Intro

This tool is a demonstration of my blog post. It fetches the encrypted Vault recovery key from the storage backend (filesystem and Consul are supported at the moment) and decrypts it with AWS KMS.

Feature

  • Fetch the encrypted recovery key from the local filesystem or Consul
  • Decrypt the recovery key with AWS KMS
  • Optionally specify the number of key shares and the threshold used to split the recovery key (defaults to the recovery config stored in the backend)
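
What the `--recovery-shares` and `--recovery-threshold` values mean in practice, shown as an added example that is not this tool's code: a minimal Shamir split and combine over GF(2^8). The function names and the share layout (x byte first, then one y byte per secret byte) are assumptions made for illustration and are not claimed to match Vault's share encoding.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a):
    """Inverse of a non-zero field element, computed as a^254."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(secret, shares, threshold):
    """Split bytes into `shares` parts; any `threshold` of them rebuild it."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    parts = [bytearray([x]) for x in range(1, shares + 1)]  # x byte first
    for s in secret:
        # Per-byte random polynomial of degree threshold-1, constant term s.
        coef = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for part in parts:
            y = 0
            for c in reversed(coef):  # Horner evaluation at x = part[0]
                y = gf_mul(y, part[0]) ^ c
            part.append(y)
    return [bytes(p) for p in parts]

def combine(parts):
    """Lagrange-interpolate every byte position at x = 0."""
    if len({p[0] for p in parts}) != len(parts):
        raise ValueError("duplicate share")
    secret = bytearray(len(parts[0]) - 1)
    for i, pi in enumerate(parts):
        basis = 1
        for j, pj in enumerate(parts):
            if i != j:
                basis = gf_mul(basis, gf_mul(pj[0], gf_inv(pj[0] ^ pi[0])))
        for k in range(len(secret)):
            secret[k] ^= gf_mul(pi[k + 1], basis)
    return bytes(secret)
```

With 5 shares and a threshold of 3, any three parts passed to `combine` return the original bytes, while two parts return unrelated bytes.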

Example

hashicorp-vault-utils --aws-profile dev --backend file --file-path /data/vault

Usage

NAME:
   hashicorp-vault-utils - Misc for fun

USAGE:
   hashicorp-vault-utils [global options] command [command options] [arguments...]

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --recovery-shares value        Number of key shares to split the recovery key into (default: Automatically fetch from saved recovery config)
   --recovery-threshold value     Number of key shares required to reconstruct the recovery key (default: Automatically fetch from saved recovery config)
   --backend value                storage backend name (file/consul) (default: file)
   --consul-address value         Specifies the address of the Consul agent to communicate with. (default: http://127.0.0.1:8500)
   --consul-path value            Specifies the path in Consul's key-value store where Vault data will be stored (Default: 'vault/') (default: vault/)
   --file-path value              The absolute path on disk to the directory where the data will be stored
   --aws-access-key-id value      AWS Access Key ID
   --aws-secret-access-key value  AWS Secret Access Key
   --aws-session-token value      AWS Session Token
   --aws-region value             AWS Region (default: "eu-west-1")
   --aws-profile value            AWS Profile name
   --help, -h                     show help (default: false)