#security #crypto #vault

secret-keeper-hashivault

Hashivault SecretKeeper, an integration with Hashicorp Vault for https://crates.io/crates/secret-keeper

4 releases

0.3.5 Jul 11, 2020
0.3.4 Jul 8, 2020
0.3.2 Jul 1, 2020
0.3.0 Jun 30, 2020

#18 in #vault


Used in encrypt-rs

Apache-2.0 OR MIT

140KB
2.5K SLoC

HashivaultKeeper - a SecretKeeper implementation for Hashicorp Vault

This keeper wraps the API for hashicorp vault 'transit' engine for encryption and decryption. This api is fully asynchronous,

Setup

If you don't already have a hashicorp vault to use, take a look at the examples directory (examples/README.md) which has detailed instructions for setting up a hashicorp vault in a docker container.

The examples/scripts folder also has some scripts that can create an encryption key using the 'vault' command-line program (part of the 'vault' or 'vault-bin' package for linux distros). The HashivaultKeeper also implements an api method for creating a new encryption key on the vault server.

Using this keeper

SecretKeeper uris are of the form

  • hashivault://MYKEY (uses the default host:port == localhost:8200)
  • hashivault://host:port/MYKEY
    • this form uses http for localhost and https for all other hosts
  • hashivault:https://host:port/MYKEY
    • this form is only needed if the http/https scheme inferred above is not orrect

If host and port are not set in the uri, the VAULT_ADDR is checked. VAULT_ADDR may be defined of the form 'https://127.0.0.1:8200/'. If VAULT_ADDR is not set, 'http://127.0.0.1:8200' is used.

The REST API urls used to accesss the vault server are of the form:

http(s)://host:port/v1/transit/(encrypt|decrypt|keys)/<KEY_NAME>

You can test it out with the examples/encrypt-rs command-line program. Ensure that the environment variable VAULT_TOKEN is set:

  source secret.env

Then, to encrypt FILE to FILE.ENC, use:

  encrypt enc -o FILE.ENC -k hashivault://MYKEY FILE

To decrypt, use

  encrypt dec -o FILE.DUP -k hashivault://MYKEY FILE.ENC

With default parameters, this will encrypt the file using the LZ4XChaCha20-Poly1305 compressing cipher using a newly-generated 256-bit key, encrypt that key with MYKEY on the vault, and store the encrypted key in the header of FILE.ENC.

Dependencies

~8–12MB
~251K SLoC