LinuxCommandLibrary

vault

Securely access secrets and protect sensitive data

TLDR

Connect to a Vault server and initialize a new encrypted data store
$ vault init

Unseal (unlock) the Vault server by providing one of the key shares needed to access the encrypted data store
$ vault unseal [key-share-x]

Authenticate the CLI client against the Vault server, using an authentication token
$ vault auth [authentication_token]

Store a new secret in the vault, using the generic back-end called "secret"
$ vault write secret/[hello] value=[world]

Read a value from the vault, using the generic back-end called "secret"
$ vault read secret/[hello]

Read a specific field from the value
$ vault read -field=[field_name] secret/[hello]

Seal (lock) the Vault server by removing the encryption key of the data store from memory
$ vault seal

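The TLDR steps above are thin wrappers around Vault's HTTP API, which is exactly what -output-curl-string prints. The Python below, an added example that is not from the Linux Command Library page or from Vault itself, reproduces that mapping for the unseal/seal/write/read steps and the -field extraction, using constructed invocations and sample responses only (the request builder, the env-injection parameter and the sample values are assumptions for illustration).

```python
"""Mirror on the wire what the vault CLI does (what -output-curl-string prints).
Added example, not from the page or from Vault; constructed inputs, nothing is sent unless send() runs."""
import json
import os
import urllib.request

DEFAULT_ADDR = "http://127.0.0.1:8200"

def cli_to_request(argv, addr=None, token=None, namespace=None, env=None):
    """Map a TLDR-style invocation to (method, url, headers, body); address/token/namespace
    fall back to VAULT_ADDR / VAULT_TOKEN / VAULT_NAMESPACE like the global options."""
    env = os.environ if env is None else env          # injectable so tests stay deterministic
    addr = (addr or env.get("VAULT_ADDR") or DEFAULT_ADDR).rstrip("/")
    token = token or env.get("VAULT_TOKEN")
    namespace = namespace or env.get("VAULT_NAMESPACE")
    cmd, args = argv[0], argv[1:]
    if cmd == "unseal":      # vault operator unseal SHARE -> PUT sys/unseal; a key share, no token needed
        method, path, body = "PUT", "sys/unseal", {"key": args[0]}
    elif cmd == "seal":      # vault operator seal -> PUT sys/seal; needs a token allowed on sys/seal
        method, path, body = "PUT", "sys/seal", None
    elif cmd == "write":     # vault write PATH k=v ... -> PUT /v1/PATH with the pairs as a JSON object
        method, path = "PUT", args[0]
        body = dict(a.split("=", 1) for a in args[1:])
    elif cmd == "read":      # vault read PATH -> GET /v1/PATH
        method, path, body = "GET", args[0], None
    else:
        raise ValueError("unsupported command: " + cmd)
    headers = {}
    if token:                # the CLI forwards the token whenever it has one
        headers["X-Vault-Token"] = token
    if namespace:            # Enterprise namespaces travel in their own header
        headers["X-Vault-Namespace"] = namespace
    return method, addr + "/v1/" + path.lstrip("/"), headers, body

def read_field(response, field):
    """Equivalent of `vault read -field=NAME`. KV v2 nests the payload one level deeper
    (data.data), so both layouts are accepted; a missing field raises, like the CLI's non-zero exit."""
    data = response.get("data") or {}
    if field not in data and isinstance(data.get("data"), dict):
        data = data["data"]
    if field not in data:
        raise KeyError("field %r not present in secret" % field)
    return data[field]

def send(method, url, headers, body):
    """Perform a built request against a live server (not exercised by the tests)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers))
    with urllib.request.urlopen(req) as resp:     # raises HTTPError on 4xx/5xx
        return json.loads(resp.read() or b"{}")
```

Since Vault 0.9.2 the operator steps are spelled `vault operator init`, `vault operator unseal` and `vault operator seal`, and `vault auth TOKEN` became `vault login TOKEN`; the API endpoints mirrored here are unchanged.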
SYNOPSIS

vault [global-options] command [command-specific-options] [arguments]

PARAMETERS

-address=address
    Specifies the address of the Vault server (e.g., 'http://127.0.0.1:8200'). Can also be set via the VAULT_ADDR environment variable.

-token=token
    Specifies the Vault authentication token to use. Can also be set via the VAULT_TOKEN environment variable.

-namespace=namespace
    Specifies the target namespace for the operation. Applicable in Vault Enterprise with Namespaces enabled. Can also be set via the VAULT_NAMESPACE environment variable.

-format=format
    Configures the output format for responses. Common formats include 'table' (default), 'json', and 'yaml'.

-no-color
    Disables colorized output in the terminal.

-output-curl-string
    Prints the equivalent curl command string that the vault command would execute against the Vault API, instead of executing the command.

-skip-verify
    Do not verify TLS certificates. This is insecure and should only be used for development or testing.

-help
    Shows help for the command or subcommand.

DESCRIPTION

The vault command-line interface (CLI) provides a unified way to interact with the HashiCorp Vault server. Vault is a powerful tool designed to securely store, manage, and access sensitive data such as API keys, passwords, certificates, and encryption keys.

It addresses the challenges of secrets management by offering a central, highly available, and auditable system. Vault can dynamically generate secrets on demand, reducing the attack surface by minimizing the lifetime of credentials. It supports various authentication methods and secret engines, allowing integration with diverse systems like databases, cloud providers (AWS, Azure, GCP), and container orchestrators (Kubernetes).

Through the CLI, users and automated systems can perform essential operations such as initializing and unsealing the Vault server, configuring authentication methods and secret engines, writing and reading secrets, managing policies, and revoking access. It's an indispensable tool in modern DevOps and security workflows.

CAVEATS

The vault command is the command-line client for HashiCorp Vault, not a built-in Linux utility; it must be installed separately. It requires a running Vault server instance to function properly, either locally or remotely. Many operations require prior authentication and appropriate policies (permissions) to be granted. Incorrect configuration or use of options like -skip-verify can compromise security.

KEY CONCEPTS

Understanding Vault involves several core concepts:
Secrets Engines: Interfaces that Vault uses to store, generate, or encrypt data. Examples include 'kv' (key-value store), 'pki' (PKI certificate generation), 'aws' (dynamic AWS credentials), and 'database' (dynamic database credentials).
Auth Methods: Ways for users or machines to authenticate with Vault. Common methods are 'token', 'userpass', 'ldap', 'github', 'kubernetes', and 'AWS IAM'.
Policies: JSON-based documents that define permissions (what a user or machine can do) within Vault.
Initialization & Unsealing: For security, Vault starts in a 'sealed' state. It must be initialized once (creating initial keys) and then unsealed on every startup (providing enough master keys to decrypt its data).

ENVIRONMENT VARIABLES

The vault CLI client supports several environment variables that can simplify its use and avoid repetitive typing of global options:
VAULT_ADDR: Sets the default Vault server address.
VAULT_TOKEN: Provides the default authentication token.
VAULT_NAMESPACE: Specifies the default target namespace.
VAULT_SKIP_VERIFY: Equivalent to -skip-verify for TLS.
VAULT_FORMAT: Sets the default output format.

HISTORY

HashiCorp Vault was first publicly released in 2015 by HashiCorp, a company known for infrastructure automation tools. It was developed to address the critical need for a centralized, secure system to manage secrets in dynamic, distributed environments, a problem exacerbated by the rise of cloud computing and microservices architectures. Since its inception, Vault has seen continuous development, adding numerous secret engines, authentication methods, and enterprise features, establishing itself as a leading solution for secrets management and identity-based security.

SEE ALSO

curl(1), jq(1), openssl(1), systemctl(1), docker(1)
