Created
November 5, 2015 14:54
Gist: michaelkrieg/1b68e7d0c2ae971c1754
Unseal Vault Secret Storage
#!/usr/bin/env python3
import re
import random
import subprocess

initfile = "/usr/local/etc/vault/.init"
data = ""
with open(initfile, "r") as ifile:
    data = ifile.read()

# one unseal key per "Key N: <hex>" line of the stored `vault init` output
findkeys = re.compile(r'(?:Key\s\d+:\s)(.+)')
allkeys = findkeys.findall(data)

# the threshold is 3 of 5, so feed three distinct, randomly chosen keys
for x in range(0, 3):
    randomkey = random.choice(allkeys)
    allkeys.remove(randomkey)
    print("vault unseal %s" % randomkey)  # note: this echoes the unseal key to the terminal
    try:
        out = subprocess.check_output(['vault', 'unseal', randomkey], stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as e:
        emsg = e.output.decode(errors="replace")  # check_output returns bytes on Python 3
        ecode = e.returncode
        print("exited with code %s and message: %s." % (ecode, emsg))
And yes, of course, the above is no production Vault!
Assumes that you already initialized your Vault and stored the relevant output securely in a local file (chmod 0400!!) called /usr/local/etc/vault/.init, e.g.:
Key 1: 1e823b9be734cdca9c85b4ca1f4c0cc0db9d6d76574b086bb564dc7dc3c9ae0d01
Key 2: 2ba394c853d72c3c0386e867300c991c5419c56b15376cd45472dea5877da5a502
Key 3: 3689331ac8191e087982e8d47a36313b05a85f27f72b239c3fca0ccdff2f94bd03
Key 4: 1bd9e3a82a3ea8ff73b367d276ba1de8c66de79109ecf351baa212f5de5f905804
Key 5: 06f3447ab1f09acb09b767613c80b5cf97dc7dddebf0bc19d11ac09da60da14005
Initial Root Token: 1db92977-1945-fd91-ced9-b2a80f320073
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.
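As an added example (not the gist author's code), the same procedure hardened the way a defender would want it: the threshold is read from the init output instead of being hardcoded to 3, the init file is refused unless it is owner-only as the comment above demands, and each key is handed to the subprocess without ever being printed. It assumes the file layout shown above and uses `vault operator unseal`, the current spelling of the gist's `vault unseal`.

```python
# Added example, not the gist author's code: parse the stored `vault init` output,
# read the threshold from the text instead of hardcoding 3, refuse an init file that
# is not owner-only, and never echo a key. Assumes the file layout shown above.
import os
import re
import stat
import subprocess
from random import SystemRandom

KEY_RE = re.compile(r"^Key\s+(\d+):\s+(\S+)\s*$", re.MULTILINE)
THRESHOLD_RE = re.compile(r"initialized with (\d+) keys and a key threshold of (\d+)")

def parse_init(text):
    """Return (keys, shares, threshold); raise ValueError if the file is inconsistent."""
    keys = [k for _, k in KEY_RE.findall(text)]
    m = THRESHOLD_RE.search(text)
    if not m:
        raise ValueError("no 'key threshold' line in init output")
    shares, threshold = int(m.group(1)), int(m.group(2))
    if len(keys) != shares or not 0 < threshold <= shares:
        raise ValueError("found %d keys, expected %d (threshold %d)" % (len(keys), shares, threshold))
    return keys, shares, threshold

def mode_is_owner_only(path):
    """True if no group/other permission bits are set (the comment above asks for chmod 0400)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def choose_keys(keys, threshold, rng=SystemRandom()):
    """Any threshold-sized subset of the shares unseals, so pick one at random."""
    return rng.sample(keys, threshold)

def unseal(initfile="/usr/local/etc/vault/.init"):
    if not mode_is_owner_only(initfile):
        raise PermissionError("%s is readable by group/other; chmod 0400 it first" % initfile)
    with open(initfile) as f:
        keys, _, threshold = parse_init(f.read())
    for key in choose_keys(keys, threshold):
        # the key is passed only as a subprocess argument and is never printed or logged
        subprocess.run(["vault", "operator", "unseal", key], check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

# constructed sample in the layout of the real init output (placeholder values, not real shares)
SAMPLE = """Key 1: aaaa01
Key 2: bbbb02
Key 3: cccc03
Key 4: dddd04
Key 5: eeee05
Initial Root Token: 00000000-0000-0000-0000-000000000000
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys."""
```

Calling `unseal()` on a host with the init file in place runs the real unseal; `parse_init(SAMPLE)` exercises the parser offline.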