A Ruby script, written in an afternoon, to back up/export key/values from HashiCorp's Vault. It uses the Vault Ruby client library, so make sure it is installed beforehand with 'gem install vault'.
Be careful with the data exported using this tool. Vault is designed to be secure, and this tool does bypass some (all) of that security. Use at your own risk and be aware of the consequences.
This script can export the data in an encrypted fashion, but should by no means be considered secure.
- Export to a customizable YAML file
- Import to a different Vault from an exported YAML file
- Password-protect values (not keys) with AES 256 encryption
Before you can use vault_backup.rb, you must ensure the Vault is unsealed and that you've set your Vault address and token environment variables. For example:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=94356e20-0ca0-1163-8396-f0d4f3f56bc7
vault_backup.rb backup --file=FILE [--password=PASSWORD] [--root=secret/]
Mandatory arguments:
-f FILE, --file=FILE the file location to backup/export to.
Optional arguments:
-r PATH, --root=PATH the root Vault location to backup/export. This must end with a forward slash (/). Defaults to 'secret/'.
-p PASSWORD, --password=PASSWORD the password to encrypt the exported data with. This only encrypts secrets, not locations, so exported YAML files can still be manipulated before being imported.
vault_backup.rb restore --file=FILE [--password=PASSWORD] [--root=secret/]
Mandatory arguments:
-f FILE, --file=FILE the file location to import from.
Optional arguments:
-p PASSWORD, --password=PASSWORD the password to decrypt the imported data with. Only required if importing from an encrypted YAML file.
- Better error handling
- Make classes instead of global variables
- Validate vault responses
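
The --password option encrypts only values, so the locations in an exported file can be edited without detection. As an added example (not part of vault_backup.rb), the Ruby code below seals the whole export with an HMAC that can be checked before a restore; the function names, the seal format, the separate MAC passphrase and the sample export layout are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # PBKDF2 work factor (value chosen for this example)

# Constructed sample; the real layout of a vault_backup.rb export may differ.
SAMPLE_EXPORT = <<~YAML
  secret/app/db_password: "ZW5jcnlwdGVkLXZhbHVlLTE="
  secret/app/api_key: "ZW5jcnlwdGVkLXZhbHVlLTI="
YAML

# Derive a 32-byte MAC key from a passphrase and a per-file salt.
def mac_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, ITERATIONS, 32,
                             OpenSSL::Digest.new('SHA256'))
end

def hmac_hex(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, data)
end

# Seal every byte of the export (paths and values alike).
# Returns "salt_hex:tag_hex", to be stored apart from the YAML file.
def seal_export(yaml_text, passphrase)
  salt = SecureRandom.random_bytes(16)
  "#{salt.unpack1('H*')}:#{hmac_hex(mac_key(passphrase, salt), yaml_text)}"
end

# Compare two strings without stopping at the first differing byte.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only if the export is byte-for-byte what was sealed. Run before restore.
def export_intact?(yaml_text, passphrase, seal)
  salt_hex, tag = seal.to_s.split(':', 2)
  return false unless salt_hex.to_s.match?(/\A\h{32}\z/) && tag.to_s.match?(/\A\h{64}\z/)
  secure_eq?(hmac_hex(mac_key(passphrase, [salt_hex].pack('H*')), yaml_text), tag)
end

if __FILE__ == $PROGRAM_NAME
  seal = seal_export(SAMPLE_EXPORT, 'mac-passphrase')
  moved = SAMPLE_EXPORT.sub('secret/app/api_key', 'secret/other/api_key')
  puts "original intact: #{export_intact?(SAMPLE_EXPORT, 'mac-passphrase', seal)}"
  puts "edited path intact: #{export_intact?(moved, 'mac-passphrase', seal)}"
end
```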