Describe the bug
When I try to use a private ed25519 key that has been imported into Vault, it causes Vault to produce a bad key length error for valid keys.
To Reproduce
Steps to reproduce the behavior:

1. Generate a private key (I have tried various methods, but this is a simple example):
   ```sh
   openssl genpkey -algorithm Ed25519 -out private_key.der -outform DER
   ```
2. Import the key into Vault in any way (I have tried both the manual and the helper function methods):
   ```sh
   vault transit import transit/keys/my-key "$(cat private_key.der | base64)" type="ed25519" derived=true
   ```
   - this step succeeds!
3. Try to sign data with the imported key:
   ```sh
   vault write transit/sign/my-key input="$(echo hello | base64)" context="$(echo world | base64)"
   ```
4. See the error:
   ```
   Error writing data to transit/sign/my-key: Error making API request.

   URL: PUT http://127.0.0.1:8200/v1/transit/sign/my-key
   Code: 500. Errors:

   - 1 error occurred:
     - ed25519: bad private key length: 32
   ```
   - No logs relating to this error are output by Vault; this is different from the behavior in this issue, where we saw Vault panic and show logs relating to the failure.
Expected behavior
- I would expect the data to be successfully signed with the imported ed25519 keys
- If there was an issue with the key, I would expect the import step to fail (not the sign step)
Environment:

- Vault Server Version (retrieve with `vault status`): 1.20.4
- Vault CLI Version (retrieve with `vault version`): v1.20.4
- Server Operating System/Architecture:
  - linux x86 (ubuntu latest) running in docker v27.3.1
  - and arm7 (nixos latest) running in k3s v1.32.0
Vault server configuration file(s):

For my local running in docker:

```hcl
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}
```

For my remote server running on k3s:

```hcl
cluster_name = "vault-integrated-storage"

listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file   = "/vault/userconfig/tls-server/tls.crt"
  tls_key_file    = "/vault/userconfig/tls-server/tls.key"
}

seal "transit" {
  address         = "https://vault-unseal.vault-unseal.svc.cluster.local:8200"
  disable_renewal = "false"
  key_name        = "autounseal"
  mount_path      = "transit/"
  tls_skip_verify = "false"
  tls_server_name = "vault-unseal"
  tls_ca_cert     = "/vault/userconfig/tls-ca/ca.crt"
  tls_client_cert = "/vault/userconfig/tls-server/tls.crt"
  tls_client_key  = "/vault/userconfig/tls-server/tls.key"
}

storage "raft" {
  path = "/vault/data"

  retry_join {
    leader_api_addr         = "https://vault-0.vault-internal:8200"
    leader_ca_cert_file     = "/vault/userconfig/tls-ca/ca.crt"
    leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
    leader_client_key_file  = "/vault/userconfig/tls-server/tls.key"
  }
  retry_join {
    leader_api_addr         = "https://vault-1.vault-internal:8200"
    leader_ca_cert_file     = "/vault/userconfig/tls-ca/ca.crt"
    leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
    leader_client_key_file  = "/vault/userconfig/tls-server/tls.key"
  }
  retry_join {
    leader_api_addr         = "https://vault-2.vault-internal:8200"
    leader_ca_cert_file     = "/vault/userconfig/tls-ca/ca.crt"
    leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
    leader_client_key_file  = "/vault/userconfig/tls-server/tls.key"
  }

  autopilot {
    server_stabilization_time          = "10s"
    last_contact_threshold             = "10s"
    min_quorum                         = 2
    cleanup_dead_servers               = true
    dead_server_last_contact_threshold = "10m"
    max_trailing_logs                  = 500
    disable_upgrade_migration          = false
  }
}
```