Name: safe
Owner: Stark & Wayne
Description: A Vault CLI
Created: 2016-02-10 02:51:14.0
Updated: 2018-05-23 12:25:02.0
Pushed: 2018-05-18 15:11:43.0
Homepage: null
Size: 1604
Language: Go
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
Questions? Pop in our slack channel!
Vault is an awesome project and it comes with superb documentation, a rock-solid server component and a flexible and capable command-line interface.
So, why safe
? To solve the following problems:
Primarily, these are things encountered in trying to build secure BOSH deployments using Vault and Spruce.
To make it easier to target multiple Vaults from one client (i.e.
your work laptop), safe
lets you track and authenticate against
targets, each representing a different vault.
To get started, you'll need to add a new target:
target https://vault.example.com myvault
The first argument is the URL to the Vault; the second is a shorthand alias for the target. Later, you can retarget this Vault with just:
target myvault
You can see what Vaults you have targeted by running
targets
All commands will be run against the currently targeted Vault.
To authenticate:
auth [token]
auth ldap
auth github
(Other authentication backends are not yet supported)
For each type (token, ldap or github), you will be prompted for the necessary credentials to authenticated against the Vault.
safe
operates by way of sub-commands. To generate a new
2048-bit SSH keypair, and store it in secret/ssh
:
ssh 2048 secret/ssh
To set non-sensitive keys, you can just specify them inline:
set secret/ssh username=system
If you use a password manager (good for you!) and don't want to
have to paste passwords twice, use the paste
subcommand:
paste secret/1pass/managed
Commands can be chained by separating them with the argument
terminator, --
, so to both create a new SSH keypair and set the
username:
ssh 2048 secret/ssh -- set secret/ssh username=system
Auto-generated passwords are easy too:
gen secret/account passphrase
Sometimes, you just want to import passwords from another source
(like your own password manager), without the hassle of writing
files to disk or the risk of leaking credentials via the process
table or your shell history file. For that, safe
provides a
double-confirmation interactive mode:
set secret/ssl/ca passphrase
phrase [hidden]:
phrase [confirm]:
What you type will not be echoed back to the screen, and the confirmation prompt is there to make sure your fingers didn't betray you.
All operations (except for delete
) are additive, so the
following:
set secret/x a=b c=d
is equivalent to this:
set secret/x a=b -- set secret/x c=d
Need to take an existing password, and generate a crypt-sha512 hash,
or base64 encode it? safe fmt
will do this, and store the results
in a new key for you, making it easy to generate a password, and then
format that password as needed.
gen secret/account password
fmt base64 secret/account password base64_pass
fmt crypt-sha512 secret/account password crypt_pass
get secret/account
Updates a single path with new keys. Any existing keys that are not specified on the command line are left intact.
You will be prompted to enter values for any keys that do not have values. This can be used for more sensitive credentials like passwords, PINs, etc.
Example:
set secret/root username=root password
mpts for 'password' here...>
Similarly, safe paste
works the same way, but does not have a confirmation
prompt for your value. It assumes you have pasted in the value from a known-good
source.
Setting key to context of a file
Example:
set secret/root ssl_key@ssl_key_file
Retrieve and print the values of one or more paths, to standard
output. This is most useful for piping credentials through
keybase
or pgp
for encrypting and sending to others.
get secret/root secret/whatever secret/key
# secret/root
name: root
word: it's a secret
# secret/whatever
ever: is clever
# secret/key
ate: |
----BEGIN RSA PRIVATE KEY-----
..
----END RSA PRIVATE KEY-----
ic: |
---BEGIN RSA PUBLIC KEY-----
.
---END RSA PRIVATE KEY-----
Provide a tree hierarchy listing of all reachable keys in the Vault.
tree secret/dc1
et/dc1
ncourse/
pipeline-the-first/
aws
dockerhub
github
pipeline-the-second/
aws
dockerhub
github
Provide a flat listing of all reachable keys in the Vault.
paths secret/dc1
et/dc1concourse/pipeline-the-first/aws
et/dc1concourse/pipeline-the-first/dockerhub
et/dc1concourse/pipeline-the-first/github
et/dc1concourse/pipeline-the-second/aws
et/dc1concourse/pipeline-the-second/dockerhub
et/dc1concourse/pipeline-the-second/github
Removes multiple paths from the Vault.
delete secret/unused
Move a secret from oldpath
to newpath
, a rename of sorts.
move secret/staging/user secret/prod/user
(or, more succinctly, using brace expansion):
move secret/{staging,prod}/user
Any credentials at newpath
will be completely overwritten. The
secret at oldpath
will no longer exist.
Copy a secret from oldpath
to newpath
.
copy secret/staging/user secret/prod/user
(or, as with move
, using brace expansion):
copy secret/{staging,prod}/user
Any credentials at newpath
will be completely overwritten. The
secret at oldpath
will still exist after the copy.
Generate a new, random password. By default, the generated password will be 64 characters long.
gen secret/account secretkey
To get a shorter password, only 16 characters long:
gen 16 secret/account password
Take the key at path:oldKey
, reformat it according to format_type,
and save it in path:newKey
. Useful for hashing, or encoding passwords
in an alternate format (for htpass files, or /etc/shadow).
Currently supported formats:
fmt base64 secret/account password base64_password
fmt crypt-sha512 secret/account password crypt_password
Generate a new SSH RSA keypair, adding the keys “private” and “public” to each path. The public key will be encoded as an authorized keys. The private key is a PEM-encoded DER private key.
By default, a 2048-bit key will be generated. The nbits
parameter allows you to change that.
Each path gets a unique SSH keypair.
Generate a new RSA keypair, adding the keys “private” and “public” to each path. Both keys will be PEM-encoded DER.
By default, a 2048-bit key will be generated. The nbits
parameter allows you to change that.
Each path gets a unique RSA keypair.
Echo the arguments, space-separated, as a single line to the terminal. This is a convenience helper for long pipelines of chained commands.
Issues a new X.509 TLS/SSL certificate, and stores the new RSA private key and the certificate in the Vault at path, in PEM format.
Revoke a certificate that was signed by a Certificate Authority.
The private key for the CA must be present in the Vault for this
to work. Revoked certificates will be appended to the CA's
certificate revocation list (CRL), stored at path/to/ca:crl
Run a variety of validation checks against a certificate in the
Vault. In its simplest form, without arguments, this verifies
that the private key stored at path:key
matches the certificate
stored at path:certificate
. Options control more powerful
validations, like checking for revocation, SAN validity, and
expiry.
Renews (re-signs) the certificate authority at path
, without
affecting the list of revoked certificates.
Export the given subtree(s) in a format suitable for migration
(via a future import
call), or long-term storage offline.
Secrets will not be encrypted in this representation, so care
should be taken in handling it. Output will be printed to
standard output.
Read an export file (as produced by the export
subcommand) and
write all of the secrets contained therein to the same paths
inside the Vault. Trees will be imported in an additive nature,
so existing credentials in the same subtree as imported
credentials will be left intact.
Import and export can be combined in a pipeline to facilitate movement of credentials from one Vault to another, like so:
-t old-vault export secret/sub/tree | \
fe -t new-vault import