A Vault Tutorial. Part 6
API Access
We can also interact with Vault through its REST API. The same operations the CLI offers are available over HTTP: init, unseal, enabling auth methods, and creating or updating roles.
# init with curl
$ curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:9990/v1/sys/init
{"errors":["Vault is already initialized"]}
# unseal with curl (the unseal endpoint is sys/unseal, not sys/init)
$ curl --request POST --data '{"key": "*****myunsealkey******"}' http://127.0.0.1:9990/v1/sys/unseal
# enable app role (authenticated with the root/admin token in X-Vault-Token)
$ curl --header "X-Vault-Token: s.GajsySoAWg7fWANaA1jYB1ws" --request POST --data '{"type": "approle"}' http://127.0.0.1:9990/v1/sys/auth/approle
# create a role that is granted two policies
$ curl --header "X-Vault-Token: s.GajsySoAWg7fWANaA1jYB1ws" --request POST --data '{"policies": ["dev-policy", "my-readonly-policy"]}' http://127.0.0.1:9990/v1/auth/approle/role/my-role
WebUI Access
There is also a web interface (provided you are running a -dev server or have set "ui = true" in your .hcl config).
There are some fantastic wizards for interacting with various providers (e.g. cloud auth providers)
Demo: Encryption as a Service
First you need to enable the transit backend and create a transit encryption key.
The engine accepts only base64-encoded data and returns a ciphertext in its place.
D:\Vault>vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/
D:\Vault>vault secrets enable -path=encryption transit
Success! Enabled the transit secrets engine at: encryption/
D:\Vault>vault write -f transit/keys/hack-the-planet
Success! Data written to: transit/keys/hack-the-planet
D:\Vault>echo "Trashing our Rights!" > tmp.b64
D:\Vault>certutil -encode tmp.b64 tmp.out.b64 && findstr /v /c:- tmp.out.b64 > data.b64
Input Length = 25
Output Length = 94
CertUtil: -encode command completed successfully.
D:\Vault>type data.b64
IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg==
D:\Vault>vault write transit/encrypt/hack-the-planet plaintext="IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg=="
Key Value
--- -----
ciphertext vault:v1:jrHmxoutT+rB2wzc6RIyr7xLnxHGLrexDTprFIDjluR6UDAWttcjULVEaKcRexyAPiM20rk=
builder@DESKTOP-JBA79RT:~$ ./vault write transit/encrypt/hack-the-planet plaintext=$(base64 <<< "Trashing our rights!")
Key Value
--- -----
ciphertext vault:v1:15QMGiFqASbYNeZ9cNiD0N6nS4YxCF2/Uls/v5TP8cex6aODZf7x47z9J4JyO0xqZg==
Decoding
You can now send the ciphertext to the decrypt endpoint with your Vault token to get the base64-encoded plaintext back.
D:\Vault>vault write transit/decrypt/hack-the-planet ciphertext="vault:v1:jrHmxoutT+rB2wzc6RIyr7xLnxHGLrexDTprFIDjluR6UDAWttcjULVEaKcRexyAPiM20rk="
Key Value
--- -----
plaintext IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg==
D:\Vault>echo IlRyYXNoaW5nIG91ciBSaWdodHMhIiANCg== > data.b64
D:\Vault>certutil -decode data.b64 data.txt
Input Length = 39
Output Length = 25
CertUtil: -decode command completed successfully.
D:\Vault>type data.txt
"Trashing our Rights!"
builder@DESKTOP-JBA79RT:~$ ./vault write transit/decrypt/hack-the-planet ciphertext="vault:v1:15QMGiFqASbYNeZ9cNiD0N6nS4YxCF2/Uls/v5TP8cex6aODZf7x47z9J4JyO0xqZg=="
Key Value
--- -----
plaintext VHJhc2hpbmcgb3VyIHJpZ2h0cyEK
$ base64 --decode <<< "VHJhc2hpbmcgb3VyIHJpZ2h0cyEK"
Trashing our rights!
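The same encrypt/decrypt round trip, driven over the REST API from the first section instead of the CLI, as an added Python example that is not part of the tutorial. The listener address, key name and endpoints come from the page; the fake_vault transport is a constructed stand-in so the example runs without a server. Note that the Windows session above base64-encoded the surrounding quotes and the CRLF along with the message (hence Input Length = 25); doing the encoding in code avoids that.

```python
import base64
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:9990"  # listener address used throughout this tutorial
KEY = "hack-the-planet"               # transit key created in the demo above


def _http_post(url, token, body):
    """Real transport: POST a JSON body to Vault, authenticated by X-Vault-Token."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def encrypt(token, plaintext: bytes, post=_http_post) -> str:
    """Encrypt raw bytes with transit. Transit only accepts base64, so the bytes
    are encoded here exactly once, with no stray quotes or CRLF from the shell."""
    body = {"plaintext": base64.b64encode(plaintext).decode()}
    ct = post(f"{VAULT_ADDR}/v1/transit/encrypt/{KEY}", token, body)["data"]["ciphertext"]
    if not ct.startswith("vault:v"):  # every transit ciphertext carries a key-version prefix
        raise ValueError(f"unexpected ciphertext format: {ct!r}")
    return ct


def decrypt(token, ciphertext: str, post=_http_post) -> bytes:
    """Decrypt a vault:vN:... ciphertext and return the original raw bytes."""
    body = {"ciphertext": ciphertext}
    b64 = post(f"{VAULT_ADDR}/v1/transit/decrypt/{KEY}", token, body)["data"]["plaintext"]
    return base64.b64decode(b64, validate=True)


def fake_vault(store: dict):
    """Constructed stand-in for the Vault API so the example runs offline: it
    hands back an opaque placeholder per plaintext and replays it on decrypt."""
    def post(url, token, body):
        if url.endswith(f"/encrypt/{KEY}"):
            ct = f"vault:v1:{len(store):08x}"  # placeholder, not real ciphertext
            store[ct] = body["plaintext"]
            return {"data": {"ciphertext": ct}}
        if url.endswith(f"/decrypt/{KEY}"):
            return {"data": {"plaintext": store[body["ciphertext"]]}}
        raise ValueError(f"unexpected endpoint: {url}")
    return post


def roundtrip(message: bytes, post=None) -> bytes:
    """Encrypt then decrypt; with no real Vault reachable, use the fake transport."""
    post = post or fake_vault({})
    return decrypt("s.<token>", encrypt("s.<token>", message, post), post)
```

Against a real server, pass your token and leave the default transport in place; the placeholder token string is only there for the offline run.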