vault

Connect to a Vault server and initialize a new encrypted data store

$ vault init

$ vault unseal [key-share-x]

$ vault auth [authentication_token]

$ vault write secret/[hello] value=[world]

$ vault read secret/[hello]

$ vault read -field=[field_name] secret/[hello]

$ vault seal

vault command [ options ] [ args ]

auth
    Authenticate with Vault.

kv
    Interact with the Key/Value secrets engine.

read
    Read a secret from Vault.

write
    Write a secret to Vault.

delete
    Delete a secret from Vault.

secrets
    Manage secret engines.

policy
    Manage Vault policies.

token
    Manage Vault tokens.

namespace
    Manage Vault namespaces.

-address
    Address of the Vault server.

-namespace
    Vault namespace to operate in. If not specified, the default namespace is used.

-token
    Vault token to use for authentication.

-ca-cert
    Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate.

The `vault` command-line interface (CLI) is the primary tool for interacting with HashiCorp Vault, a secrets management tool. Vault provides a secure and centralized way to store and manage sensitive information like passwords, API keys, certificates, and encryption keys. The `vault` CLI allows users to authenticate, read secrets, write secrets, and manage Vault's configuration. It provides a consistent interface for various Vault operations, abstracting away the underlying API calls. Common uses include retrieving application secrets during deployment, storing database credentials securely, and managing SSH access. It offers a significant improvement over storing secrets in configuration files or environment variables because it provides encryption, access control, and audit logging. Think of it as a Swiss Army knife for handling anything sensitive in your infrastructure or application.

The `vault` CLI can be used to configure Vault's authentication methods, policies, and secret engines, as well as for troubleshooting and diagnosing issues. It offers commands for managing namespaces, tokens, and other core Vault resources.

Requires a properly configured and running Vault server. Proper authentication configuration is crucial for secure operation.

Vault supports numerous authentication methods, including token-based, AppRole, LDAP, Kubernetes, AWS IAM, and more. Each method requires specific configuration within Vault and with the external system. The `vault auth enable` command is used to enable these methods.

Vault provides various secret engines, such as Key/Value (kv), database, AWS, and others. These engines allow Vault to generate and manage secrets for different types of systems. For example, the database secret engine can dynamically generate database credentials on demand. The `vault secrets enable` command is used to enable secret engines.

The `vault agent` command can be used to run Vault Agent, a client application that handles authentication with Vault and retrieving secrets for applications. It can also automatically renew tokens and secrets, reducing the operational burden of managing secrets.

While `vault` is a command-line tool, Vault also provides a web UI for managing Vault. The UI is particularly helpful for exploring secrets, policies, and audit logs. However, the CLI provides more flexibility for automation and scripting.

The `vault` command was developed by HashiCorp as the primary interface for interacting with their Vault secrets management tool. Vault itself was first released in 2015 and has since become a widely adopted solution for secrets management in cloud and on-premise environments. The CLI has evolved alongside Vault, adding features to support new functionalities and improve usability. It is designed for developers, operations teams, and security professionals.

ssh(1), gpg(1), openssl(1)