add minio/keys KMS integration (#8631)

This commit adds support for the minio/kes KMS.
See: https://github.com/minio/kes

In particular you can configure it as KMS by:
 - `export MINIO_KMS_KES_ENDPOINT=`  // Server URL
 - `export MINIO_KMS_KES_KEY_FILE=`  // TLS client private key
 - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate
 - `export MINIO_KMS_KES_CA_PATH=`   // Root CAs issuing server cert
 - `export MINIO_KMS_KES_KEY_NAME=`  // The name of the (default)
master key

cmd/crypto/config.go

@@ -29,6 +29,7 @@ import (
 type KMSConfig struct {
 	AutoEncryption bool        `json:"-"`
 	Vault          VaultConfig `json:"vault"`
+	Kes            KesConfig   `json:"kes"`
 }
 
 // KMS Vault constants.
@@ -43,9 +44,18 @@ const (
 	KMSVaultAppRoleSecret = "auth_approle_secret"
 )
 
+// KMS kes constants.
+const (
+	KMSKesEndpoint = "endpoint"
+	KMSKesKeyFile  = "key_file"
+	KMSKesCertFile = "cert_file"
+	KMSKesCAPath   = "capath"
+	KMSKesKeyName  = "key_name"
+)
+
 // DefaultKVS - default KV crypto config
 var (
-	DefaultKVS = config.KVS{
+	DefaultVaultKVS = config.KVS{
 		config.KV{
 			Key:   KMSVaultEndpoint,
 			Value: "",
@@ -79,6 +89,29 @@ var (
 			Value: "",
 		},
 	}
+
+	DefaultKesKVS = config.KVS{
+		config.KV{
+			Key:   KMSKesEndpoint,
+			Value: "",
+		},
+		config.KV{
+			Key:   KMSKesKeyName,
+			Value: "",
+		},
+		config.KV{
+			Key:   KMSKesCertFile,
+			Value: "",
+		},
+		config.KV{
+			Key:   KMSKesKeyFile,
+			Value: "",
+		},
+		config.KV{
+			Key:   KMSKesCAPath,
+			Value: "",
+		},
+	}
 )
 
 const (
@@ -132,19 +165,125 @@ const (
 	EnvKMSVaultNamespace = "MINIO_KMS_VAULT_NAMESPACE"
 )
 
-var defaultCfg = VaultConfig{
+const (
+	// EnvKMSKesEndpoint is the environment variable used to specify
+	// the kes server HTTPS endpoint.
+	EnvKMSKesEndpoint = "MINIO_KMS_KES_ENDPOINT"
+
+	// EnvKMSKesKeyFile is the environment variable used to specify
+	// the TLS private key used by MinIO to authenticate to the kes
+	// server HTTPS via mTLS.
+	EnvKMSKesKeyFile = "MINIO_KMS_KES_KEY_FILE"
+
+	// EnvKMSKesCertFile is the environment variable used to specify
+	// the TLS certificate used by MinIO to authenticate to the kes
+	// server HTTPS via mTLS.
+	EnvKMSKesCertFile = "MINIO_KMS_KES_CERT_FILE"
+
+	// EnvKMSKesCAPath is the environment variable used to specify
+	// the TLS root certificates used by MinIO to verify the certificate
+	// presented by to the kes server when establishing a TLS connection.
+	EnvKMSKesCAPath = "MINIO_KMS_KES_CA_PATH"
+
+	// EnvKMSKesKeyName is the environment variable used to specify
+	// the (default) key at the kes server. In the S3 context it's
+	// referred as customer master key ID (CMK-ID).
+	EnvKMSKesKeyName = "MINIO_KMS_KES_KEY_NAME"
+)
+
+var defaultVaultCfg = VaultConfig{
 	Auth: VaultAuth{
 		Type: "approle",
 	},
 }
 
-// Enabled returns if HashiCorp Vault is enabled.
-func Enabled(kvs config.KVS) bool {
+var defaultKesCfg = KesConfig{}
+
+// EnabledVault returns true if HashiCorp Vault is enabled.
+func EnabledVault(kvs config.KVS) bool {
 	endpoint := kvs.Get(KMSVaultEndpoint)
 	return endpoint != ""
 }
 
-// LookupConfig extracts the KMS configuration provided by environment
+// EnabledKes returns true if kes as KMS is enabled.
+func EnabledKes(kvs config.KVS) bool {
+	endpoint := kvs.Get(KMSKesEndpoint)
+	return endpoint != ""
+}
+
+// LookupKesConfig lookup kes server configuration.
+func LookupKesConfig(kvs config.KVS) (KesConfig, error) {
+	kesCfg := KesConfig{}
+
+	endpointStr := env.Get(EnvKMSKesEndpoint, kvs.Get(KMSKesEndpoint))
+	if endpointStr != "" {
+		// Lookup kes configuration & overwrite config entry if ENV var is present
+		endpoint, err := xnet.ParseHTTPURL(endpointStr)
+		if err != nil {
+			return kesCfg, err
+		}
+		endpointStr = endpoint.String()
+	}
+
+	kesCfg.Endpoint = endpointStr
+	kesCfg.KeyFile = env.Get(EnvKMSKesKeyFile, kvs.Get(KMSKesKeyFile))
+	kesCfg.CertFile = env.Get(EnvKMSKesCertFile, kvs.Get(KMSKesCertFile))
+	kesCfg.CAPath = env.Get(EnvKMSKesCAPath, kvs.Get(KMSKesCAPath))
+	kesCfg.DefaultKeyID = env.Get(EnvKMSKesKeyName, kvs.Get(KMSKesKeyName))
+
+	if reflect.DeepEqual(kesCfg, defaultKesCfg) {
+		return kesCfg, nil
+	}
+
+	// Verify all the proper settings.
+	if err := kesCfg.Verify(); err != nil {
+		return kesCfg, err
+	}
+	kesCfg.Enabled = true
+	return kesCfg, nil
+}
+
+func lookupAutoEncryption() (bool, error) {
+	autoBool, err := config.ParseBool(env.Get(EnvAutoEncryptionLegacy, config.EnableOff))
+	if err != nil {
+		return false, err
+	}
+	if !autoBool {
+		autoBool, err = config.ParseBool(env.Get(EnvKMSAutoEncryption, config.EnableOff))
+		if err != nil {
+			return false, err
+		}
+	}
+	return autoBool, nil
+}
+
+// LookupConfig lookup vault or kes config, returns KMSConfig
+// to configure KMS object for object encryption
+func LookupConfig(c config.Config, defaultRootCAsDir string) (KMSConfig, error) {
+	vcfg, err := LookupVaultConfig(c[config.KmsVaultSubSys][config.Default])
+	if err != nil {
+		return KMSConfig{}, err
+	}
+	kesCfg, err := LookupKesConfig(c[config.KmsKesSubSys][config.Default])
+	if err != nil {
+		return KMSConfig{}, err
+	}
+	if kesCfg.Enabled && kesCfg.CAPath == "" {
+		kesCfg.CAPath = defaultRootCAsDir
+	}
+	autoEncrypt, err := lookupAutoEncryption()
+	if err != nil {
+		return KMSConfig{}, err
+	}
+	kmsCfg := KMSConfig{
+		AutoEncryption: autoEncrypt,
+		Vault:          vcfg,
+		Kes:            kesCfg,
+	}
+	return kmsCfg, nil
+}
+
+// LookupVaultConfig extracts the KMS configuration provided by environment
 // variables and merge them with the provided KMS configuration. The
 // merging follows the following rules:
 //
@@ -157,44 +296,43 @@ func Enabled(kvs config.KVS) bool {
 //
 // It sets the global KMS configuration according to the merged configuration
 // on succes.
-func LookupConfig(kvs config.KVS) (KMSConfig, error) {
-	if err := config.CheckValidKeys(config.KmsVaultSubSys, kvs, DefaultKVS); err != nil {
-		return KMSConfig{}, err
-	}
-	kmsCfg, err := lookupConfigLegacy(kvs)
-	if err != nil {
-		return kmsCfg, err
-	}
-	if !kmsCfg.AutoEncryption {
-		kmsCfg.AutoEncryption, err = config.ParseBool(env.Get(EnvKMSAutoEncryption, config.EnableOff))
-		if err != nil {
-			return kmsCfg, err
-		}
-	}
-	if kmsCfg.Vault.Enabled {
-		return kmsCfg, nil
+func LookupVaultConfig(kvs config.KVS) (VaultConfig, error) {
+	if err := config.CheckValidKeys(config.KmsVaultSubSys, kvs, DefaultVaultKVS); err != nil {
+		return VaultConfig{}, err
 	}
 
-	vcfg := VaultConfig{
+	vcfg, err := lookupConfigLegacy(kvs)
+	if err != nil {
+		return vcfg, err
+	}
+
+	if vcfg.Enabled {
+		return vcfg, nil
+	}
+
+	vcfg = VaultConfig{
 		Auth: VaultAuth{
 			Type: "approle",
 		},
 	}
+
 	endpointStr := env.Get(EnvKMSVaultEndpoint, kvs.Get(KMSVaultEndpoint))
 	if endpointStr != "" {
 		// Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present
 		endpoint, err := xnet.ParseHTTPURL(endpointStr)
 		if err != nil {
-			return kmsCfg, err
+			return vcfg, err
 		}
 		endpointStr = endpoint.String()
 	}
+
 	vcfg.Endpoint = endpointStr
 	vcfg.CAPath = env.Get(EnvKMSVaultCAPath, kvs.Get(KMSVaultCAPath))
 	vcfg.Auth.Type = env.Get(EnvKMSVaultAuthType, kvs.Get(KMSVaultAuthType))
 	if vcfg.Auth.Type == "" {
 		vcfg.Auth.Type = "approle"
 	}
+
 	vcfg.Auth.AppRole.ID = env.Get(EnvKMSVaultAppRoleID, kvs.Get(KMSVaultAppRoleID))
 	vcfg.Auth.AppRole.Secret = env.Get(EnvKMSVaultAppSecretID, kvs.Get(KMSVaultAppRoleSecret))
 	vcfg.Key.Name = env.Get(EnvKMSVaultKeyName, kvs.Get(KMSVaultKeyName))
@@ -202,31 +340,33 @@ func LookupConfig(kvs config.KVS) (KMSConfig, error) {
 	if keyVersion := env.Get(EnvKMSVaultKeyVersion, kvs.Get(KMSVaultKeyVersion)); keyVersion != "" {
 		vcfg.Key.Version, err = strconv.Atoi(keyVersion)
 		if err != nil {
-			return kmsCfg, fmt.Errorf("Unable to parse VaultKeyVersion value (`%s`)", keyVersion)
+			return vcfg, fmt.Errorf("Unable to parse VaultKeyVersion value (`%s`)", keyVersion)
 		}
 	}
 
-	if reflect.DeepEqual(vcfg, defaultCfg) {
-		return kmsCfg, nil
+	if reflect.DeepEqual(vcfg, defaultVaultCfg) {
+		return vcfg, nil
 	}
 
 	// Verify all the proper settings.
 	if err = vcfg.Verify(); err != nil {
-		return kmsCfg, err
+		return vcfg, err
 	}
 
 	vcfg.Enabled = true
-	kmsCfg.Vault = vcfg
-	return kmsCfg, nil
+	return vcfg, nil
 }
 
 // NewKMS - initialize a new KMS.
 func NewKMS(cfg KMSConfig) (kms KMS, err error) {
-	// Lookup KMS master keys - only available through ENV.
+	// Lookup KMS master kes - only available through ENV.
 	if masterKeyLegacy := env.Get(EnvKMSMasterKeyLegacy, ""); len(masterKeyLegacy) != 0 {
 		if cfg.Vault.Enabled { // Vault and KMS master key provided
 			return kms, errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")
 		}
+		if cfg.Kes.Enabled {
+			return kms, errors.New("Ambiguous KMS configuration: kes configuration and a master key are provided at the same time")
+		}
 		kms, err = ParseMasterKey(masterKeyLegacy)
 		if err != nil {
 			return kms, err
@@ -235,15 +375,25 @@ func NewKMS(cfg KMSConfig) (kms KMS, err error) {
 		if cfg.Vault.Enabled { // Vault and KMS master key provided
 			return kms, errors.New("Ambiguous KMS configuration: vault configuration and a master key are provided at the same time")
 		}
+		if cfg.Kes.Enabled {
+			return kms, errors.New("Ambiguous KMS configuration: kes configuration and a master key are provided at the same time")
+		}
 		kms, err = ParseMasterKey(masterKey)
 		if err != nil {
 			return kms, err
 		}
+	} else if cfg.Vault.Enabled && cfg.Kes.Enabled {
+		return kms, errors.New("Ambiguous KMS configuration: vault configuration and kes configuration are provided at the same time")
 	} else if cfg.Vault.Enabled {
 		kms, err = NewVault(cfg.Vault)
 		if err != nil {
 			return kms, err
 		}
+	} else if cfg.Kes.Enabled {
+		kms, err = NewKes(cfg.Kes)
+		if err != nil {
+			return kms, err
+		}
 	}
 
 	if cfg.AutoEncryption && kms == nil {

cmd/crypto/help.go

@@ -20,7 +20,7 @@ import "github.com/minio/minio/cmd/config"
 
 // Help template for KMS vault
 var (
-	Help = config.HelpKVS{
+	HelpVault = config.HelpKVS{
 		config.HelpKV{
 			Key:         KMSVaultEndpoint,
 			Description: `API endpoint e.g. "http://vault-endpoint-ip:8200"`,
@@ -28,7 +28,7 @@ var (
 		},
 		config.HelpKV{
 			Key:         KMSVaultKeyName,
-			Description: `unique transit key name e.g. "my-minio-key"`,
+			Description: `unique transit key name - e.g. "my-minio-key"`,
 			Type:        "string",
 		},
 		config.HelpKV{
@@ -71,4 +71,39 @@ var (
 			Type:        "sentence",
 		},
 	}
+
+	HelpKes = config.HelpKVS{
+		config.HelpKV{
+			Key:         KMSKesEndpoint,
+			Description: `API endpoint - e.g. "https://kes-endpoint:7373"`,
+			Type:        "url",
+		},
+		config.HelpKV{
+			Key:         KMSKesKeyName,
+			Description: `unique key name - e.g. "my-minio-key"`,
+			Type:        "string",
+		},
+		config.HelpKV{
+			Key:         KMSKesCertFile,
+			Description: `path to client certificate for TLS auth - e.g. /etc/keys/public.crt`,
+			Type:        "path",
+		},
+		config.HelpKV{
+			Key:         KMSKesKeyFile,
+			Description: `path to client private key for TLS auth - e.g. /etc/keys/private.key`,
+			Type:        "path",
+		},
+		config.HelpKV{
+			Key:         KMSKesCAPath,
+			Description: `path to PEM-encoded cert(s) to verify kes server cert - e.g. /etc/keys/CAs`,
+			Optional:    true,
+			Type:        "path",
+		},
+		config.HelpKV{
+			Key:         config.Comment,
+			Description: config.DefaultComment,
+			Optional:    true,
+			Type:        "sentence",
+		},
+	}
 )

cmd/crypto/kes.go

@@ -0,0 +1,255 @@
+// MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crypto
+
+import (
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/minio/kes"
+)
+
+// KesConfig contains the configuration required
+// to initialize and connect to a kes server.
+type KesConfig struct {
+	Enabled bool
+
+	// The kes server endpoint.
+	Endpoint string
+
+	// The path to the TLS private key used
+	// by MinIO to authenticate to the kes
+	// server during the TLS handshake (mTLS).
+	KeyFile string
+
+	// The path to the TLS certificate used
+	// by MinIO to authenticate to the kes
+	// server during the TLS handshake (mTLS).
+	//
+	// The kes server will also allow or deny
+	// access based on this certificate.
+	// In particular, the kes server will
+	// lookup the policy that corresponds to
+	// the identity in this certificate.
+	CertFile string
+
+	// Path to a file or directory containing
+	// the CA certificate(s) that issued / will
+	// issue certificates for the kes server.
+	//
+	// This is required if the TLS certificate
+	// of the kes server has not been issued
+	// (e.g. b/c it's self-signed) by a CA that
+	// MinIO trusts.
+	CAPath string
+
+	// The default key ID returned by KMS.KeyID().
+	DefaultKeyID string
+}
+
+// Verify verifies if the kes configuration is correct
+func (k KesConfig) Verify() (err error) {
+	switch {
+	case k.Endpoint == "":
+		err = errors.New("crypto: missing kes endpoint")
+	case k.CertFile == "":
+		err = errors.New("crypto: missing cert file")
+	case k.KeyFile == "":
+		err = errors.New("crypto: missing key file")
+	case k.DefaultKeyID == "":
+		err = errors.New("crypto: missing default key id")
+	}
+	return err
+}
+
+type kesService struct {
+	client *kes.Client
+
+	endpoint     string
+	defaultKeyID string
+}
+
+// NewKes returns a new kes KMS client. The returned KMS
+// uses the X.509 certificate to authenticate itself to
+// the kes server available at address.
+//
+// The defaultKeyID is the key ID returned when calling
+// KMS.KeyID().
+func NewKes(cfg KesConfig) (KMS, error) {
+	cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
+	if err != nil {
+		return nil, err
+	}
+	certPool, err := loadCACertificates(cfg.CAPath)
+	if err != nil {
+		return nil, err
+	}
+	return &kesService{
+		client: kes.NewClient(cfg.Endpoint, &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      certPool,
+		}),
+		endpoint:     cfg.Endpoint,
+		defaultKeyID: cfg.DefaultKeyID,
+	}, nil
+}
+
+// KeyID returns the default key ID.
+func (kes *kesService) KeyID() string {
+	return kes.defaultKeyID
+}
+
+// Info returns some status information about the KMS.
+func (kes *kesService) Info() KMSInfo {
+	return KMSInfo{
+		Endpoint: kes.endpoint,
+		Name:     kes.KeyID(),
+		AuthType: "TLS",
+	}
+}
+
+// GenerateKey returns a new plaintext key, generated by the KMS,
+// and a sealed version of this plaintext key encrypted using the
+// named key referenced by keyID. It also binds the generated key
+// cryptographically to the provided context.
+func (kes *kesService) GenerateKey(keyID string, ctx Context) (key [32]byte, sealedKey []byte, err error) {
+	var context bytes.Buffer
+	ctx.WriteTo(&context)
+
+	var plainKey []byte
+	plainKey, sealedKey, err = kes.client.GenerateDataKey(keyID, context.Bytes())
+	if err != nil {
+		return key, nil, err
+	}
+	if len(plainKey) != len(key) {
+		return key, nil, errors.New("crypto: received invalid plaintext key size from KMS")
+	}
+	copy(key[:], plainKey)
+	return key, sealedKey, nil
+}
+
+// UnsealKey returns the decrypted sealedKey as plaintext key.
+// Therefore it sends the sealedKey to the KMS which decrypts
+// it using the named key referenced by keyID and responses with
+// the plaintext key.
+//
+// The context must be same context as the one provided while
+// generating the plaintext key / sealedKey.
+func (kes *kesService) UnsealKey(keyID string, sealedKey []byte, ctx Context) (key [32]byte, err error) {
+	var context bytes.Buffer
+	ctx.WriteTo(&context)
+
+	var plainKey []byte
+	plainKey, err = kes.client.DecryptDataKey(keyID, sealedKey, context.Bytes())
+	if err != nil {
+		return key, err
+	}
+	if len(plainKey) != len(key) {
+		return key, errors.New("crypto: received invalid plaintext key size from KMS")
+	}
+	copy(key[:], plainKey)
+	return key, nil
+}
+
+// UpdateKey re-wraps the sealedKey if the master key referenced by the keyID
+// has been changed by the KMS operator - i.e. the master key has been rotated.
+// If the master key hasn't changed since the sealedKey has been created / updated
+// it may return the same sealedKey as rotatedKey.
+//
+// The context must be same context as the one provided while
+// generating the plaintext key / sealedKey.
+func (kes *kesService) UpdateKey(keyID string, sealedKey []byte, ctx Context) ([]byte, error) {
+	_, err := kes.UnsealKey(keyID, sealedKey, ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Currently a kes server does not support key rotation (of the same key)
+	// Therefore, we simply return the same sealedKey.
+	return sealedKey, nil
+}
+
+// loadCACertificates returns a new CertPool
+// that contains all system root CA certificates
+// and any PEM-encoded certificate(s) found at
+// path.
+//
+// If path is a file, loadCACertificates will
+// try to parse it as PEM-encoded certificate.
+// If this fails, it returns an error.
+//
+// If path is a directory it tries to parse each
+// file as PEM-encoded certificate and add it to
+// the CertPool. If a file is not a PEM certificate
+// it will be ignored.
+func loadCACertificates(path string) (*x509.CertPool, error) {
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		// In some systems (like Windows) system cert pool is
+		// not supported or no certificates are present on the
+		// system - so we create a new cert pool.
+		rootCAs = x509.NewCertPool()
+	}
+	if path == "" {
+		return rootCAs, nil
+	}
+
+	stat, err := os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) || os.IsPermission(err) {
+			return rootCAs, nil
+		}
+		return nil, fmt.Errorf("crypto: cannot open '%s': %v", path, err)
+	}
+
+	// If path is a file, parse as PEM-encoded certifcate
+	// and try to add it to the CertPool. If this fails
+	// return an error.
+	if !stat.IsDir() {
+		cert, err := ioutil.ReadFile(path)
+		if err != nil {
+			return nil, err
+		}
+		if !rootCAs.AppendCertsFromPEM(cert) {
+			return nil, fmt.Errorf("crypto: '%s' is not a valid PEM-encoded certificate", path)
+		}
+		return rootCAs, nil
+	}
+
+	// If path is a directory then try
+	// to parse each file as PEM-encoded
+	// certificate and add it to the CertPool.
+	// If a file is not a PEM-encoded certificate
+	// we ignore it.
+	files, err := ioutil.ReadDir(path)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		cert, err := ioutil.ReadFile(filepath.Join(path, file.Name()))
+		if err != nil {
+			continue // ignore files which are not readable
+		}
+		rootCAs.AppendCertsFromPEM(cert) // ignore files which are not PEM certtificates
+	}
+	return rootCAs, nil
+
+}

cmd/crypto/legacy.go

@@ -136,18 +136,10 @@ func SetKMSConfig(s config.Config, cfg KMSConfig) {
 //
 // It sets the global KMS configuration according to the merged configuration
 // on success.
-func lookupConfigLegacy(kvs config.KVS) (KMSConfig, error) {
-	autoBool, err := config.ParseBool(env.Get(EnvAutoEncryptionLegacy, config.EnableOff))
-	if err != nil {
-		return KMSConfig{}, err
-	}
-
-	cfg := KMSConfig{
-		AutoEncryption: autoBool,
-		Vault: VaultConfig{
-			Auth: VaultAuth{
-				Type: "approle",
-			},
+func lookupConfigLegacy(kvs config.KVS) (VaultConfig, error) {
+	vcfg := VaultConfig{
+		Auth: VaultAuth{
+			Type: "approle",
 		},
 	}
 
@@ -156,37 +148,38 @@ func lookupConfigLegacy(kvs config.KVS) (KMSConfig, error) {
 		// Lookup Hashicorp-Vault configuration & overwrite config entry if ENV var is present
 		endpoint, err := xnet.ParseHTTPURL(endpointStr)
 		if err != nil {
-			return cfg, err
+			return vcfg, err
 		}
 		endpointStr = endpoint.String()
 	}
 
-	cfg.Vault.Endpoint = endpointStr
-	cfg.Vault.CAPath = env.Get(EnvLegacyVaultCAPath, "")
-	cfg.Vault.Auth.Type = env.Get(EnvLegacyVaultAuthType, "")
-	if cfg.Vault.Auth.Type == "" {
-		cfg.Vault.Auth.Type = "approle"
+	var err error
+	vcfg.Endpoint = endpointStr
+	vcfg.CAPath = env.Get(EnvLegacyVaultCAPath, "")
+	vcfg.Auth.Type = env.Get(EnvLegacyVaultAuthType, "")
+	if vcfg.Auth.Type == "" {
+		vcfg.Auth.Type = "approle"
 	}
-	cfg.Vault.Auth.AppRole.ID = env.Get(EnvLegacyVaultAppRoleID, "")
-	cfg.Vault.Auth.AppRole.Secret = env.Get(EnvLegacyVaultAppSecretID, "")
-	cfg.Vault.Key.Name = env.Get(EnvLegacyVaultKeyName, "")
-	cfg.Vault.Namespace = env.Get(EnvLegacyVaultNamespace, "")
+	vcfg.Auth.AppRole.ID = env.Get(EnvLegacyVaultAppRoleID, "")
+	vcfg.Auth.AppRole.Secret = env.Get(EnvLegacyVaultAppSecretID, "")
+	vcfg.Key.Name = env.Get(EnvLegacyVaultKeyName, "")
+	vcfg.Namespace = env.Get(EnvLegacyVaultNamespace, "")
 	if keyVersion := env.Get(EnvLegacyVaultKeyVersion, ""); keyVersion != "" {
-		cfg.Vault.Key.Version, err = strconv.Atoi(keyVersion)
+		vcfg.Key.Version, err = strconv.Atoi(keyVersion)
 		if err != nil {
-			return cfg, fmt.Errorf("Invalid ENV variable: Unable to parse %s value (`%s`)",
+			return vcfg, fmt.Errorf("Invalid ENV variable: Unable to parse %s value (`%s`)",
 				EnvLegacyVaultKeyVersion, keyVersion)
 		}
 	}
 
-	if reflect.DeepEqual(cfg.Vault, defaultCfg) {
-		return cfg, nil
+	if reflect.DeepEqual(vcfg, defaultVaultCfg) {
+		return vcfg, nil
 	}
 
-	if err = cfg.Vault.Verify(); err != nil {
-		return cfg, err
+	if err = vcfg.Verify(); err != nil {
+		return vcfg, err
 	}
 
-	cfg.Vault.Enabled = true
-	return cfg, nil
+	vcfg.Enabled = true
+	return vcfg, nil
 }