Managing Vault With Vault_helper

HashiCorp Vault is a secure platform; however, you need to take care when initializing it or rekeying the master encryption key.

Standard Init

The default way to initialize Vault is to run the command vault operator init.

[user@host]$ vault operator init -format=json -key-shares=3 -key-threshold=2
{
  "unseal_keys_b64": [
    "i/eXXGeWdbBoFccrRn0VpY2OqtlC7fsHnOAM7Ht9xGAW",
    "va+D348CsHt9BxYNpvRwDXVSnpilmT3tvk8wIvGx1DEp",
    "X7+q3L+eExvPWZycIm6A6jatUdTNgSjwdURLg909pw7k"
  ],
  "unseal_keys_hex": [
    "8bf7975c679675b06815c72b467d15a58d8eaad942edfb079ce00cec7b7dc46016",
    "bdaf83df8f02b07b7d07160da6f4700d75529e98a5993dedbe4f3022f1b1d43129",
    "5fbfaadcbf9e131bcf599c9c226e80ea36ad51d4cd8128f075444b83dd3da70ee4"
  ],
  "unseal_shares": 3,
  "unseal_threshold": 2,
  "recovery_keys_b64": [],
  "recovery_keys_hex": [],
  "recovery_keys_shares": 5,
  "recovery_keys_threshold": 3,
  "root_token": "s.22TJIDZI0eX0NB4DRbiwCOUJ"
}

The downside of the above command is that the person who ran it has access to all of the unseal keys (you probably don’t want this).

Vault can instead encrypt each unseal key share to a different PGP public key, which is more secure.

[user@host]$ vault operator init -format=json -key-shares=3 -key-threshold=2 -pgp-keys=keys/foo.gpg,keys/bar.gpg,keys/baz.gpg
{
  "unseal_keys_b64": [
    "<PGP-encrypted share for foo.gpg, base64; long blob elided>",
    "<PGP-encrypted share for bar.gpg, base64; long blob elided>",
    "<PGP-encrypted share for baz.gpg, base64; long blob elided>"
  ],
  "unseal_keys_hex": [
    "<PGP-encrypted share for foo.gpg, hex; long blob elided>",
    "<PGP-encrypted share for bar.gpg, hex; long blob elided>",
    "<PGP-encrypted share for baz.gpg, hex; long blob elided>"
  ],
  "unseal_shares": 3,
  "unseal_threshold": 2,
  "recovery_keys_b64": [],
  "recovery_keys_hex": [],
  "recovery_keys_shares": 5,
  "recovery_keys_threshold": 3,
  "root_token": "s.5Nxvx9KOUISB5XsMWoLJ072O"
}

The above output has each unseal key share encrypted with PGP. This is more secure, but it also adds the complexity of getting each encrypted share to its recipient.
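An added example (my code, not part of Vault or vault_helper) of the distribution step that the output above makes awkward: it takes the JSON from vault operator init, relies on Vault encrypting share N to the N-th key passed in -pgp-keys, and writes each encrypted share into a directory named for its holder, refusing to continue if the share and recipient counts disagree. The init output, share contents and recipient addresses are constructed stand-ins.

```python
import base64
import json
import tempfile
from pathlib import Path

# Constructed stand-in for `vault operator init -format=json -pgp-keys=...` output
# (not real Vault output): each "share" is just a labelled byte string.
FAKE_SHARES = [b"constructed pgp message %d" % i for i in range(3)]
INIT_OUTPUT = json.dumps({
    "unseal_keys_b64": [base64.b64encode(s).decode() for s in FAKE_SHARES],
    "unseal_shares": 3,
    "unseal_threshold": 2,
    "root_token": "s.EXAMPLE-root-token-placeholder",
})
# Same order as the -pgp-keys flag: Vault encrypts share N to PGP key N.
RECIPIENTS = ["foo@example.com", "bar@example.com", "baz@example.com"]

def split_shares(init_json, recipients, out_dir):
    """Write each PGP-encrypted share into its own holder's directory.

    Returns {email: Path}. Refuses to proceed when the share count and the
    recipient count disagree, because position is the only thing linking a
    share to the key it was encrypted to; a mismatch means a share would be
    handed to someone who cannot decrypt it.
    """
    data = json.loads(init_json)
    shares = data["unseal_keys_b64"]
    if len(shares) != data["unseal_shares"]:
        raise ValueError("unseal_shares does not match the number of shares")
    if len(shares) != len(recipients):
        raise ValueError(f"{len(shares)} shares but {len(recipients)} recipients")
    written = {}
    for idx, (email, share_b64) in enumerate(zip(recipients, shares)):
        # Decode the base64 wrapper so the holder can run `gpg --decrypt` on
        # the file directly; the index survives in the filename for rekeys.
        holder_dir = Path(out_dir) / email
        holder_dir.mkdir(parents=True, exist_ok=True)
        path = holder_dir / f"unseal_share_{idx}.gpg"
        path.write_bytes(base64.b64decode(share_b64))
        written[email] = path
    # The root token is deliberately not copied into any holder's directory.
    return written

def demo():
    """Split the constructed output in a scratch directory; return file contents."""
    out = split_shares(INIT_OUTPUT, RECIPIENTS, tempfile.mkdtemp())
    return {email: path.read_bytes() for email, path in out.items()}
```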

Enter vault_helper.

Vault Helper

I wrote the vault_helper tool to help me manage the PGP keys during the rekey and init commands for Vault.

This command downloads the keys from Keybase (if you use that), passes the proper flags to the vault command, and creates a tarball with all of the unseal key shares separated by key holder email.

The full documentation can be found in the project’s README; I will cover the basics here.

Config File

The config file looks like this:

Vault Helper Config File
VAULT_HELPER_MODE=pgp
VAULT_HELPER_RECOVERY_KEYSHARES=1
VAULT_HELPER_RECOVERY_KEYTHRESH=1
VAULT_HELPER_KEYSHARES=2
VAULT_HELPER_KEYTHRESH=2
VAULT_HELPER_PGPKEYS=/opt/foo.gpg,/opt/bar.gpg
VAULT_HELPER_ROOTTOKPGPKEY=/opt/root.gpg
VAULT_HELPER_VERBOSE=''
ENV_NAME=testing
# Do not remove the below line
export ENV_NAME VAULT_HELPER_KEYSHARES VAULT_HELPER_KEYTHRESH VAULT_HELPER_PGPKEYS VAULT_HELPER_ROOTTOKPGPKEY VAULT_HELPER_MODE VAULT_HELPER_RECOVERY_KEYSHARES VAULT_HELPER_RECOVERY_KEYTHRESH

You can optionally specify Keybase usernames in the PGPKEYS setting:

VAULT_HELPER_PGPKEYS=keybase:goozbach,keybase:navbach
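An added example, not from the vault_helper project, that parses a config file like the one above and checks the values against the constraints vault operator init enforces (threshold no larger than shares, threshold at least 2 when there is more than one share, one PGP key per share) before an init or rekey is attempted; the config text is a constructed copy of the listing with the export line shortened.

```python
import shlex

# Constructed copy of the config file above (export line shortened); the checks
# mirror the rules vault operator init applies to shares, threshold and PGP keys.
CONFIG_TEXT = """\
VAULT_HELPER_MODE=pgp
VAULT_HELPER_RECOVERY_KEYSHARES=1
VAULT_HELPER_RECOVERY_KEYTHRESH=1
VAULT_HELPER_KEYSHARES=2
VAULT_HELPER_KEYTHRESH=2
VAULT_HELPER_PGPKEYS=/opt/foo.gpg,/opt/bar.gpg
VAULT_HELPER_ROOTTOKPGPKEY=/opt/root.gpg
VAULT_HELPER_VERBOSE=''
ENV_NAME=testing
# Do not remove the below line
export ENV_NAME VAULT_HELPER_KEYSHARES VAULT_HELPER_KEYTHRESH
"""

def parse_config(text):
    """Read KEY=VALUE lines as a shell `source` would, skipping comments/exports."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("export "):
            continue
        key, _, value = line.partition("=")
        cfg[key] = "".join(shlex.split(value))  # '' becomes an empty string
    return cfg

def check_shares(shares, thresh, keys, label):
    """Rules Vault enforces on any (shares, threshold, pgp keys) combination."""
    problems = []
    if shares < 1 or thresh < 1:
        problems.append(f"{label}: shares and threshold must both be at least 1")
    if thresh > shares:
        problems.append(f"{label}: threshold {thresh} is larger than {shares} shares")
    if shares > 1 and thresh < 2:
        problems.append(f"{label}: threshold must be at least 2 with multiple shares")
    if keys and len(keys) != shares:
        problems.append(f"{label}: {len(keys)} PGP keys for {shares} shares")
    return problems

def check_config(cfg):
    """Return a list of problems; an empty list means init/rekey can proceed."""
    keys = [k for k in cfg.get("VAULT_HELPER_PGPKEYS", "").split(",") if k]
    return (check_shares(int(cfg["VAULT_HELPER_KEYSHARES"]),
                         int(cfg["VAULT_HELPER_KEYTHRESH"]), keys, "unseal")
            + check_shares(int(cfg["VAULT_HELPER_RECOVERY_KEYSHARES"]),
                           int(cfg["VAULT_HELPER_RECOVERY_KEYTHRESH"]), [], "recovery"))
```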

vault_helper Commands

The main command is vault_helper.

The sub-commands are:

init

vault_helper init will initialize a newly created Vault instance.

rekey

vault_helper rekey will start a rekey operation.

continue

Run vault_helper continue as many times as needed to reach quorum.

cancel

vault_helper cancel will reset a running rekey operation.

status

vault_helper status will print the status of the Vault system.

export

When you have finished your init or rekey operation, use vault_helper export to create a tarball with all of the artifacts generated by your operation. The tarball will be signed using your user’s default PGP key.

Hopefully you’ll find the vault_helper tool as useful as I have.