Proof-of-concept to show how Hashicorp Vault can pre-create an encrypt/decrypt key and share it with other vault instances.
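################################################################################
# Proof-of-concept to show how Hashicorp Vault can pre-create an encrypt /
# decrypt key and share it with other vault instances.
#
# docker build --no-cache -t vault-keys-poc .
#
# Every stage starts its own throwaway `vault server -dev` (in-memory,
# auto-unsealed, root token written to ~/.vault-token) for the duration of
# its RUN step and passes the transit key around as a plain file that is
# COPY'd between stages.
################################################################################
# Generate Key in Vault (1)
FROM vault:0.11.3 AS generate
RUN \
    # pipefail: without it a failed `vault read` below is masked by awk and the
    # stage would silently write an empty /key_backup
    set -o pipefail && \
    export VAULT_ADDR='http://127.0.0.1:8200' && \
    (SKIP_SETCAP=1 vault server -dev >/dev/null 2>&1 &) && \
    # Wait until the dev server answers instead of a fixed sleep; give up
    # after ~30s so a server that never comes up fails the build, not hangs it
    tries=0 && \
    until vault status >/dev/null 2>&1; do \
        tries=$((tries + 1)); [ "$tries" -lt 30 ] || exit 1; sleep 1; \
    done && \
    vault secrets enable transit && \
    # Create an exportable transit key; allow_plaintext_backup is what makes
    # transit/backup/<name> hand back the key material
    vault write -f transit/keys/poc \
        exportable=true \
        allow_plaintext_backup=true && \
    # Backup the key (second field of the "backup" line of the tabular output)
    KEY_BKUP=$(vault read transit/backup/poc | awk '/^backup/ {print $2}') && \
    [ -n "$KEY_BKUP" ] && \
    # NOTE: this prints plaintext key material into the build log and bakes it
    # into an image layer (later stages COPY it). Acceptable for a local
    # throwaway POC image; not for an image that is pushed to a registry.
    echo "KEY_BKUP: $KEY_BKUP" && \
    echo "$KEY_BKUP" > /key_backup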
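################################################################################
# Encrypt a secret in Vault (2)
FROM vault:0.11.3 AS encrypt
# Plaintext transit key backup produced by stage (1)
COPY --from=generate /key_backup /
RUN \
    # pipefail so a failed `vault write` in the pipeline below is not masked
    # by awk (which would leave CIPHER empty and the stage "successful")
    set -o pipefail && \
    export VAULT_ADDR='http://127.0.0.1:8200' && \
    (SKIP_SETCAP=1 vault server -dev >/dev/null 2>&1 &) && \
    # Poll for readiness instead of a fixed sleep; bounded so a broken server
    # fails the build instead of hanging it
    tries=0 && \
    until vault status >/dev/null 2>&1; do \
        tries=$((tries + 1)); [ "$tries" -lt 30 ] || exit 1; sleep 1; \
    done && \
    vault secrets enable transit && \
    # Restore the transit key; transit/restore/<name> lets the importing vault
    # choose its own key name (poc-enc here), the material is the same
    vault write transit/restore/poc-enc backup="$(cat /key_backup)" && \
    vault list transit/keys && \
    # Encrypt a secret (transit expects base64 plaintext; keep only the
    # ciphertext field of the tabular output)
    CIPHER=$(vault write transit/encrypt/poc-enc \
        plaintext="$(echo "hello world" | base64)" \
        | awk '/^ciphertext/ {print $2}') && \
    [ -n "$CIPHER" ] && \
    echo "CIPHER: $CIPHER" && \
    echo "$CIPHER" > /key_cipher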
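################################################################################
# Decrypt a secret in Vault (3)
FROM vault:0.11.3 AS decrypt
# Key backup from stage (1) and ciphertext from stage (2)
COPY --from=generate /key_backup /
COPY --from=encrypt /key_cipher /
RUN \
    # pipefail so a failed `vault write` is not masked by awk/base64 and the
    # round trip cannot "succeed" with an empty PLAINTEXT
    set -o pipefail && \
    export VAULT_ADDR='http://127.0.0.1:8200' && \
    (SKIP_SETCAP=1 vault server -dev >/dev/null 2>&1 &) && \
    # Poll for readiness instead of a fixed sleep; bounded so a broken server
    # fails the build instead of hanging it
    tries=0 && \
    until vault status >/dev/null 2>&1; do \
        tries=$((tries + 1)); [ "$tries" -lt 30 ] || exit 1; sleep 1; \
    done && \
    vault secrets enable transit && \
    # Restore the transit key under yet another name (poc-dec)
    vault write transit/restore/poc-dec backup="$(cat /key_backup)" && \
    vault list transit/keys && \
    # Decrypt the secret; transit returns base64 plaintext, so decode it
    PLAINTEXT=$(vault write transit/decrypt/poc-dec \
        ciphertext="$(cat /key_cipher)" \
        | awk '/^plaintext/ {print $2}' | base64 -d) && \
    echo "PLAINTEXT: $PLAINTEXT" && \
    # Fail the build unless the round trip reproduced the original text
    [ "$PLAINTEXT" = "hello world" ]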