Bash shell script to check seal status for local vault server and attempt to unseal using keys secured in vault secret store. Supports HA Vault clusters with TLS with unseal keys stored as secrets in vault (see code). Relies on registered service vault.service.consul, in place DNS configuration, and a single unsealed vault instance in your clust…
#!/usr/bin/env bash
# VaultSealManager: check the seal status of the local Vault server and, if it is
# sealed, unseal it with key shares read from the secret store of an already
# unsealed member of the cluster. Written for the pre-0.9.2 CLI ("vault unseal",
# "vault read"); newer releases use "vault operator unseal".
export vault=/usr/local/bin/vault
# Token used to read the unseal keys. This reads a root token from disk; a token
# scoped to a read-only policy on secret/vault/keys/* would be sufficient here.
export VAULT_TOKEN=$(cat /root/.vault-token)
# $vault_cacert is not set anywhere in this script: the caller is expected to
# export it (for example "-ca-cert=/path/to/ca.pem"), otherwise it expands to nothing.
local_vault="-address=https://$(hostname -f):8200"
# Resolve one unsealed instance registered in Consul. dig returns an IP; getent maps
# it back to a hostname so the TLS certificate name matches.
unsealed_host="$(getent hosts $(dig +short vault.service.consul | tail -n 1) | awk '{ print $2 }')"
unsealed_vault="-address=https://${unsealed_host}:8200"
# Ask that instance who the leader is and strip the URL scheme from the answer.
leader_vault="-address=https://$($vault status $vault_cacert $unsealed_vault 2> /dev/null | grep Leader | awk '{ print $2 }' | sed 's/^http\(\|s\):\/\///g'):8200"
vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"

function log(){ echo "VaultSealManager-[$(date +'%X %x')]-[$1]: $2"; }

# "vault status" exits 0 when unsealed and non-zero when sealed (or unreachable).
function check_unsealed(){
    if ! $vault_status &> /dev/null; then
        log ERROR "Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
        exit 1
    fi
}

function get_keys(){
    vault_key_1=$($vault_read -field=value secret/vault/keys/1 2> /dev/null)
    vault_key_2=$($vault_read -field=value secret/vault/keys/2 2> /dev/null)
    vault_key_3=$($vault_read -field=value secret/vault/keys/3 2> /dev/null)
    vault_key_4=$($vault_read -field=value secret/vault/keys/4 2> /dev/null)
    vault_key_5=$($vault_read -field=value secret/vault/keys/5 2> /dev/null)
    if [[ -z "$vault_key_1" ]] || [[ -z "$vault_key_2" ]] || [[ -z "$vault_key_3" ]] || [[ -z "$vault_key_4" ]] || [[ -z "$vault_key_5" ]]; then
        log ERROR "Error retrieving unseal keys from Vault secret store!"
        exit 1
    fi
}

function unseal_vault(){
    # Key threshold is 3 of 5, so only the first three shares are submitted.
    $vault_unseal "$vault_key_1" &> /dev/null; status_1=$?
    $vault_unseal "$vault_key_2" &> /dev/null; status_2=$?
    $vault_unseal "$vault_key_3" &> /dev/null; status_3=$?
    #$vault_unseal "$vault_key_4" &> /dev/null; status_4=$?
    #$vault_unseal "$vault_key_5" &> /dev/null; status_5=$?
    if [[ ! $status_1 == "0" ]] || [[ ! $status_2 == "0" ]] || [[ ! $status_3 == "0" ]]; then # || [[ ! $status_4 == "0" ]] || [[ ! $status_5 == "0" ]]
        log ERROR "Error unsealing local Vault instance!"
        exit 1
    fi
}

function main(){
    if $vault_status &> /dev/null; then
        log INFO "Local Vault instance is already unsealed!"
        exit 0
    fi
    # The check is on the resolved host, not on $unsealed_vault, which is never empty.
    if [[ -z "$unsealed_host" ]]; then
        log ERROR "Consul service returned no unsealed Vault instances!"
        exit 1
    fi
    log INFO "Consul service returned unsealed Vault instance..."
    log INFO "Attempting to get secured keys from Vault secret store..."
    get_keys
    log INFO "Got unseal keys successfully..."
    log INFO "Attempting to unseal local Vault instance with acquired unseal keys..."
    unseal_vault
    log INFO "Checking local seal status..."
    check_unsealed
    log INFO "Local Vault instance is now unsealed!"
    exit 0
}

main
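As an added example (not part of the gist and not HashiCorp's own tooling), the bash functions below show how the script's two hard-coded assumptions, that three key shares are always enough and that the leader can be found with `grep Leader | awk '{ print $2 }'`, can instead be taken from the `vault status` text itself: the `Key Threshold` line says how many shares to submit, and the `Leader` line gives the address. The two sample status texts are constructed to resemble the pre-0.9.2 CLI output and must be checked against a real `vault status` before use; `fake_unseal` is a stand-in for `vault unseal` so the logic runs offline.

```bash
#!/usr/bin/env bash
# Added example: drive the unseal from parsed "vault status" output rather than
# from hard-coded constants. Sample texts are CONSTRUCTED, not captured.

SAMPLE_SEALED='Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: 0.8.3'

SAMPLE_UNSEALED_STANDBY='Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: 0.8.3
Cluster Name: vault-cluster-example
Cluster ID: 00000000-0000-0000-0000-000000000000

High-Availability Enabled: true
	Mode: standby
	Leader: https://vault-1.node.consul:8200'

# Print the value of the first "Key: value" line on stdin whose key is $1
# (leading whitespace tolerated); prints nothing if the key is absent.
status_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Exit 0 if the status text on stdin says the instance is sealed, 1 otherwise.
status_sealed() {
  [ "$(status_field 'Sealed')" = "true" ]
}

# Print the Shamir threshold (number of shares needed to unseal).
status_threshold() {
  status_field 'Key Threshold'
}

# Print the leader as host:port with the scheme stripped, as the gist does with
# awk/sed; prints nothing when the text carries no "Leader:" line.
status_leader() {
  status_field 'Leader' | sed -e 's#^https://##' -e 's#^http://##'
}

# Print only the first <threshold> of the supplied keys, one per line.
# Fails if fewer keys than the threshold were given.
select_unseal_keys() {
  threshold="$1"; shift
  [ "$#" -ge "$threshold" ] || return 1
  printf '%s\n' "$@" | head -n "$threshold"
}

# Submit exactly <threshold> shares through <unseal_cmd> (one argument: the
# share) and fail on the first non-zero exit. Shares are base64 without
# whitespace, so word splitting on the selected list is safe here.
unseal_with() {
  unseal_cmd="$1"; threshold="$2"; shift 2
  keys="$(select_unseal_keys "$threshold" "$@")" || return 1
  n=0
  for key in $keys; do
    "$unseal_cmd" "$key" || return 1
    n=$((n + 1))
  done
  [ "$n" -eq "$threshold" ]
}

# Stand-in for "vault unseal <share>" (hypothetical; no Vault is contacted).
fake_unseal() {
  [ -n "$1" ]
}

# Demo run over the constructed sealed sample: needs 3 shares, submits 3 of 5.
demo() {
  t="$(printf '%s\n' "$SAMPLE_SEALED" | status_threshold)"
  unseal_with fake_unseal "$t" share1 share2 share3 share4 share5
}
```

In production `fake_unseal` would be replaced by a small wrapper around `$vault unseal $vault_cacert $local_vault "$1"`, and the threshold would be read from the local instance's own status so that a cluster re-keyed to 2-of-3 or 4-of-7 works without editing the script.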

@divvy19 divvy19 commented Jan 2, 2018

It would be great if you wrote some comments on how this code is actually working.
I was thinking of adding one more parameter to this, i.e. sending an alert mail whenever the vault gets sealed.
Can that be done here? If yes, kindly help me with that.


@grocid grocid commented Jan 5, 2018

@divvy19 I would advise against storing the root token on disk, which is done here. See

export VAULT_TOKEN=$(cat /root/.vault-token)

But, if this is not an issue... To summarize: It reads from secret storage (from other Vault instances in the cluster) using root token, to obtain the unseal keys, which are used to unseal the local Vault.

Then, again, you could store the unseal keys on disk, which basically yields the same security in the attack model.
