HashivaultKeeper - a SecretKeeper implementation for Hashicorp Vault

This keeper wraps the API for hashicorp vault 'transit' engine for encryption and decryption. This api is fully asynchronous,

Setup

If you don't already have a hashicorp vault to use, take a look at the examples directory (examples/README.md) which has detailed instructions for setting up a hashicorp vault in a docker container.

The examples/scripts folder also has some scripts that can create an encryption key using the 'vault' command-line program (part of the 'vault' or 'vault-bin' package for linux distros). The HashivaultKeeper also implements an api method for creating a new encryption key on the vault server.

Using this keeper

SecretKeeper uris are of the form

• hashivault://MYKEY (uses the default host:port == localhost:8200)
• hashivault://host:port/MYKEY
  • this form uses http for localhost and https for all other hosts
• hashivault:https://host:port/MYKEY
  • this form is only needed if the http/https scheme inferred above is not orrect

If host and port are not set in the uri, the VAULT_ADDR is checked. VAULT_ADDR may be defined of the form 'https://127.0.0.1:8200/'. If VAULT_ADDR is not set, 'http://127.0.0.1:8200' is used.

The REST API urls used to accesss the vault server are of the form:

http(s)://host:port/v1/transit/(encrypt|decrypt|keys)/<KEY_NAME>

You can test it out with the examples/encrypt-rs command-line program. Ensure that the environment variable VAULT_TOKEN is set:

  source secret.env

Then, to encrypt FILE to FILE.ENC, use:

  encrypt enc -o FILE.ENC -k hashivault://MYKEY FILE

To decrypt, use

  encrypt dec -o FILE.DUP -k hashivault://MYKEY FILE.ENC

With default parameters, this will encrypt the file using the LZ4XChaCha20-Poly1305 compressing cipher using a newly-generated 256-bit key, encrypt that key with MYKEY on the vault, and store the encrypted key in the header of FILE.ENC.