A Vault Tutorial. Part 6

Published: Feb 10, 2019 by Isaac Johnson

API Access

We can use REST APIs to interact with Vault as well.  We can use these APIS to  init, unseal and even create and update roles.

# init with curl
$ curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:9990/v1/sys/init
{"errors":["Vault is already initialized"]}

$ curl --request POST --data '{"key": " *****myunsealkey******"}' http://127.0.0.1:9990/v1/sys/init

# enable app role
$ curl --header "X-Vault-Token: s.GajsySoAWg7fWANaA1jYB1ws" --request POST --data '{"type": "approle"}' http://127.0.0.1:9990/v1/sys/auth/approle

$ curl --header "X-Vault-Token: s.GajsySoAWg7fWANaA1jYB1ws" --request POST --data '{"policies": ["dev-policy", "my-readonly-policy"]}' http://127.0.0.1:9990/v1/auth/approle/role/my-role

WebUI Access

There is also a web interface (provided you are using a -dev server or set “ui = true” in your .hcl)

There are some fantastic wizards for interacting with various providers (e.g. cloud auth providers)

Demo: Encryption as a Service

First you need to enable the transit backend and create a transit encryption key.

The service will require base64 encoded data and will provide as output a cyphertext.

D:\Vault>vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/

D:\Vault>vault secrets enable -path=encryption transit
Success! Enabled the transit secrets engine at: encryption/

D:\Vault>vault write -f transit/keys/hack-the-planet
Success! Data written to: transit/keys/hack-the-planet

D:\Vault>echo "Trashing our Rights!" > tmp.b64

D:\Vault>certutil -encode tmp.b64 tmp.out.b64 && findstr /v /c:- tmp.out.b64 > data.b64
Input Length = 25
Output Length = 94
CertUtil: -encode command completed successfully.

D:\Vault>type data.b64
IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg==

D:\Vault>vault write transit/encrypt/hack-the-planet plaintext="IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg=="
Key Value
--- -----
ciphertext vault:v1:jrHmxoutT+rB2wzc6RIyr7xLnxHGLrexDTprFIDjluR6UDAWttcjULVEaKcRexyAPiM20rk=

builder@DESKTOP-JBA79RT:~$ ./vault write transit/encrypt/hack-the-planet plaintext=$(base64 <<< "Trashing our rights!")
Key Value
--- -----
ciphertext vault:v1:15QMGiFqASbYNeZ9cNiD0N6nS4YxCF2/Uls/v5TP8cex6aODZf7x47z9J4JyO0xqZg==

Decoding

You can now use the cypher with your token ring to decode the data.

D:\Vault>vault write transit/decrypt/hack-the-planet ciphertext="vault:v1:jrHmxoutT+rB2wzc6RIyr7xLnxHGLrexDTprFIDjluR6UDAWttcjULVEaKcRexyAPiM20rk="
Key Value
--- -----
plaintext IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg==

D:\Vault>echo IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg== > data.b64

D:\Vault>certutil -decode data.b64 data.txt
Input Length = 39
Output Length = 25
CertUtil: -decode command completed successfully.

D:\Vault>type data.txt
"Trashing our Rights!"
builder@DESKTOP-JBA79RT:~$ ./vault write transit/decrypt/hack-the-planet ciphertext="vault:v1:15QMGiFqASbYNeZ9cNiD0N6nS4YxCF2/Uls/v5TP8cex6aODZf7x47z9J4JyO0xqZg=="
Key Value
--- -----
plaintext VHJhc2hpbmcgb3VyIHJpZ2h0cyEK

$ base64 --decode <<< "VHJhc2hpbmcgb3VyIHJpZ2h0cyEK"
Trashing our rights!
tutorial vault

Isaac Johnson

Isaac Johnson

Cloud Solutions Architect

Isaac is a CSA and DevOps engineer who focuses on cloud migrations and devops processes. He also is a dad to three wonderful daughters (hence the references to Princess King sprinkled throughout the blog).

Theme built by C.S. Rhymes