A Vault Tutorial. Part 2

In Part 1, we showed how to launch a Vault instance locally, with a focus on Docker and containers.  Now that you have Vault running, let's check out what it can do.

Basic commands:
1. Use kv put to write secrets
2. Use kv get to read them back

The dev server mounts version 2 of the KV secrets engine at secret/, where every write to a path creates a new version of that secret (so you may update a secret and still retrieve former versions).

You may also write multiple key/value pairs in one command (key=value anotherkey=value…).

$ export VAULT_ADDR='http://vault.local:8200'
# The CLI authenticates with VAULT_TOKEN (or a token saved by `vault login`).
# VAULT_DEV_ROOT_TOKEN_ID is only read by `vault server -dev`, so export the
# root token from Part 1 as VAULT_TOKEN instead. A root token is fine for a
# throwaway dev server, never for anything else.
$ export VAULT_TOKEN=5l8v34FMhOVBozD9IAAkHREj
$ vault status
Key             Value
---             -----
Seal Type       shamir
(remaining rows omitted)

$ vault kv put secret/funky cold=medina
Key              Value
---              -----
created_time     2018-12-28T17:52:22.217336Z
deletion_time    n/a
destroyed        false
version          1

$ vault kv get secret/funky
====== Metadata ======
Key              Value
---              -----
created_time     2018-12-28T17:52:22.217336Z
deletion_time    n/a
destroyed        false
version          1

==== Data ====
Key     Value
---     -----
cold    medina

When retrieving values, you can pipe the JSON output (-format=json) through jq to pull out one field, or use the newer -field option to print just the value.

When you wish to remove a secret, use kv delete. Delete is a soft delete: it stamps the current version with a deletion_time, much like moving a file to the trash folder, and the version can be restored with kv undelete. Any token whose policy grants update on secret/undelete/<path> can bring it back, so delete alone does not get rid of a leaked secret.

$ brew install jq    # macOS; use your distro's package manager elsewhere
$ vault kv get -format=json secret/funky | jq -r .data.data.cold
medina


$ vault kv get -field=cold secret/funky
medina


$ vault kv delete secret/funky
Success! Data deleted (if it existed) at: secret/funky
$ vault kv get -field=cold secret/funky
No data found at secret/data/funky

Delete, Undelete and Destroy

Every write to a path creates a new version, and kv delete only soft-deletes a version (the current one by default; -versions selects others). As long as a version has not been destroyed, kv undelete restores it.

kv destroy, by contrast, irrevocably erases the data of the named versions: the version number and its metadata remain, but the data can never be read or undeleted again. Use it for a password or key that was errantly exposed, and rotate that credential too, since destroying Vault's copy does nothing about copies already read out of Vault. To drop every version along with the metadata, use kv metadata delete.
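The jq path above and the delete/undelete/destroy states can be worked out from Vault's JSON output alone. The following is an added example, written for this tutorial and not code from the original post or from the Vault project: it extracts a field the way `jq -r .data.data.cold` does and classifies each version of a secret from the metadata response, so you can check whether a "deleted" secret is still recoverable before calling it gone. The JSON documents are constructed to mirror the shape of `vault kv get -format=json` and `vault kv metadata get -format=json`; versions 2 and 3 are assumed extra writes that the tutorial never makes, and no Vault server is contacted.

```python
"""Interpreting KV v2 JSON output: field extraction and version state.

Added example for this tutorial, not code from the Vault project. Both JSON
documents are constructed to mirror `vault kv get -format=json` and
`vault kv metadata get -format=json` for the secret/funky path used above;
no Vault server is contacted. Versions 2 and 3 are assumed.
"""
import json
from typing import Dict, List, Optional

# Constructed: `vault kv get -format=json secret/funky` for a live version.
# KV v2 wraps the user data in a second "data" key (the outer one also holds
# metadata), which is why the jq path is .data.data.cold, not .data.cold.
KV_GET_LIVE = """{
  "data": {
    "data": {"cold": "medina"},
    "metadata": {"created_time": "2018-12-28T17:52:22.217336Z",
                 "deletion_time": "", "destroyed": false, "version": 1}
  }
}"""

# Constructed: the same call against a soft-deleted version. Vault returns
# the metadata (now carrying a deletion_time) but null data.
KV_GET_DELETED = """{
  "data": {
    "data": null,
    "metadata": {"created_time": "2018-12-28T17:52:22.217336Z",
                 "deletion_time": "2018-12-28T18:23:05.274678Z",
                 "destroyed": false, "version": 1}
  }
}"""

# Constructed: `vault kv metadata get -format=json secret/funky` after v1 was
# destroyed, v2 soft-deleted and v3 written (v2 and v3 are assumed).
KV_METADATA = """{
  "data": {
    "current_version": 3,
    "max_versions": 0,
    "versions": {
      "1": {"created_time": "2018-12-28T17:52:22.217336Z",
            "deletion_time": "2018-12-28T18:23:05.274678Z", "destroyed": true},
      "2": {"created_time": "2018-12-28T18:30:00.000000Z",
            "deletion_time": "2018-12-28T18:31:00.000000Z", "destroyed": false},
      "3": {"created_time": "2018-12-28T18:40:00.000000Z",
            "deletion_time": "", "destroyed": false}
    }
  }
}"""


def get_field(kv_get_json: str, field: str) -> Optional[str]:
    """Python equivalent of `jq -r .data.data.<field>`.

    Returns None instead of failing when the inner data block is null,
    which is what a deleted or destroyed version looks like.
    """
    doc = json.loads(kv_get_json)
    inner = (doc.get("data") or {}).get("data") or {}
    return inner.get(field)


def classify_version(meta: dict) -> str:
    """A version can carry both a deletion_time and destroyed=true,
    so the destroyed flag is checked first."""
    if meta.get("destroyed"):
        return "destroyed"
    if meta.get("deletion_time"):
        return "deleted"
    return "live"


def version_states(kv_metadata_json: str) -> Dict[int, str]:
    versions = json.loads(kv_metadata_json)["data"]["versions"]
    return {int(num): classify_version(meta) for num, meta in versions.items()}


def recoverable_versions(kv_metadata_json: str) -> List[int]:
    """Versions that `vault kv undelete` would bring back. If a leaked
    secret still shows up here, `kv delete` alone did not get rid of it."""
    return sorted(v for v, s in version_states(kv_metadata_json).items()
                  if s == "deleted")


def recovery_plan(path: str, kv_metadata_json: str) -> List[str]:
    """One line per version: how to read it back, or why you cannot."""
    lines = []
    for num, state in sorted(version_states(kv_metadata_json).items()):
        if state == "live":
            lines.append(f"v{num}: live; vault kv get -version={num} {path}")
        elif state == "deleted":
            lines.append(f"v{num}: soft-deleted; vault kv undelete -versions={num} {path}")
        else:
            lines.append(f"v{num}: destroyed; data unrecoverable, rotate the "
                         f"credential if it was exposed")
    return lines


if __name__ == "__main__":
    print(get_field(KV_GET_LIVE, "cold"))       # medina
    print(get_field(KV_GET_DELETED, "cold"))    # None
    print("\n".join(recovery_plan("secret/funky", KV_METADATA)))
```

Against a real server, feed the functions the output of `vault kv metadata get -format=json <path>`; a secret you believe is gone should have no entries in recoverable_versions.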

$ vault kv get -field=cold secret/funky
No data found at secret/data/funky

# Oh no, I want that value back! Reading the deleted version shows only its metadata:
$ vault kv get -version=1 secret/funky
====== Metadata ======
Key              Value
---              -----
created_time     2018-12-28T17:52:22.217336Z
deletion_time    2018-12-28T18:23:05.2746784Z
destroyed        false
version          1

$ vault kv undelete -versions=1 secret/funky
Success! Data written to: secret/undelete/funky

$ vault kv get -field=cold secret/funky
medina

Now we want to remove the value permanently. destroy takes explicit version numbers, so name version 1:

$ vault kv delete secret/funky
Success! Data deleted (if it existed) at: secret/funky

$ vault kv destroy -versions=1 secret/funky
Success! Data written to: secret/destroy/funky

$ vault kv get -field=cold secret/funky
No data found at secret/data/funky

$ vault kv undelete -versions=1 secret/funky
Success! Data written to: secret/undelete/funky

# Proof that a destroyed version cannot be recovered: undelete reports success, but no data comes back
$ vault kv get -field=cold secret/funky
No data found at secret/data/funky