secretsejson

package module
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 10, 2021 License: MIT Imports: 12 Imported by: 1

README

Vault Plugin: EJSON Secrets Backend

Build Status

Summary

A secret plugin for use with Hashicorp Vault. This plugin provides the ability to submit and manipulate EJSON to Vault wherein it can be decrypted and/or stored.

Note: For storage operations, any key values prefixed with an underscore will be stored with the underscore removed at the decrypted path (see below for an example). This is done intentionally to keep data access sane.

Usage

Installing for development use
# Build the binary
$ make build

# Run Vault
# NOTE: Do not run -dev in production
$ vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins

# Export VAULT_ADDR for future `vault` commands
$ export VAULT_ADDR='http://127.0.0.1:8200'

# Enable the plugin at a specific path (in this case ejson/)
$ vault secrets enable -path=ejson secrets-ejson
Success! Enabled the vault-plugin-secrets-ejson plugin at: ejson/
Installing for production use

Please consult official Vault documentation on how to checksum, load and enable plugins.

Demo

Generating public-private-keypairs (/keypair)
$ vault write -force ejson/keypair
Key       Value
---       -----
public    7f0510f044e9ae852f8ae2865cce55ae01f3b9c0f505b1b33b6323579b778a30

$ vault list ejson/keys
Keys
----
7f0510f044e9ae852f8ae2865cce55ae01f3b9c0f505b1b33b6323579b778a30

$ vault read ejson/keys/7f0510f044e9ae852f8ae2865cce55ae01f3b9c0f505b1b33b6323579b778a30
Key        Value
---        -----
private    1430dc364475c63e21cc549ad74245970bfa70b98b9497e7f3c71dd3ce7cb13c
Storing public-private-keypairs (/keys/.*)
# Storing the public/private key for decryption
# This needs to be done first, and the secret must be underneath keys/
$ vault write ejson/keys/15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56 private="37124bcf00c2d9fd87ddd596162d99c004460fd47130f2d653e45f85a0681cf0"
Key        Value
---        -----
private    37124bcf00c2d9fd87ddd596162d99c004460fd47130f2d653e45f85a0681cf0
Storing ejson documents (/.*)
$ cat itsasecret.ejson
{
  "_public_key": "15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56",
  "asecret": "EJ[1:sdseJpJ3BpP9PO5Qs8IB4urmmYil46edSTek8SjgVGA=:zl7mkBzL4g2d0PE3hPucmfbDjf3aDK7K:iryi3H7wRGWvUI8kjfWLtP3sFiw=]",
  "_bsecret": "orly",
  "anumber": 1
}

$ vault write ejson/itsasecret @itsasecret.ejson
Key      Value
---      -----
ejson    map[_bsecret:orly _public_key:15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56 anumber:1 asecret:EJ[1:sdseJpJ3BpP9PO5Qs8IB4urmmYil46edSTek8SjgVGA=:zl7mkBzL4g2d0PE3hPucmfbDjf3aDK7K:iryi3H7wRGWvUI8kjfWLtP3sFiw=]]

# Encrypted payload, useful for safely comparing values with other tools (e.g. Terraform)
$ vault read ejson/itsasecret
Key      Value
---      -----
ejson    map[_bsecret:orly _public_key:15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56 anumber:1 asecret:EJ[1:sdseJpJ3BpP9PO5Qs8IB4urmmYil46edSTek8SjgVGA=:zl7mkBzL4g2d0PE3hPucmfbDjf3aDK7K:iryi3H7wRGWvUI8kjfWLtP3sFiw=]]

# Decrypted payload, useful for consumption!
$ vault read ejson/itsasecret/decrypted
Key      Value
---      -----
ejson    map[anumber:1 asecret:ohai bsecret:orly]
Decrypting an ejson document on the fly with EaaS (/decrypt)
$ vault write -format=json ejson/decrypt @itsasecret.ejson
{
  "request_id": "3df23dd2-7c41-3c3f-b5e4-d5300906bd78",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "_bsecret": "orly",
    "_public_key": "15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56",
    "anumber": 1,
    "asecret": "to everyone",
    "database": {
      "_username": "admin",
      "password": "sicher"
    }
  },
  "warnings": null
}
Uniquely identify a plain text secret (/identity)

To help with identifying secrets across multiple ejson documents, this EaaS function can be used to generate a unique string for any given plain text.

# This needs to be done first, and the secret salt must be underneath keys/
# If not set however, a default value will be used. This is considered less secure, especially if applied
# to low entropy plain text.
$ vault write ejson/keys/__secret_salt private="SOME_LONG_AND_RANDOM_STRING_THAT_SHOULD_BE_KEPT_SECRET"
Key        Value
---        -----
private    SOME_LONG_AND_RANDOM_STRING_THAT_SHOULD_BE_KEPT_SECRET

$ vault write ejson/identity plaintext="p4ssw0rd"
Key         Value
---         -----
identity    1ab30335c71ede6e08ef18f6ee68ad2e893edd3eb12a5629b899be9149777ee1
Terraform integration

This plugin can also be used with Terraform's vault_generic_secret resource to safely store version controlled secrets inside of Vault.

$ cat main.tf
provider "vault" {}

resource "vault_generic_secret" "example" {
  path = "ejson/itsasecret"

  data_json = <<EOT
{
  "ejson": {
    "_public_key": "15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56",
    "asecret": "EJ[1:sdseJpJ3BpP9PO5Qs8IB4urmmYil46edSTek8SjgVGA=:zl7mkBzL4g2d0PE3hPucmfbDjf3aDK7K:iryi3H7wRGWvUI8kjfWLtP3sFiw=]",
    "_bsecret": "orly",
    "anumber": 1
  }
}
EOT
}

# Initial apply
$ terraform apply -auto-approve
vault_generic_secret.example: Refreshing state... (ID: ejson/itsasecret)
vault_generic_secret.example: Creating...
  data_json:    "" => "{\"ejson\":{\"_public_key\":\"15838c2f3260185ad2a8e1298bd507479ff2470b9e9c1fd89e0fdfefe2959f56\",\"anumber\":1,\"asecret\":\"EJ[1:dPD6H7zfvJRwpJEIixW4HmZOSr+Mwi68Dtp0h+w5fAM=:lsAK/idjgbFagIWHIooBmVsTwFO1xr/1:cyzQwFGgAnMH24wVTwQKpSAw0V2vFQsD7x329g==]\",\"_bsecret\":\"orly\",\"anumber\":\"1\"}}"
  disable_read: "" => "false"
  path:         "" => "ejson/itsasecret"
vault_generic_secret.example: Creation complete after 0s (ID: ejson/itsasecret)

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

# Re-apply
# NOTE: This will never print out the decrypted secrets as it only compares the encrypted payload
$ terraform apply -auto-approve
vault_generic_secret.example: Refreshing state... (ID: ejson/itsasecret)

Apply complete! Resources: 0 added, 0 changed, 0 destroyed

Contributing

See CONTRIBUTING.

License

See LICENSE

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Backend 

func Backend() *backend

Backend returns a private embedded struct of framework.Backend.

func DecryptEjson added in v1.1.0 

func DecryptEjson(ctx context.Context, encData []byte, storage logical.Storage) ([]byte, error)

func DecryptEjsonDocument added in v1.1.0 

func DecryptEjsonDocument(ctx context.Context, req *logical.Request, encData []byte) (map[string]interface{}, error)

func EncryptEjson added in v1.2.0 

func EncryptEjson(ctx context.Context, decData []byte) ([]byte, error)

func EncryptEjsonDocument added in v1.2.0 

func EncryptEjsonDocument(ctx context.Context, decData map[string]interface{}) (map[string]interface{}, error)

func Factory 

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory returns a new backend as logical.Backend.

func FactoryType 

func FactoryType(backendType logical.BackendType) logical.Factory

FactoryType is a wrapper func that allows the Factory func to specify the backend type for the mock backend plugin instance.

func HashPlaintext added in v1.1.0 

func HashPlaintext(plaintext []byte, salt []byte) ([]byte, error)

func MarshalForEjson added in v1.1.0 

func MarshalForEjson(input map[string]interface{}) ([]byte, error)

func MarshalInput added in v1.1.0 

func MarshalInput(inputData interface{}) ([]byte, error)

Types

This section is empty.

Source Files

View all Source files

Directories

Path Synopsis
cmd
vault-plugin-secrets-ejson

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.