|0.3.5||Jul 11, 2020|
|0.3.4||Jul 8, 2020|
|0.3.2||Jul 1, 2020|
|0.3.0||Jun 30, 2020|
#18 in #vault
Used in encrypt-rs
This keeper wraps the API for hashicorp vault 'transit' engine for encryption and decryption. This api is fully asynchronous,
If you don't already have a hashicorp vault to use, take a look at the examples directory (examples/README.md) which has detailed instructions for setting up a hashicorp vault in a docker container.
The examples/scripts folder also has some scripts that can create an encryption key using the 'vault' command-line program (part of the 'vault' or 'vault-bin' package for linux distros). The HashivaultKeeper also implements an api method for creating a new encryption key on the vault server.
SecretKeeper uris are of the form
hashivault://MYKEY(uses the default host:port == localhost:8200)
- this form uses http for localhost and https for all other hosts
- this form is only needed if the http/https scheme inferred above is not orrect
The REST API urls used to accesss the vault server are of the form:
You can test it out with the examples/encrypt-rs command-line program. Ensure that the environment variable VAULT_TOKEN is set:
Then, to encrypt
encrypt enc -o FILE.ENC -k hashivault://MYKEY FILE
To decrypt, use
encrypt dec -o FILE.DUP -k hashivault://MYKEY FILE.ENC
With default parameters, this will encrypt the file using the LZ4XChaCha20-Poly1305 compressing cipher using a newly-generated 256-bit key, encrypt that key with MYKEY on the vault, and store the encrypted key in the header of FILE.ENC.