Anjuna Vault Unseal Configuration

NAME

anjuna-create-unseal-config: Create an encrypted configuration file to securely unseal a Vault server

SYNOPSIS

$ anjuna-create-unseal-config [OPTIONS]...

DESCRIPTION

The Anjuna Vault Unseal Configuration utility creates an encrypted configuration file that stores the Vault unseal tokens and server certificate.

The utility can work in interactive mode or command line mode. When parameters are not provided on the command line, the user will be prompted for the information.

Once the encrypted configuration file has been created, it is not possible to inspect or edit its content. If the configuration file needs to change in any way, it should be recreated.

The Anjuna Vault Unseal Configuration utility creates the configuration file in the current directory, and will overwrite any existing configuration.

OPTIONS

--help               : Display this information and exit
--endpoint           : Specify the Vault server address
--cacert             : Specify the path for the Vault server CA-CERT
--unseal-key         : One of the unseal keys to unseal Vault. This parameter
                       can be used multiple times when there is more than
                       one unseal key

EXIT STATUS

Returns:

  • 0 on success
  • 1 if any of the parameters are invalid

EXAMPLE

In interactive mode, the utility will prompt the user for the required information:

$ anjuna-create-unseal-config

which will produce an interactive session like this:

$ anjuna-create-unseal-config
Anjuna Vault Unseal Configuration
-----
[Vault URL]       : https://vault.anjuna.test:8200
[Vault CA-CERT]   : /etc/vault/cacert.pem
[Unseal Key #1]   : qxxczFlqtGRHdPtK2MaJKUR2wSvPkiTX4p0BfnZnfmPG
[Unseal Key #2]   : hEOpCKJc5jqpIssMhTVx5xNWSGB6BQdbaPVm3nyYg3AP
[Unseal Key #3]   : Qk1xt0SW4pey8Q3yw5NFfuhiR8ZDehX5d1Zwm3HPO4IL
[Unseal Key #4]   :
Using Vault endpoint: https://vault.anjuna.test:8200
Using Vault CA-CERT: /etc/vault/cacert.pem
Using Unseal Keys:
- qxxczFlqtGRHdPtK2MaJKUR2wSvPkiTX4p0BfnZnfmPG
- hEOpCKJc5jqpIssMhTVx5xNWSGB6BQdbaPVm3nyYg3AP
- Qk1xt0SW4pey8Q3yw5NFfuhiR8ZDehX5d1Zwm3HPO4IL
Generating unseal-config.yml in current directory
Encrypting unseal-config.yml
Sealed unseal-config.yml to unseal-config.yml.sealed
Deleting unseal-config.yml
Success: unseal-config.yml.sealed generated => the Vault unseal configuration was created and encrypted

In command line mode, the parameters can be passed as arguments:

$ anjuna-create-unseal-config --endpoint https://vault.anjuna.test:8200 \
  --cacert /etc/vault/cacert.pem \
  --unseal-key qxxczFlqtGRHdPtK2MaJKUR2wSvPkiTX4p0BfnZnfmPG \
  --unseal-key hEOpCKJc5jqpIssMhTVx5xNWSGB6BQdbaPVm3nyYg3AP \
  --unseal-key Qk1xt0SW4pey8Q3yw5NFfuhiR8ZDehX5d1Zwm3HPO4IL

which produces similar output:

Using Vault endpoint: https://vault.anjuna.test:8200
Using Vault CA-CERT: /etc/vault/cacert.pem
Using Unseal Keys:
- qxxczFlqtGRHdPtK2MaJKUR2wSvPkiTX4p0BfnZnfmPG
- hEOpCKJc5jqpIssMhTVx5xNWSGB6BQdbaPVm3nyYg3AP
- Qk1xt0SW4pey8Q3yw5NFfuhiR8ZDehX5d1Zwm3HPO4IL
Generating unseal-config.yml in current directory
Encrypting unseal-config.yml
Sealed unseal-config.yml to unseal-config.yml.sealed
Deleting unseal-config.yml
Success: unseal-config.yml.sealed generated => the Vault unseal configuration was created and encrypted
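
A guarded wrapper around the command line mode shown above, as an added example that is not part of the original page or of Anjuna's tooling: it keeps an existing unseal-config.yml.sealed until the new one is verified, checks the documented exit status, and confirms that no plaintext unseal-config.yml remains. The function name create_unseal_config, the UNSEAL_TOOL variable and the one-key-per-line key file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Anjuna's code. Hypothetical names: create_unseal_config,
# UNSEAL_TOOL, and the one-key-per-line key file format.
UNSEAL_TOOL="${UNSEAL_TOOL:-anjuna-create-unseal-config}"

# usage: create_unseal_config ENDPOINT CACERT KEYFILE
# Returns 0 on success, 1 if the utility failed, 2 if a precondition fails.
create_unseal_config() {
    endpoint=$1 cacert=$2 keyfile=$3
    sealed=unseal-config.yml.sealed
    plain=unseal-config.yml

    [ -r "$cacert" ]  || { echo "CA cert not readable: $cacert" >&2; return 2; }
    [ -r "$keyfile" ] || { echo "key file not readable: $keyfile" >&2; return 2; }

    # The utility overwrites any existing configuration in the current
    # directory, so keep the old sealed file until the new one is verified.
    backup=
    if [ -e "$sealed" ]; then
        backup="$sealed.bak.$$"
        cp -p "$sealed" "$backup" || return 2
    fi

    # One --unseal-key argument per non-empty line of the key file. The keys
    # are still passed as arguments, as in the page's command line mode.
    set -- --endpoint "$endpoint" --cacert "$cacert"
    while IFS= read -r key || [ -n "$key" ]; do
        if [ -n "$key" ]; then set -- "$@" --unseal-key "$key"; fi
    done < "$keyfile"
    unset key

    # umask 077 keeps the short-lived plaintext unseal-config.yml owner-only.
    status=0
    ( umask 077; "$UNSEAL_TOOL" "$@" ) || status=$?

    # Success means exit status 0, a non-empty sealed file, and no plaintext.
    if [ "$status" -eq 0 ] && [ -s "$sealed" ] && [ ! -e "$plain" ]; then
        if [ -n "$backup" ]; then rm -f "$backup"; fi
        return 0
    fi
    rm -f "$plain"    # do not leave plaintext unseal keys behind
    if [ -n "$backup" ]; then mv -f "$backup" "$sealed"; fi
    echo "unseal config not created (exit status $status)" >&2
    return 1
}
```

Run it from the directory where unseal-config.yml.sealed should be written, for example: create_unseal_config https://vault.anjuna.test:8200 /etc/vault/cacert.pem ./unseal-keys.txt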