vault server --dev --dev-root-token-id="root" PreReq: export VAULT_ADDR=http://127.0.0.1:8200/ export VAULT_TOKEN=root
# Enable transit secrets engine
path "sys/mounts/transit" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
# To read enabled secrets engines
path "sys/mounts" {
capabilities = [ "read" ]
}
# Manage the transit secrets engine
path "transit/*" {
capabilities = [ "create", "read", "update", "delete", "list" ]
}
vault policy write transit-policy - <<EOF
path "sys/mounts/transit" { capabilities = [ "create", "read", "update", "delete", "list" ] }
path "sys/mounts" { capabilities = [ "read" ] }
echo “this is a sample file to be encrypted” | base64 > sample.txt cat sample.txt
vault secrets enable -path=transit transit
curl -k --header "X-Vault-Token: ${VAULT_TOKEN}" --request POST --data '{"exportable":"false","type":"rsa-4096"}' ${VAULT_ADDR}/v1/transit/keys/example-key
curl -k --header "X-Vault-Token: ${VAULT_TOKEN}" --request GET ${VAULT_ADDR}/v1/transit/keys/example-key | jq . -note you can save this as publickey.pub
curl -k --header "X-Vault-Token: ${VAULT_TOKEN}" --request GET ${VAULT_ADDR}/v1/transit/export/encryption-key/example-key | jq . CLI: vault read transit/keys/example-key
End branch
vault write transit/sign/example-key input=@sample.txt -format=json | jq -r .data.signature > /tmp/signature
vault write transit/encrypt/example-key plaintext=$(cat sample.txt) -format=json | jq -r .data.ciphertext > /tmp/ciphertext
vault write transit/decrypt/example-key ciphertext=$(cat /tmp/ciphertext) -format=json | jq -r .data.plaintext|base64 -d
echo -n '{"ciphertext": "vault:v1:' > encryptedFile.txt cat sample.txt | openssl pkeyutl -encrypt -inkey publickkey.pub -pubin -pkeyopt rssa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 | base64 -w 0 | cat >> encryptedFile.txt; echo -n '"}' >> encryptedFile.txt
cat encryptedFile.txt | vault write -field=plaintext transit/decrypt/example-key - | base64 -d