:HSaOaX/lv3ShCdilUYbOTPnSvmoZ9xtQhgw+8hYcZkg= -github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7 h1:KeG3QGrbxbr2qAqCJdf3NR4ijAYwdcWLTmwSbR0yusM= -github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.7/go.mod 
h1:rXxYzjjGw4HltEwxPp9zYSRIo6R+rBf1MSPk01bvodc= -github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.12 h1:E8pzzF7i44OZCYDol+U7VbTBmHe65/6dx1nYxS0P1k0= -github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.12/go.mod h1:YRqguGarF7kbHeojTPkanH3qvjbEP2pelq5b0ifaQ1M= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 h1:DLfC677GfKEpSAFpEWvl1vXsGpEcSHmbhBaPLrdDQHc= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.18/go.mod h1:t/eaR/mi2mw3klfl1WEAuiLKrlZ/Q8cosmsT+RIPLu0= +github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.10 h1:am7ai27sEGpfOefHhUShbWAOa6EvkBaiMpB7zZ/PUyo= +github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2 v2.0.10/go.mod h1:sYX07HI7wMCFe9+FmxMOCwJ7q5CD4aq3VI+KoB8FYZY= +github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.4 h1:8XgCt3ZDfE0MPBLJsUE4ZnPkFAF4K13Zxqyjx1lA22A= +github.com/hashicorp/go-kms-wrapping/wrappers/alicloudkms/v2 v2.0.4/go.mod h1:Inx0DLGr58Un5TerS8je0SGZwKKihotqaxqoAKHpSmk= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11 h1:J9zGa9SlcOHT3SQTj0Vv3shHo0anWbs58weURGCgChI= +github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2 v2.0.11/go.mod h1:iAOCu7/lG5eugg8+k7NVvQt0IpWT8s2Q9wnMtC/guM4= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.12 h1:ZL6jMQVOOvtog9/L9MLR1J7VssliIBVEFQlzKC9nn2c= +github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 v2.0.12/go.mod h1:qAc0pzuhbesYKpFUmCWCPiOo6XdgpGEeYSE7Y7EXfgM= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13 h1:NGBZnF+yPRZ3gjFl69Y2m58/U0iyB2oH9HaznL9tekA= +github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2 v2.0.13/go.mod h1:4Xb+6d8VPeDcUNuh4toPqJlDpkajeJyIQeg36TtWhKw= +github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.9 h1:rlKOPHzZ41QeV/H6UIX2wVkPhLzVK+nKhLRIbIAZ0Yc= +github.com/hashicorp/go-kms-wrapping/wrappers/ocikms/v2 v2.0.9/go.mod h1:pHJfTvq97FAKCWxIJOHZWQmVfRXmUN6tmgEcgj3nC+M= +github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.13 
h1:UuDeq3nr0e+H9CrZM3dvpDGkWFSJYTtuTqVekn2za2k= +github.com/hashicorp/go-kms-wrapping/wrappers/transit/v2 v2.0.13/go.mod h1:E2dYgXYNkvKe84PIxD9eJqqhFRA4guCTDweJR4i0gds= github.com/hashicorp/go-memdb v1.3.4 h1:XSL3NR682X/cVk2IeV0d70N4DZ9ljI885xAEU8IoK3c= github.com/hashicorp/go-memdb v1.3.4/go.mod h1:uBTr1oQbtuMgd1SSGoR8YV27eT3sBHbYiNm53bMpgSg= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= @@ -1474,8 +1474,8 @@ github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 h1:kH3Rhiht36xhAfhuHyWJDgdXXE github.com/hashicorp/go-secure-stdlib/mlock v0.1.3/go.mod h1:ov1Q0oEDjC3+A4BwsG2YdKltrmEw8sf9Pau4V9JQ4Vo= github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0 h1:iJG9Q3iUme12yH+wzBMGYrw/Am4CfX3sDcA8m5OGfhQ= github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0/go.mod h1:s28ohJ0kU6tersf0it/WsBCyZSdziPlP+G1FRA3ar28= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 h1:FW0YttEnUNDJ2WL9XcrrfteS1xW8u+sh4ggM8pN5isQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0= github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsjaA9x3GyjdI568bXKxa60= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0 h1:U6y5MXGiDVOOtkWJ6o/tu1TxABnI0yKTQWJr7z6BpNk= diff --git a/sdk/go.mod b/sdk/go.mod index f17b8268e8..17c98eb1d9 100644 --- a/sdk/go.mod +++ b/sdk/go.mod 
@@ -22,14 +22,14 @@ require (
 github.com/hashicorp/go-hclog v1.6.3
 github.com/hashicorp/go-immutable-radix v1.3.1
 github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1
- github.com/hashicorp/go-kms-wrapping/v2 v2.0.16
+ github.com/hashicorp/go-kms-wrapping/v2 v2.0.18
 github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-plugin v1.6.1
 github.com/hashicorp/go-retryablehttp v0.7.7
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0
 github.com/hashicorp/go-secure-stdlib/mlock v0.1.3
- github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9
 github.com/hashicorp/go-secure-stdlib/password v0.1.1
 github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0
 github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.1
diff --git a/sdk/go.sum b/sdk/go.sum
index 412a1d871f..ed708a5dc3 100644
--- a/sdk/go.sum
+++ b/sdk/go.sum
@@ -182,8 +182,8 @@ github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1 h1:KIge4FHZEDb2/xjaWgmBheCTgRL6HV4sgTfDsH876L8= github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1/go.mod h1:aHO1EoFD0kBYLBedqxXgalfFT8lrWfP7kpuSoaqGjH0= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.16 h1:WZeXfD26QMWYC35at25KgE021SF9L3u9UMHK8fJAdV0= -github.com/hashicorp/go-kms-wrapping/v2 v2.0.16/go.mod h1:ZiKZctjRTLEppuRwrttWkp71VYMbTTCkazK4xT7U/NQ= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 h1:DLfC677GfKEpSAFpEWvl1vXsGpEcSHmbhBaPLrdDQHc= +github.com/hashicorp/go-kms-wrapping/v2 v2.0.18/go.mod h1:t/eaR/mi2mw3klfl1WEAuiLKrlZ/Q8cosmsT+RIPLu0= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.6.1 h1:P7MR2UP6gNKGPp+y7EZw2kOiq4IR9WiqLvp0XOsVdwI= 
@@ -199,8 +199,8 @@ github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0 h1:4B46+S65WqQUlp0rX2F7T github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 h1:kH3Rhiht36xhAfhuHyWJDgdXXEx9IIZhDGRk24CDhzg= github.com/hashicorp/go-secure-stdlib/mlock v0.1.3/go.mod h1:ov1Q0oEDjC3+A4BwsG2YdKltrmEw8sf9Pau4V9JQ4Vo= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 h1:FW0YttEnUNDJ2WL9XcrrfteS1xW8u+sh4ggM8pN5isQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0= github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsjaA9x3GyjdI568bXKxa60= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0 h1:U6y5MXGiDVOOtkWJ6o/tu1TxABnI0yKTQWJr7z6BpNk= diff --git a/website/content/docs/configuration/seal/alicloudkms.mdx b/website/content/docs/configuration/seal/alicloudkms.mdx index 28eff85cd4..43a074fcff 100644 --- a/website/content/docs/configuration/seal/alicloudkms.mdx +++ b/website/content/docs/configuration/seal/alicloudkms.mdx @@ -70,6 +70,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`. +`access_key` and `secret_key` can be [indirect value references](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. ## Authentication 
diff --git a/website/content/docs/configuration/seal/awskms.mdx b/website/content/docs/configuration/seal/awskms.mdx index 0c0b73c72f..c84dcf6c48 100644 --- a/website/content/docs/configuration/seal/awskms.mdx +++ b/website/content/docs/configuration/seal/awskms.mdx @@ -55,7 +55,7 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `access_key` `(string: )`: The AWS access key ID to use. May also be specified by the `AWS_ACCESS_KEY_ID` environment variable or as part of the - AWS profile from the AWS CLI or instance profile. + AWS profile from the AWS CLI or instance profile. - `session_token` `(string: "")`: Specifies the AWS session token. This can also be provided via the environment variable `AWS_SESSION_TOKEN`. @@ -76,6 +76,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: Endpoint](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html). If not set, Vault will use the default API endpoint for your region. +`access_key`, `session_token`, and `secret_key` can be [indirect value references](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. ## Authentication diff --git a/website/content/docs/configuration/seal/azurekeyvault.mdx b/website/content/docs/configuration/seal/azurekeyvault.mdx index 40b62f3721..6e6daa62f3 100644 --- a/website/content/docs/configuration/seal/azurekeyvault.mdx +++ b/website/content/docs/configuration/seal/azurekeyvault.mdx 
@@ -72,6 +72,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`. +`client_id`, `client_secret`, and `tenant_id` can be [indirect value references](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. diff --git a/website/content/docs/configuration/seal/gcpckms.mdx b/website/content/docs/configuration/seal/gcpckms.mdx index 8483a0b7e1..dac5b72b98 100644 --- a/website/content/docs/configuration/seal/gcpckms.mdx +++ b/website/content/docs/configuration/seal/gcpckms.mdx @@ -69,6 +69,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`. +`credentials` can be an [indirect value reference](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. ## Authentication & permissions diff --git a/website/content/docs/configuration/seal/index.mdx b/website/content/docs/configuration/seal/index.mdx index 405abfb957..52afe0f1ed 100644 --- a/website/content/docs/configuration/seal/index.mdx +++ b/website/content/docs/configuration/seal/index.mdx 
@@ -43,4 +43,16 @@ seal "pkcs11" { For configuration options which also read an environment variable, the environment variable will take precedence over values in the configuration file. +### Indirect value references + +Some configuration options, considered sensitive, may use a special syntax +in the value of the option that indicates the final value should be sourced +from the environment or a file. Two URL style forms are supported: + +* `env://name`: The final value will be the contents of the environment + variable with key `name`. +* `file://path`: The final value will be the contents of the file at + `path`. Path may be absolute or relative, and if relative, is relative to + the working directory of the Vault process. + [sealwrap]: /vault/docs/enterprise/sealwrap \ No newline at end of file diff --git a/website/content/docs/configuration/seal/ocikms.mdx b/website/content/docs/configuration/seal/ocikms.mdx index 1697fe21be..00bc25f031 100644 --- a/website/content/docs/configuration/seal/ocikms.mdx +++ b/website/content/docs/configuration/seal/ocikms.mdx @@ -60,6 +60,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`. +`key_id` can be an [indirect value reference](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. ## Authentication diff --git a/website/content/docs/configuration/seal/pkcs11.mdx b/website/content/docs/configuration/seal/pkcs11.mdx index 4f7fa3f87e..7b31b2c5a1 100644 --- a/website/content/docs/configuration/seal/pkcs11.mdx +++ b/website/content/docs/configuration/seal/pkcs11.mdx 
@@ -170,6 +170,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`. +`pin` can be an [indirect value reference](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. ### Mechanism specific flags diff --git a/website/content/docs/configuration/seal/transit.mdx b/website/content/docs/configuration/seal/transit.mdx index d6b9d666bb..cffa505245 100644 --- a/website/content/docs/configuration/seal/transit.mdx +++ b/website/content/docs/configuration/seal/transit.mdx @@ -105,6 +105,8 @@ These parameters apply to the `seal` stanza in the Vault configuration file: - `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`. +`token` and `tls_client_key` can be [indirect value references](/vault/docs/configuration/seal#indirect-value-references). + Refer to the [Seal Migration](/vault/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process. ## Authentication