Published: Feb 10, 2019 by Isaac Johnson
API Access
We can use REST APIs to interact with Vault as well. We can use these APIS to init, unseal and even create and update roles.
# init with curl
$ curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:9990/v1/sys/init
{"errors":["Vault is already initialized"]}
$ curl --request POST --data '{"key": " *****myunsealkey******"}' http://127.0.0.1:9990/v1/sys/init
# enable app role
$ curl --header "X-Vault-Token: s.GajsySoAWg7fWANaA1jYB1ws" --request POST --data '{"type": "approle"}' http://127.0.0.1:9990/v1/sys/auth/approle
$ curl --header "X-Vault-Token: s.GajsySoAWg7fWANaA1jYB1ws" --request POST --data '{"policies": ["dev-policy", "my-readonly-policy"]}' http://127.0.0.1:9990/v1/auth/approle/role/my-role
WebUI Access
There is also a web interface (provided you are using a -dev server or set “ui = true” in your .hcl)
There are some fantastic wizards for interacting with various providers (e.g. cloud auth providers)
Demo: Encryption as a Service
First you need to enable the transit backend and create a transit encryption key.
The service will require base64 encoded data and will provide as output a cyphertext.
D:\Vault>vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/
D:\Vault>vault secrets enable -path=encryption transit
Success! Enabled the transit secrets engine at: encryption/
D:\Vault>vault write -f transit/keys/hack-the-planet
Success! Data written to: transit/keys/hack-the-planet
D:\Vault>echo "Trashing our Rights!" > tmp.b64
D:\Vault>certutil -encode tmp.b64 tmp.out.b64 && findstr /v /c:- tmp.out.b64 > data.b64
Input Length = 25
Output Length = 94
CertUtil: -encode command completed successfully.
D:\Vault>type data.b64
IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg==
D:\Vault>vault write transit/encrypt/hack-the-planet plaintext="IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg=="
Key Value
--- -----
ciphertext vault:v1:jrHmxoutT+rB2wzc6RIyr7xLnxHGLrexDTprFIDjluR6UDAWttcjULVEaKcRexyAPiM20rk=
builder@DESKTOP-JBA79RT:~$ ./vault write transit/encrypt/hack-the-planet plaintext=$(base64 <<< "Trashing our rights!")
Key Value
--- -----
ciphertext vault:v1:15QMGiFqASbYNeZ9cNiD0N6nS4YxCF2/Uls/v5TP8cex6aODZf7x47z9J4JyO0xqZg==
Decoding
You can now use the cypher with your token ring to decode the data.
D:\Vault>vault write transit/decrypt/hack-the-planet ciphertext="vault:v1:jrHmxoutT+rB2wzc6RIyr7xLnxHGLrexDTprFIDjluR6UDAWttcjULVEaKcRexyAPiM20rk="
Key Value
--- -----
plaintext IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg==
D:\Vault>echo IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg== > data.b64
D:\Vault>certutil -decode data.b64 data.txt
Input Length = 39
Output Length = 25
CertUtil: -decode command completed successfully.
D:\Vault>type data.txt
"Trashing our Rights!"
builder@DESKTOP-JBA79RT:~$ ./vault write transit/decrypt/hack-the-planet ciphertext="vault:v1:15QMGiFqASbYNeZ9cNiD0N6nS4YxCF2/Uls/v5TP8cex6aODZf7x47z9J4JyO0xqZg=="
Key Value
--- -----
plaintext VHJhc2hpbmcgb3VyIHJpZ2h0cyEK
$ base64 --decode <<< "VHJhc2hpbmcgb3VyIHJpZ2h0cyEK"
Trashing our rights!
