diff --git a/vault/init.go b/vault/init.go
index 4e12261e0041..28ff05743736 100644
--- a/vault/init.go
+++ b/vault/init.go
@@ -319,6 +319,32 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		SecretShares: [][]byte{},
 	}
 
+	// If we are storing shares, pop them out of the returned results and push
+	// them through the seal
+	switch c.seal.StoredKeysSupported() {
+	case seal.StoredKeysSupportedShamirRoot:
+		keysToStore := [][]byte{barrierKey}
+		if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
+			c.logger.Error("failed to set seal key", "error", err)
+			return nil, fmt.Errorf("failed to set seal key: %w", err)
+		}
+		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
+			c.logger.Error("failed to store keys", "error", err)
+			return nil, fmt.Errorf("failed to store keys: %w", err)
+		}
+		results.SecretShares = sealKeyShares
+	case seal.StoredKeysSupportedGeneric:
+		keysToStore := [][]byte{barrierKey}
+		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
+			c.logger.Error("failed to store keys", "error", err)
+			return nil, fmt.Errorf("failed to store keys: %w", err)
+		}
+	default:
+		// We don't support initializing an old-style Shamir seal anymore, so
+		// this case is only reachable by tests.
+		results.SecretShares = barrierKeyShares
+	}
+
 	// Perform initial setup
 	if err := c.setupCluster(ctx); err != nil {
 		c.logger.Error("cluster setup failed during init", "error", err)
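Review bot: The switch added at the top of this hunk now runs before setupCluster() and postUnseal(), but the only explanation of why that ordering matters is the comment hunk 2 deletes; nothing on the new side records that postUnseal() clears the barrier config and can change what StoredKeysSupported() reports for a legacy seal. Anyone later moving this block back down next to preSeal() (where it sat before) would silently reintroduce the problem the move avoids. I'd extend the lead-in comment with `// This must run before postUnseal(), which clears the barrier config and can change the value StoredKeysSupported() returns for a legacy Shamir seal.` Initialize begins and ends outside this hunk, so the call sites of the later steps are not visible here.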
@@ -330,12 +356,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		initPTCleanup()
 	}
 
-	// Save in a variable whether stored keys are supported before calling postUnsea(), as postUnseal()
-	// clears the barrier config. For a defaultSeal with a "legacy seal" (i.e. barrier config has StoredShares == 0),
-	// this will cause StoredKeysSupported() to go from StoredKeysNotSupported to StoredKeysSupportedShamirRoot.
-	// This would be a problem below when we determine whether to call SetStoredKeys.
-	storedKeysSupported := c.seal.StoredKeysSupported()
-
 	activeCtx, ctxCancel := context.WithCancel(namespace.RootContext(nil))
 	if err := c.postUnseal(activeCtx, ctxCancel, standardUnsealStrategy{}); err != nil {
 		c.logger.Error("post-unseal setup failed during init", "error", err)
@@ -393,32 +413,6 @@ func (c *Core) Initialize(ctx context.Context, initParams *InitParams) (*InitRes
 		}
 	}
 
-	// If we are storing shares, pop them out of the returned results and push
-	// them through the seal
-	switch storedKeysSupported {
-	case seal.StoredKeysSupportedShamirRoot:
-		keysToStore := [][]byte{barrierKey}
-		if err := c.seal.GetAccess().SetShamirSealKey(sealKey); err != nil {
-			c.logger.Error("failed to set seal key", "error", err)
-			return nil, fmt.Errorf("failed to set seal key: %w", err)
-		}
-		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
-			c.logger.Error("failed to store keys", "error", err)
-			return nil, fmt.Errorf("failed to store keys: %w", err)
-		}
-		results.SecretShares = sealKeyShares
-	case seal.StoredKeysSupportedGeneric:
-		keysToStore := [][]byte{barrierKey}
-		if err := c.seal.SetStoredKeys(ctx, keysToStore); err != nil {
-			c.logger.Error("failed to store keys", "error", err)
-			return nil, fmt.Errorf("failed to store keys: %w", err)
-		}
-	default:
-		// We don't support initializing an old-style Shamir seal anymore, so
-		// this case is only reachable by tests.
-		results.SecretShares = barrierKeyShares
-	}
-
 	// Prepare to re-seal
 	if err := c.preSeal(); err != nil {
 		c.logger.Error("pre-seal teardown failed", "error", err)