From f10ea81e3e7deb2d5a312e123751e81211e8324f Mon Sep 17 00:00:00 2001 From: Jeroen Meulemeester Date: Thu, 7 Sep 2017 10:42:31 +0200 Subject: [PATCH 1/6] vault: add page --- pages/common/vault.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 pages/common/vault.md diff --git a/pages/common/vault.md b/pages/common/vault.md new file mode 100644 index 0000000000..df70750de1 --- /dev/null +++ b/pages/common/vault.md @@ -0,0 +1,27 @@ +# vault + +> HashiCorp Vault, a tool for managing secrets. + +- Create a new vault, requiring at least 2 out of 5 keyshares to unseal: + +`vault init -key-shares={{5}} -key-threshold={{2}}` + +- Unseal a vault, by providing one of the keyshares. Repeat with necessary key-shares until unsealed: + +`vault unseal {{key-share-x}}` + +- Authenticate client against vault, using an authentication token: + +`vault auth {{authentication-token}}` + +- Store a new secret in the vault: + +`vault write {{secret/hello}} value={{world}}` + +- Read a secret from the vault: + +`vault read {{secret/hello}}` + +- Seal the vault: + +`vault seal` From 2ae4673c9d805769d9911711c93a31a2b18b81a7 Mon Sep 17 00:00:00 2001 From: Jeroen Meulemeester Date: Thu, 7 Sep 2017 18:50:18 +0200 Subject: [PATCH 2/6] vault: Fix some review remarks --- pages/common/vault.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/common/vault.md b/pages/common/vault.md index df70750de1..70af129fb3 100644 --- a/pages/common/vault.md +++ b/pages/common/vault.md @@ -1,12 +1,12 @@ # vault -> HashiCorp Vault, a tool for managing secrets. +> A CLI to interact with HashiCorp Vault. - Create a new vault, requiring at least 2 out of 5 keyshares to unseal: `vault init -key-shares={{5}} -key-threshold={{2}}` -- Unseal a vault, by providing one of the keyshares. Repeat with necessary key-shares until unsealed: +- Unseal the vault: `vault unseal {{key-share-x}}` 
@@ -22,6 +22,6 @@ `vault read {{secret/hello}}` -- Seal the vault: +- Seal the vault again: `vault seal` From 3074e54c5d5c9b36b6390a0250c95c40a4be3a97 Mon Sep 17 00:00:00 2001 From: Jeroen Meulemeester Date: Thu, 7 Sep 2017 21:30:59 +0200 Subject: [PATCH 3/6] vault: Fix 'vault write' remarks Vault uses different back-ends (secret, auth, audit, ..), which are modeled as a kind of file system: - Remove 'secret' from the token - Include the 'secret' back-end to the 'vault write' description --- pages/common/vault.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pages/common/vault.md b/pages/common/vault.md index 70af129fb3..f2d0138be1 100644 --- a/pages/common/vault.md +++ b/pages/common/vault.md @@ -14,13 +14,13 @@ `vault auth {{authentication-token}}` -- Store a new secret in the vault: +- Store a new secret in the vault using the generic back-end called secret: -`vault write {{secret/hello}} value={{world}}` +`vault write secret/{{hello}} value={{world}}` -- Read a secret from the vault: +- Read a value from the vault using the generic back-end called secret: -`vault read {{secret/hello}}` +`vault read secret/{{hello}}` - Seal the vault again: From 8e75c501729b8aaa2d68fb04f30c130421a7c758 Mon Sep 17 00:00:00 2001 From: Jeroen Meulemeester Date: Fri, 8 Sep 2017 07:40:26 +0200 Subject: [PATCH 4/6] vault: Fix 'comma/comment' remarks --- pages/common/vault.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/common/vault.md b/pages/common/vault.md index f2d0138be1..17f6926307 100644 --- a/pages/common/vault.md +++ b/pages/common/vault.md @@ -6,7 +6,7 @@ `vault init -key-shares={{5}} -key-threshold={{2}}` -- Unseal the vault: +- Unseal the vault by providing one of the keyshares. Repeat with necessary key-shares until unsealed: `vault unseal {{key-share-x}}` From 98ccb025514c2b4f82615da75efb7d26057e4858 Mon Sep 17 00:00:00 2001 
From: Jeroen Meulemeester Date: Fri, 8 Sep 2017 14:21:37 +0200 Subject: [PATCH 5/6] vault: Simplify examples and prevent jargon - Simplified 'init' command, using the defaults - Provide synonym 'unlock' to explain the 'unsealing' process - Use 'key shares' instead of 'key-shares' or 'keyshares' - Briefly explain what 'sealing' means --- pages/common/vault.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pages/common/vault.md b/pages/common/vault.md index 17f6926307..47d8afa4de 100644 --- a/pages/common/vault.md +++ b/pages/common/vault.md @@ -2,26 +2,26 @@ > A CLI to interact with HashiCorp Vault. -- Create a new vault, requiring at least 2 out of 5 keyshares to unseal: +- Connect to a Vault server and initialize a new encrypted data store: -`vault init -key-shares={{5}} -key-threshold={{2}}` +`vault init` -- Unseal the vault by providing one of the keyshares. Repeat with necessary key-shares until unsealed: +- Unseal or 'unlock' the vault by providing one of the key shares needed to access the encrypted data store: `vault unseal {{key-share-x}}` -- Authenticate client against vault, using an authentication token: +- Authenticate the CLI client against the Vault server using an authentication token: `vault auth {{authentication-token}}` -- Store a new secret in the vault using the generic back-end called secret: +- Store a new secret in the vault using the generic back-end, called 'secret': `vault write secret/{{hello}} value={{world}}` -- Read a value from the vault using the generic back-end called secret: +- Read a value from the vault using the generic back-end, called 'secret': `vault read secret/{{hello}}` -- Seal the vault again: +- Seal or 'lock' the Vault server by removing the encryption key of the data store from memory: `vault seal` From 0ddfb4fcf10dab6e8af2a7c19203cb2d8de5190a Mon Sep 17 00:00:00 2001 
From: Jeroen Meulemeester Date: Fri, 8 Sep 2017 16:36:06 +0200 Subject: [PATCH 6/6] vault: Fix punctuation review remarks --- pages/common/vault.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pages/common/vault.md b/pages/common/vault.md index 47d8afa4de..fa927e6895 100644 --- a/pages/common/vault.md +++ b/pages/common/vault.md @@ -6,22 +6,22 @@ `vault init` -- Unseal or 'unlock' the vault by providing one of the key shares needed to access the encrypted data store: +- Unseal (unlock) the vault, by providing one of the key shares needed to access the encrypted data store: `vault unseal {{key-share-x}}` -- Authenticate the CLI client against the Vault server using an authentication token: +- Authenticate the CLI client against the Vault server, using an authentication token: `vault auth {{authentication-token}}` -- Store a new secret in the vault using the generic back-end, called 'secret': +- Store a new secret in the vault, using the generic back-end called "secret": `vault write secret/{{hello}} value={{world}}` -- Read a value from the vault using the generic back-end, called 'secret': +- Read a value from the vault, using the generic back-end called "secret": `vault read secret/{{hello}}` -- Seal or 'lock' the Vault server by removing the encryption key of the data store from memory: +- Seal (lock) the Vault server, by removing the encryption key of the data store from memory: `vault seal`
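Review bot: In patch 1/6, the entry "Create a new vault" for `vault init -key-shares={{5}} -key-threshold={{2}}` describes the wrong action: the command initializes the storage of a running Vault server rather than creating a vault, so "Initialize a Vault server" is more accurate. The entry also never says what the command outputs, yet the following `vault unseal {{key-share-x}}` and `vault auth {{authentication-token}}` entries depend on those outputs; state that `init` prints the generated key shares and the initial root token, which have to be recorded before the terminal scrolls on.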
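Review bot: In patch 2/6, the first hunk shortens the unseal description to `- Unseal the vault:` and thereby drops the only mention that the command has to be repeated with further key shares until the threshold from `-key-threshold` is met; a reader who runs `vault unseal {{key-share-x}}` once will still have a sealed vault. Keep a clause such as "repeat with further key shares until the vault is unsealed".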
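Review bot: In patch 3/6, `vault write secret/{{hello}} value={{world}}` puts the secret value on the command line, where it is stored in shell history and visible to other local users through the process list; the entry should mention that the CLI can also read the value from a file with `value=@{{file}}` so that the secret never appears in argv. The wording is also inconsistent between the two hunks: "Store a new secret" versus "Read a value"; use "secret" in both.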
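Review bot: In patch 4/6, the restored line mixes "keyshares" and "key-shares" within one sentence ("providing one of the keyshares. Repeat with necessary key-shares"); settle on one spelling, either "key shares" as two words or "key-shares" to match the `-key-shares` flag used in the `init` entry above.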
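Review bot: In patch 5/6, the new unseal text "by providing one of the key shares needed to access the encrypted data store" reintroduces the regression that patch 4/6 reverted: it no longer tells the reader that `vault unseal {{key-share-x}}` must be run once per share until the threshold is reached. Simplifying `vault init` to the defaults is fine, but since the `-key-threshold` flag is gone, the unseal entry is now the only place that can convey this, so add the repeat instruction back; the new `vault seal` description, which explains that the encryption key is removed from memory, is a good model for the level of detail.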
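Review bot: In patch 6/6, `vault auth {{authentication-token}}` still passes the token as a command-line argument, so it is recorded in shell history; since the page now explains sealing and unsealing in some detail, the auth entry could likewise note that the token can instead be supplied through the `VAULT_TOKEN` environment variable to keep it out of history. The added commas before "by" and "using" separate each verb from its own adverbial phrase; they read more naturally without the comma, but this is a style point.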