vault-auto-unseal
Automatically init and unseal a Vault server.
For those occasions where a Vault server operating in dev mode is not sufficient, this tool may be employed in conjunction with build tools, configuration management tools, or an init system to automatically provision persistent Vault servers for testing purposes.
Security
vault-auto-unseal will store Vault unseal key shares and a Vault root token in plaintext on the filesystem.
Do not employ this tool in production Vault deployments.
Installation
Docker images are available from c2fq/vault-auto-unseal.
Alternatively, on a system equipped with a Go compiler:
go get github.com/saj/vault-auto-unseal
Usage
1. Start Vault.
2. Initialise Vault:
   vault-auto-unseal --stash-file=keys.json init
3. Unseal Vault:
   vault-auto-unseal --stash-file=keys.json unseal
Steps (1), (2), and (3) may be executed concurrently. vault-auto-unseal will no-op by default if Vault has already been initialised or unsealed.
See --help for other options.
Secret stash format
When operating in init mode, vault-auto-unseal will write a JSON document to --stash-file using the following schema:
{
  "unseal_keys": [
    "000000000000000000000000000000000000000000000000000000000000000000",
    "111111111111111111111111111111111111111111111111111111111111111111",
    "222222222222222222222222222222222222222222222222222222222222222222",
    "333333333333333333333333333333333333333333333333333333333333333333",
    "444444444444444444444444444444444444444444444444444444444444444444"
  ],
  "root_token": "00000000-1111-2222-3333-444444444444"
}
The length of the unseal_keys array will depend on the value given to --secret-shares. One unseal key share will be generated by default.
root_token is never used by vault-auto-unseal; this value is provided to allow the operator to automatically configure mounts and tokens on a new Vault server.