destruct

command module

v1.2.0 Latest Latest Go to latest Published: Sep 17, 2020 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/shaggy245/destruct

Links

Open Source Insights

README ¶

Destruct

As in "This message will self-destruct." Use Hashicorp Vault to share secrets that are destroyed after being accessed by a one-time password.

Why

Despite the many features of Hashicorp Vault, there are still occasions when secrets (passwords, keys, etc.) need to be generated by one person/entity and shared with another. This often leads to sensitive secrets being shared and stored long-term via insecure methods/systems (email, chat, sticky notes, etc.).

This tool aims to share secrets so that shared secrets are:

Stored in a secure system (currently a pre-existing Hashicorp Vault environment)
Only accessible via a single-use token
Deleted from the secure system after being accessed once or after expiring (15 day TTL)

Getting Started

Installation

MacOS, Windows, and Linux binaries are provided on the releases page.

To use current master:

go get -d github.com/shaggy245/destruct
cd to the downloaded src directory:
- If $GOPATH is unset, please see go help gopath
- If $GOPATH is set, cd $GOPATH/src/github.com/shaggy245/destruct
go install

Requirements

A reachable Hashicorp Vault service running Vault 0.8 or later
destruct store requires that you supply a Vault token (More info here)
destruct retrieve requires that you supply the single-use token generated when the secrets were stored

Important Note

Destruct secrets will expire after 15 days by default, can only be retrieved once, and will be permanently deleted from Vault if either of those events occur.

Usage

NAME:
   destruct - Store or access Vault secrets that will auto-delete after being accessed.

USAGE:
   destruct [global options] command [command options] [arguments...]

VERSION:
   1.0.0

COMMANDS:
   store, s     Store secrets
   retrieve, r  Retrieve secrets
   help, h      Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version

Store

Store Token Requirements

destruct store requires that the user has obtained a Vault token which is passed into destruct store by the --token cli flag, the $VAULT_TOKEN environment variable, or the ~/.vault-token file.

There are multiple ways to generate a Vault token. Examples include:

Using Vault's CLI tool to vault login (Vault login) which saves the resulting Vault token in a helper file (~/.vault-token by default)
Logging into the Vault UI, navigating to the user icon in the upper-right corner, and selecting "Copy token"

This Vault token must have an attached Vault policy that allows update access to /sys/wrapping/wrap, which should be provided by the default Vault policy.

Vault Address

A remote Vault address can be passed into Destruct by the --vault-addr cli flag or set as the $VAULT_ADDR environment variable.

Command

Shared secrets can either be piped into the destruct store command or provided as an argument (see examples below).

NAME:
   destruct store - Store secrets

USAGE:
   destruct store [command options] secrets

OPTIONS:
   --vault-addr value, -a value  Vault service hostname/IP and port (default: "https://127.0.0.1:8200") [$VAULT_ADDR]
   --token value, -t value       Vault token with access to create self-destructing token [$VAULT_TOKEN] [token help file]
   --insecure, -k                Allow invalid SSL cert on Vault service

Examples:

$ destruct store --vault-addr "http://127.0.0.1:1234" "some secrets"
s.GH6YnEqETnF0CcBXeQ5IUfqF

$ aws iam create-access-key --user-name aws-user-name | destruct store --vault-addr "http://127.0.0.1:1234"
s.ZR0nda4aGaimzdIviroL9o1o

Retrieve

Command

NAME:
   destruct retrieve - Retrieve secrets

USAGE:
   destruct retrieve [command options] token

OPTIONS:
   --vault-addr value, -a value  Vault service hostname/IP and port (default: "https://127.0.0.1:8200") [$VAULT_ADDR]
   --insecure, -k                Allow invalid SSL cert on Vault service

Example:

$ destruct retrieve --vault-addr "http://127.0.0.1:1234" s.GH6YnEqETnF0CcBXeQ5IUfqF
some secrets

Retrieve via Curl

Destruct retrievals can also be done via HTTP POST by passing the token as an X-Vault-Token HTTP header to the Vault sys/wrapping/unwrap endpoint. The response will be JSON-formatted, and the secrets will be returned in the "data":{"destruct": key.

Example:

$ curl --request POST http://127.0.0.1:1234/v1/sys/wrapping/unwrap --header "X-Vault-Token: s.DIjzW4PLkeCOgnc0Q1kMiYMx"
{"request_id":"3444d7d6-08a1-071b-1d88-1769a8ff4767","lease_id":"","renewable":false,"lease_duration":0,"data":{"destruct":"some other secrets"},"wrap_info":null,"warnings":null,"auth":null}

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL