LinuxCommandLibrary

vault

Securely access secrets and protect sensitive data

TLDR

Initialize a new Vault server and its encrypted data store
$ vault init

Unseal (unlock) the vault by providing one of the key shares needed to access the encrypted data store
$ vault unseal [key-share-x]

Authenticate the CLI client against the Vault server, using an authentication token
$ vault auth [authentication_token]

Store a new secret in the vault, using the generic back-end called "secret"
$ vault write secret/[hello] value=[world]

Read a value from the vault, using the generic back-end called "secret"
$ vault read secret/[hello]

Read a single field of the secret's value
$ vault read -field=[field_name] secret/[hello]

Seal (lock) the Vault server by removing the encryption key of the data store from memory
$ vault seal

SYNOPSIS

vault command [ options ] [ args ]

PARAMETERS

auth
    Authenticate with Vault.

kv
    Interact with the Key/Value secrets engine.

read
    Read a secret from Vault.

write
    Write a secret to Vault.

delete
    Delete a secret from Vault.

secrets
    Manage secret engines.

policy
    Manage Vault policies.

token
    Manage Vault tokens.

namespace
    Manage Vault namespaces.

-address
    Address of the Vault server.

-namespace
    Vault namespace to operate in. If not specified, the default namespace is used.

-token
    Vault token to use for authentication.

-ca-cert
    Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate.

DESCRIPTION

The `vault` command-line interface (CLI) is the primary tool for interacting with HashiCorp Vault, a secrets management tool. Vault provides a secure and centralized way to store and manage sensitive information like passwords, API keys, certificates, and encryption keys. The `vault` CLI allows users to authenticate, read secrets, write secrets, and manage Vault's configuration. It provides a consistent interface for various Vault operations, abstracting away the underlying API calls. Common uses include retrieving application secrets during deployment, storing database credentials securely, and managing SSH access. It offers a significant improvement over storing secrets in configuration files or environment variables because it provides encryption, access control, and audit logging. Think of it as a Swiss Army knife for handling anything sensitive in your infrastructure or application.

The `vault` CLI can be used to configure Vault's authentication methods, policies, and secret engines, as well as for troubleshooting and diagnosing issues. It offers commands for managing namespaces, tokens, and other core Vault resources.

CAVEATS

Requires a properly configured and running Vault server. Proper authentication configuration is crucial for secure operation. The TLDR examples use the pre-1.0 command names: in current releases `vault init` and `vault unseal` are found under `vault operator`, and `vault auth [token]` has become `vault login`.

AUTHENTICATION METHODS

Vault supports numerous authentication methods, including token-based, AppRole, LDAP, Kubernetes, AWS IAM, and more. Each method requires specific configuration within Vault and with the external system. The `vault auth enable` command is used to enable these methods.

SECRET ENGINES

Vault provides various secret engines, such as Key/Value (kv), database, AWS, and others. These engines allow Vault to generate and manage secrets for different types of systems. For example, the database secret engine can dynamically generate database credentials on demand. The `vault secrets enable` command is used to enable secret engines.

VAULT AGENT

The `vault agent` command can be used to run Vault Agent, a client application that handles authenticating to Vault and retrieving secrets on behalf of applications. It can also automatically renew tokens and secrets, reducing the operational burden of managing secrets.

VAULT UI

While `vault` is a command-line tool, Vault also provides a web UI for managing Vault. The UI is particularly helpful for exploring secrets, policies, and audit logs. However, the CLI provides more flexibility for automation and scripting.

HISTORY

The `vault` command was developed by HashiCorp as the primary interface for interacting with their Vault secrets management tool. Vault itself was first released in 2015 and has since become a widely adopted solution for secrets management in cloud and on-premises environments. The CLI has evolved alongside Vault, adding features to support new functionality and improve usability. It is designed for developers, operations teams, and security professionals.

SEE ALSO

ssh(1), gpg(1), openssl(1)