vault-auto-unseal
Initialise a new Vault server and save unseal keys for later use.
For those occasions where a Vault server operating in dev mode
is not sufficient, this tool may be employed in conjunction with build tools,
configuration management tools, or an init system to automatically provision
persistent Vault servers for testing purposes.
Security
vault-auto-unseal will store Vault unseal key shares and a Vault root token in
plaintext on the filesystem.
Do not employ this tool in production Vault deployments.
Installation
Docker images are available from c2fq/vault-auto-unseal.
Alternatively, on a system equipped with a Go compiler:

```sh
go get github.com/saj/vault-auto-unseal
```
Usage
1. Start Vault.
2. Initialise Vault:

   ```sh
   vault-auto-unseal --stash-file=keys.json init
   ```

3. Unseal Vault:

   ```sh
   vault-auto-unseal --stash-file=keys.json unseal
   ```

Steps (1), (2), and (3) may be executed concurrently. vault-auto-unseal will
no-op by default if Vault has already been initialised or unsealed.
See `--help` for other options.
When operating in `init` mode, vault-auto-unseal will write a JSON document to
`--stash-file` using the following schema:

```json
{
  "unseal_keys": [
    "000000000000000000000000000000000000000000000000000000000000000000",
    "111111111111111111111111111111111111111111111111111111111111111111",
    "222222222222222222222222222222222222222222222222222222222222222222",
    "333333333333333333333333333333333333333333333333333333333333333333",
    "444444444444444444444444444444444444444444444444444444444444444444"
  ],
  "root_token": "00000000-1111-2222-3333-444444444444"
}
```
The length of the `unseal_keys` array will depend on the value given to
`--secret-shares`. One unseal key share will be generated by default.
`root_token` is never used by vault-auto-unseal; this value is provided to allow
the operator to automatically configure mounts and tokens on a new Vault server.
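The following is an added example, not part of vault-auto-unseal itself, showing how a consumer of the stash file might parse the schema above, refuse a stash that other local users can read (the plaintext-shares caveat from the Security section), and build the per-share requests for Vault's `PUT /v1/sys/unseal` endpoint, which accepts one key share per call and needs only the unseal threshold's worth of shares. The function names, the hypothetical threshold argument, and the sample keys are all constructed here.

```python
import json
import os
import stat
import tempfile

UNSEAL_PATH = "/v1/sys/unseal"  # Vault HTTP API endpoint; one key share per request


def load_stash(path):
    """Parse a vault-auto-unseal stash file, rejecting one readable by group or others.

    The stash holds unseal key shares and a root token in plaintext, so any mode
    bits beyond the owner's are treated as a configuration error.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; expected owner-only access (0600)")
    with open(path) as fh:
        doc = json.load(fh)
    keys, token = doc.get("unseal_keys"), doc.get("root_token")
    if not isinstance(keys, list) or not keys or not all(isinstance(k, str) and k for k in keys):
        raise ValueError("unseal_keys must be a non-empty list of strings")
    if not isinstance(token, str) or not token:
        raise ValueError("root_token must be a non-empty string")
    return keys, token


def unseal_requests(keys, threshold):
    """Return (path, body) pairs for the unseal calls; only `threshold` shares are sent."""
    if threshold < 1 or threshold > len(keys):
        raise ValueError(f"threshold {threshold} not satisfiable with {len(keys)} share(s)")
    return [(UNSEAL_PATH, {"key": k}) for k in keys[:threshold]]


def write_stash(path, keys, token, mode=0o600):
    """Write a stash file with explicit permissions (used here to build constructed samples)."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "w") as fh:
        json.dump({"unseal_keys": keys, "root_token": token}, fh)
    os.chmod(path, mode)  # override the umask so the test below sees the intended mode


def demo():
    # Constructed sample: three hex-encoded shares, hypothetical threshold of two.
    sample_keys = ["0" * 66, "1" * 66, "2" * 66]
    sample_token = "00000000-1111-2222-3333-444444444444"
    with tempfile.TemporaryDirectory() as d:
        safe, leaky = os.path.join(d, "keys.json"), os.path.join(d, "leaky.json")
        write_stash(safe, sample_keys, sample_token)
        write_stash(leaky, sample_keys, sample_token, mode=0o644)
        keys, token = load_stash(safe)
        try:
            load_stash(leaky)
            rejected = False
        except PermissionError:
            rejected = True
        return unseal_requests(keys, threshold=2), token, rejected
```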