A Vault Tutorial. Part 2

Published: Feb 6, 2019 by Isaac Johnson

With Part 1, we showed how to launch a Vault instance locally with a focus on using docker and containers.  Now that you have vault installed, let’s check out what it can do.

Basic commands:

  1. Use kv put to put secrets
  2. Use kv get to retrieve them

With Vault, every key is versioned (so you may update and retrieve former versions).

You may also set multiple key value pairs (key=value anotherkey=value…).

$ export VAULT_ADDR='http://vault.local:8200'
$ export VAULT_DEV_ROOT_TOKEN_ID=5l8v34FMhOVBozD9IAAkHREj
$ vault status
Key Value
--- -----
Seal Type shamir

$ vault kv put secret/funky cold=medina
Key Value
--- -----
created_time 2018-12-28T17:52:22.217336Z
deletion_time n/a
destroyed false
version 1

$ vault kv get secret/funky
====== Metadata ======
Key Value
--- -----
created_time 2018-12-28T17:52:22.217336Z
deletion_time n/a
destroyed false
version 1

==== Data ====
Key Value
--- -----
cold medina

When retrieving values, one can use jquery to parse out the content or the newer “-field” option to just get the value.

When you wish to delete values, use “delete” to remove the secret. While delete does “delete”, it’s more akin to moving something to the trash folder.  It can be restored easily with undelete…

$ brew install jq
$ vault kv get -format=json secret/funcky | jq -r .data.data.cold
medina


$ vault kv get -field=cold secret/funky
medina


$ vault kv delete secret/funky
Success! Data deleted (if it existed) at: secret/funky
$ vault kv get -field=cold secret/funky
No data found at secret/data/funky

Delete Undelete and Destroy

When setting values, each update is versioned. If the value was not destroyed, one can “undelete” a version to restore it.

However, one can use “destroy” to irrevocably destroy unwanted data (e.g. a password or key that was errantly exposed).

$ vault kv get -field=cold secret/funky
No data found at secret/data/funky

# oh no, i want that value back!
$ vault kv get -version=1 secret/funky
====== Metadata ======
Key Value
--- -----
created_time 2018-12-28T17:52:22.217336Z
deletion_time 2018-12-28T18:23:05.2746784Z
destroyed false
version 1

$ vault kv undelete -versions=1 secret/funky
Success! Data written to: secret/undelete/funky

$ vault kv get -field=cold secret/funky
medina

Now we wish to delete permanently a value:

$ vault kv delete secret/funky
Success! Data deleted (if it existed) at: secret/funky

$ vault kv destroy -versions=1 secret/funky
Success! Data written to: secret/destroy/funky

$ vault kv get -field=cold secret/funky
No data found at secret/data/funky

$ vault kv undelete -versions=1 secret/funky
Success! Data written to: secret/undelete/funky

# proof it’s not available
$ vault kv get -field=cold secret/funky
No data found at secret/data/funky
tutorial vault

Isaac Johnson

Isaac Johnson

Cloud Solutions Architect

Isaac is a CSA and DevOps engineer who focuses on cloud migrations and devops processes. He also is a dad to three wonderful daughters (hence the references to Princess King sprinkled throughout the blog).

Theme built by C.S. Rhymes