@michaelkrieg
Created November 5, 2015 14:54
Unseal Vault Secret Storage
#!/usr/bin/env python3
import re
import random
import subprocess

# File holding the saved `vault init` output (see the author's comment below).
initfile = "/usr/local/etc/vault/.init"
data = ""
with open(initfile, "r") as ifile:
    data = ifile.read()

# Extract the share that follows each "Key N: " line.
findkeys = re.compile(r'(?:Key\s\d+:\s)(.+)')
allkeys = findkeys.findall(data)

# Submit three distinct shares (the key threshold), one at a time.
for x in range(0, 3):
    randomkey = random.choice(allkeys)
    allkeys.remove(randomkey)
    print("vault unseal %s" % randomkey)
    try:
        out = subprocess.check_output(['vault', 'unseal', randomkey], stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as e:
        # check_output returns bytes; decode before printing.
        emsg = e.output.decode(errors="replace")
        ecode = e.returncode
        print("exited with code %s and message: %s." % (ecode, emsg))
@michaelkrieg (Author)

Assumes that you already initialized your Vault and stored the relevant output securely in a local file (chmod 0400 !!) called /usr/local/etc/vault/.init, e.g.:

Key 1: 1e823b9be734cdca9c85b4ca1f4c0cc0db9d6d76574b086bb564dc7dc3c9ae0d01
Key 2: 2ba394c853d72c3c0386e867300c991c5419c56b15376cd45472dea5877da5a502
Key 3: 3689331ac8191e087982e8d47a36313b05a85f27f72b239c3fca0ccdff2f94bd03
Key 4: 1bd9e3a82a3ea8ff73b367d276ba1de8c66de79109ecf351baa212f5de5f905804
Key 5: 06f3447ab1f09acb09b767613c80b5cf97dc7dddebf0bc19d11ac09da60da14005
Initial Root Token: 1db92977-1945-fd91-ced9-b2a80f320073

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.

@michaelkrieg (Author)

and yes, of course, the above is no production Vault!
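A hardened variant of the gist's approach, added here as an example (not the author's code): it parses the saved init output shown in the comment above, reads the key threshold from the summary line instead of hard-coding 3, refuses an init file with group/other permission bits, and reports failures by share number rather than echoing the share to stdout. The sample init text and the injectable `run` parameter are constructed for this example; `vault operator unseal` is the newer spelling of the gist's `vault unseal`.

```python
import os, re, secrets, stat, subprocess
KEY_RE = re.compile(r'^Key\s+(\d+):\s*(\S+)\s*$', re.MULTILINE)
THRESHOLD_RE = re.compile(r'key threshold of (\d+)')

# Constructed sample in the layout of the gist's .init file (not real shares).
SAMPLE_INIT = """\
Key 1: aaaa-constructed-share-1
Key 2: bbbb-constructed-share-2
Key 3: cccc-constructed-share-3
Key 4: dddd-constructed-share-4
Key 5: eeee-constructed-share-5
Vault initialized with 5 keys and a key threshold of 3. Please
"""

def parse_init_output(text):
    """Return (shares, threshold); threshold falls back to the gist's 3."""
    shares = [key for _, key in KEY_RE.findall(text)]
    m = THRESHOLD_RE.search(text)
    threshold = int(m.group(1)) if m else 3
    if len(shares) < threshold:
        raise ValueError("found %d shares, need %d" % (len(shares), threshold))
    return shares, threshold

def check_private(path):
    """True only if no group/other permission bits are set (e.g. chmod 0400)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def choose_shares(shares, threshold):
    """Pick `threshold` distinct shares using the CSPRNG-backed secrets module."""
    pool, chosen = list(shares), []
    for _ in range(threshold):
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return chosen

def run_cli(key):
    """Default runner; the share is a CLI argument as in the gist (visible in
    the process list while it runs). Older CLIs spell it `vault unseal`."""
    return subprocess.run(['vault', 'operator', 'unseal', key],
                          capture_output=True, text=True)

def unseal(shares, threshold, run=run_cli):
    """Submit shares until one fails; log share number and stderr, never the share."""
    codes = []
    for n, key in enumerate(choose_shares(shares, threshold), 1):
        proc = run(key)
        codes.append(proc.returncode)
        if proc.returncode != 0:
            print("share %d rejected: %s" % (n, proc.stderr.strip()))
            break
    return codes
```

Typical use: `shares, t = parse_init_output(open(path).read())` after `check_private(path)` returns True, then `unseal(shares, t)`.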
