@WhatsARanjit
Last active April 4, 2019 20:08
Use transit to encrypt values before storing in K/V

Overview

  • Admins with READ permission on the K/V path can confirm that a secret exists
  • Admins cannot see the actual plaintext value, only the transit ciphertext

Encrypt string before putting in K/V

➜  ~ VALUE=$(vault write transit/encrypt/ranjit -format=json plaintext=$(base64 <<< "supersecret") | jq -r '.data.ciphertext')
➜  ~ vault kv put kv/my-secret value=$VALUE

Check value with READ permissions

➜  ~ vault kv get kv/my-secret
==== Data ====
Key      Value
---      -----
value    vault:v1:1Yd+KC+k6Wsx598NCYd88qO2HZGjMWDuXlDi/w9CiIu+u1hNfxR8/Q==

Pull K/V and decrypt real value

➜  ~ LOOK=$(vault kv get -format=json kv/my-secret | jq -r '.data.data.value')
➜  ~ base64 --decode -i <(vault write -format=json transit/decrypt/ranjit ciphertext=$LOOK | jq -r '.data.plaintext')
supersecret
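The same encrypt-then-store and fetch-then-decrypt procedure as a small script, added here as an example and not part of the original gist. It keeps the gist's paths (transit key ranjit, K/V mount kv, secret path kv/my-secret, both assumed to exist on a Vault you are already logged in to) and adds the check a practitioner wants before writing: refuse to store anything that does not have transit's vault:v<N>: ciphertext shape, so plaintext never lands in K/V by mistake. It uses printf instead of <<< so the base64 input carries no trailing newline.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): transit-wrapped values in K/V as shell
# functions. Assumes: vault CLI logged in, transit key "ranjit" exists,
# kv mount "kv" is K/V version 2 (the gist's .data.data.value path implies v2).
set -eu

TRANSIT_KEY="${TRANSIT_KEY:-ranjit}"     # assumed name, matches the gist
KV_PATH="${KV_PATH:-kv/my-secret}"       # assumed path, matches the gist

# True only for strings shaped like transit output: vault:v<N>:<base64>.
is_transit_ciphertext() {
  case "$1" in
    vault:v[0-9]*:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Key version embedded in the ciphertext; after rotating the transit key,
# values still on an old version are candidates for transit/rewrap.
ciphertext_key_version() {
  local ct="$1"
  ct="${ct#vault:v}"
  printf '%s' "${ct%%:*}"
}

# printf (not <<<) so no newline is appended before base64 encoding.
encode_plaintext() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Encrypt with transit, verify the result is ciphertext, then store in K/V.
encrypt_and_store() {
  local plaintext="$1" ct
  ct=$(vault write -format=json "transit/encrypt/${TRANSIT_KEY}" \
         plaintext="$(encode_plaintext "$plaintext")" | jq -r '.data.ciphertext')
  if ! is_transit_ciphertext "$ct"; then
    echo "refusing to store a value that is not transit ciphertext" >&2
    return 1
  fi
  vault kv put "$KV_PATH" value="$ct" >/dev/null
}

# Read the stored ciphertext (READ on the K/V path) and decrypt it (UPDATE on
# transit/decrypt/<key>); a reader without the transit grant stops after step one.
fetch_and_decrypt() {
  local ct
  ct=$(vault kv get -format=json "$KV_PATH" | jq -r '.data.data.value')
  if ! is_transit_ciphertext "$ct"; then
    echo "stored value is not transit ciphertext" >&2
    return 1
  fi
  vault write -format=json "transit/decrypt/${TRANSIT_KEY}" ciphertext="$ct" \
    | jq -r '.data.plaintext' | base64 --decode
}

# Run the full round trip only when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
  encrypt_and_store "supersecret"
  fetch_and_decrypt
  echo
fi
```

The helper functions run without a Vault server; only encrypt_and_store and fetch_and_decrypt talk to Vault. Splitting the grants this way is the whole point of the gist: a policy with only read on kv/data/my-secret yields the vault:v1:... string shown above and nothing more.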