Vault transit auto unseal
// TODO: update readme. The readme is a little out of date. I did a complete rewrite of the app, so it now supports policies/tokens/TLS etc. I'll update it soon.
Warning: Before using anything from this repo, consider the following:
- The implementation hasn't been reviewed from a security perspective
- Only a single key type is supported: AES256
- This app handles only some of the transit secrets engine APIs
- Code quality isn't great (right now at least)
- The AES256 encryption key is stored unencrypted in the sqlite DB (alongside the app)
- The whole app was created to practice Go
- Its primary use is probably a homelab or a testing/dev vault environment
What this is
Vault has an awesome feature: it can auto unseal itself using the transit secrets engine. The problem is that you need a whole separate Vault cluster with really high uptime and reliability just for that. This small Go app mocks the transit secrets engine and implements the endpoints required to make auto unseal work.
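As an added illustration (not this repo's code, whose internals the readme doesn't describe) of the core job the mocked engine does for auto unseal: hold versioned AES-256-GCM keys, seal Vault's root key into the `vault:vN:` ciphertext format transit uses, and open it again on the next unseal. The type and method names (`Keyring`, `Rotate`, `Encrypt`, `Decrypt`) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// Keyring holds the AES-256-GCM versions of one transit key; "vault:vN:" names versions[N-1].
type Keyring struct{ versions []cipher.AEAD }
// Rotate appends a fresh random 32-byte key version (call it once to create v1). Older versions
// stay usable for decrypt: the stored root key was sealed under one of them and must open until rewrapped.
func (k *Keyring) Rotate() {
	key := make([]byte, 32)
	rand.Read(key)                  // crypto/rand.Read never returns an error since Go 1.24 (it aborts instead)
	block, _ := aes.NewCipher(key)  // cannot fail: key is exactly 32 bytes (AES-256)
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	k.versions = append(k.versions, aead)
}
// Encrypt seals plaintext under the newest version. The random 12-byte GCM nonce
// is prepended to the ciphertext before base64, following Vault's transit format.
func (k *Keyring) Encrypt(plaintext []byte) (string, error) {
	ver := len(k.versions)
	if ver == 0 {
		return "", errors.New("keyring has no versions; call Rotate first")
	}
	aead := k.versions[ver-1]
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // see the note in Rotate
	ct := aead.Seal(nonce, nonce, plaintext, nil)
	return "vault:v" + strconv.Itoa(ver) + ":" + base64.StdEncoding.EncodeToString(ct), nil
}
// Decrypt parses "vault:vN:<base64>", selects version N, authenticates and opens the ciphertext.
func (k *Keyring) Decrypt(s string) ([]byte, error) {
	verStr, body, ok := strings.Cut(strings.TrimPrefix(s, "vault:v"), ":")
	ver, err := strconv.Atoi(verStr)
	if !strings.HasPrefix(s, "vault:v") || !ok || err != nil || ver < 1 || ver > len(k.versions) {
		return nil, errors.New("malformed ciphertext or unknown key version")
	}
	aead := k.versions[ver-1]
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil || len(raw) < aead.NonceSize() {
		return nil, errors.New("bad ciphertext body")
	}
	return aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
}
```

A tampered or truncated ciphertext fails the GCM tag check and is rejected rather than returning garbage, which is what Vault relies on when it reads its wrapped root key back.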
How to use
- Container
  - Clone this repo
  - Build the container image using something like:

        docker build --rm -t <image_name> -f Dockerfile .

  - By default the server will use port 8200 and the DB will be saved at the following path: /w/db/vaseal.db
  - Run the built image (mount a host directory at /w/db so the key DB survives container restarts):

        docker run -it -p 8200:8200 -v <host_db_dir>:/w/db <image_name>

  - Create a new key by running:

        curl -X POST http://localhost:8200/v1/transit/keys/<key_name>

  - Apply the following example config to your vault:

        seal "transit" {
          address         = "http://<ip>:8200"
          token           = "s.Qf1s5zigZ4OX6akYjQXJC1jY" # any random token will work, it's not used
          disable_renewal = "true"                       # disable vault from trying to lookup and renew the token
          key_name        = "<key_name>"
          mount_path      = "transit/"
          tls_skip_verify = "true"                       # I've not implemented TLS
        }

  - Start vault and init it:

        vault operator init
- Binary
  - Download the precompiled binary, or compile it yourself:
    - To compile it yourself, clone the repo
    - Install Go
    - Download the module dependencies:

          go mod download

    - Compile the binary:

          CGO_ENABLED=1 go build -ldflags="-w -s" -o ./vault-auto-unseal main.go

  - By default the server will use port 8200 and the DB will be saved at the following path: ./vault-auto-unseal.db
  - Run the compiled binary:

        ./vault-auto-unseal

  - Create a new key by running:

        curl -X POST http://localhost:8200/v1/transit/keys/<key_name>

  - Apply the following example config to your vault:

        seal "transit" {
          address         = "http://<ip>:8200"
          token           = "s.Qf1s5zigZ4OX6akYjQXJC1jY" # any random token will work, it's not used
          disable_renewal = "true"                       # disable vault from trying to lookup and renew the token
          key_name        = "<key_name>"
          mount_path      = "transit/"
          tls_skip_verify = "true"                       # I've not implemented TLS
        }

  - Start vault and init it:

        vault operator init
ENV Vars
- VAULT_AUTO_UNSEAL_HOST - string (default: 0.0.0.0)
- VAULT_AUTO_UNSEAL_PORT - int (default: 8200)
- VAULT_AUTO_UNSEAL_DB_PATH - string (default: .)
- VAULT_AUTO_UNSEAL_DB_NAME - string (default: vault-auto-unseal.db)

VAULT_AUTO_UNSEAL_DB_PATH and VAULT_AUTO_UNSEAL_DB_NAME are joined to build the OS path, so by default the DB is created at the following path: ./vault-auto-unseal.db