vault-auto-unseal

Language: Go. License: MIT.

Automatically init and unseal a Vault server.

A Vault server in dev mode starts already initialised and unsealed, but holds its data in memory only. For those occasions where dev mode is not sufficient, this tool may be employed in conjunction with build tools, configuration management tools, or an init system to automatically provision persistent Vault servers for testing purposes: a persistent server must be initialised once and unsealed after every restart, and vault-auto-unseal performs both steps unattended.

Security

vault-auto-unseal will store Vault unseal key shares and a Vault root token in plaintext on the filesystem (see "Secret stash format" below). Anyone who can read the stash file can unseal the server and holds a root token, so restrict the file's permissions (for example, mode 0600) even on test hosts.

Do not employ this tool in production Vault deployments.

Installation

Docker images are available from c2fq/vault-auto-unseal.

Alternatively, on a system equipped with a Go compiler:

     go get github.com/saj/vault-auto-unseal

With Go 1.17 or later, where `go get` no longer installs binaries, use `go install github.com/saj/vault-auto-unseal@latest` instead.

Usage

  1. Start Vault.

  2. Initialise Vault:

     vault-auto-unseal --stash-file=keys.json init

  3. Unseal Vault:

     vault-auto-unseal --stash-file=keys.json unseal


Steps (1), (2), and (3) may be executed concurrently. vault-auto-unseal will no-op by default if Vault has already been initialised or unsealed.

See --help for other options.

Secret stash format

When operating in init mode, vault-auto-unseal will write a JSON document to --stash-file using the following schema:

{
  "unseal_keys": [
    "000000000000000000000000000000000000000000000000000000000000000000",
    "111111111111111111111111111111111111111111111111111111111111111111",
    "222222222222222222222222222222222222222222222222222222222222222222",
    "333333333333333333333333333333333333333333333333333333333333333333",
    "444444444444444444444444444444444444444444444444444444444444444444"
  ],
  "root_token": "00000000-1111-2222-3333-444444444444"
}

The length of the unseal_keys array will depend on the value given to --secret-shares. One unseal key share will be generated by default; with a single share, that share alone is sufficient to unseal the server.

root_token is never used by vault-auto-unseal; this value is provided to allow the operator to automatically configure mounts and tokens on a new Vault server.
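The unseal loop from the Usage section and the root-token hand-off described above, as an added Go example that is not part of vault-auto-unseal: it reads a stash in the format above, asks Vault's sys/seal-status endpoint whether the server is already unsealed (the no-op case that makes the init and unseal steps safe to run concurrently), submits shares to sys/unseal until the threshold is met, and then uses root_token to enable a KV mount through sys/mounts. The HTTP endpoints are Vault's documented API; the keys.json path, the local listener address and the "secret" mount name are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
)

const vaultAddr = "http://127.0.0.1:8200" // assumed: Vault's default local listener

// Stash mirrors the JSON document that `vault-auto-unseal init` writes to --stash-file.
type Stash struct {
	UnsealKeys []string `json:"unseal_keys"`
	RootToken  string   `json:"root_token"`
}

// SealStatus is the subset of Vault's sys/seal-status and sys/unseal replies used here.
type SealStatus struct {
	Initialized bool `json:"initialized"`
	Sealed      bool `json:"sealed"`
	T           int  `json:"t"` // key shares required to unseal
}

// vaultJSON sends an optional JSON body to a Vault endpoint and decodes the JSON reply into out.
func vaultJSON(method, url, token string, in, out interface{}) error {
	var b []byte
	if in != nil {
		b, _ = json.Marshal(in) // callers pass map[string]string, which cannot fail to marshal
	}
	req, err := http.NewRequest(method, url, bytes.NewReader(b))
	if err != nil {
		return err
	}
	if token != "" {
		req.Header.Set("X-Vault-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode)
	}
	if out == nil || resp.StatusCode == http.StatusNoContent {
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Unseal submits key shares until Vault reports unsealed and returns how many it sent; zero means the server was already unsealed (no-op).
func Unseal(addr string, stash Stash) (int, error) {
	var st SealStatus
	if err := vaultJSON(http.MethodGet, addr+"/v1/sys/seal-status", "", nil, &st); err != nil {
		return 0, err
	}
	if !st.Initialized {
		return 0, fmt.Errorf("vault at %s is not initialised; run `vault-auto-unseal init` first", addr)
	}
	if !st.Sealed {
		return 0, nil
	}
	for i, key := range stash.UnsealKeys {
		if err := vaultJSON(http.MethodPut, addr+"/v1/sys/unseal", "", map[string]string{"key": key}, &st); err != nil {
			return i, err
		}
		if !st.Sealed {
			return i + 1, nil // threshold reached; remaining shares are not needed
		}
	}
	return len(stash.UnsealKeys), fmt.Errorf("still sealed after %d share(s); threshold is %d", len(stash.UnsealKeys), st.T)
}

// EnableKV uses root_token, which vault-auto-unseal itself never uses, to mount a KV secrets engine.
func EnableKV(addr string, stash Stash, mountPath string) error {
	return vaultJSON(http.MethodPost, addr+"/v1/sys/mounts/"+mountPath, stash.RootToken, map[string]string{"type": "kv"}, nil)
}

func main() {
	data, err := os.ReadFile("keys.json") // assumed: the --stash-file path from the Usage section
	if err != nil {
		log.Fatal(err)
	}
	var stash Stash
	if err := json.Unmarshal(data, &stash); err != nil {
		log.Fatal(err)
	}
	n, err := Unseal(vaultAddr, stash)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("submitted %d unseal share(s)", n)
	if err := EnableKV(vaultAddr, stash, "secret"); err != nil { // "secret" is an assumed mount path
		log.Fatal(err)
	}
}
```

Run it after Vault is listening and `vault-auto-unseal init` has written keys.json. Unseal stops as soon as Vault reports unsealed, so a stash with more shares than the threshold never exposes the surplus shares to the server, and a second run submits nothing at all. Vault refuses to mount over a path that is already in use, so EnableKV returns an HTTP error on a second run; a real provisioning script would check sys/mounts first or treat that error as success.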