This tool is a demonstration of my blog post. It fetches the encrypted Vault recovery key from the storage backend (filesystem and Consul are supported at the moment) and decrypts it with AWS KMS.
- Fetches the encrypted recovery key from the local filesystem or Consul
- Decrypts the recovery key with AWS KMS
- Allows specifying the key shares and threshold used to split the recovery key (defaults to the recovery config stored in the backend)
```
hashicorp-vault-utils --aws-profile dev --backend file --file-path /data/vault
```

```
NAME:
   hashicorp-vault-utils - Misc for fun

USAGE:
   hashicorp-vault-utils [global options] command [command options] [arguments...]

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --recovery-shares value         Number of key shares to split the recovery key into (default: Automatically fetch from saved recovery config)
   --recovery-threshold value      Number of key shares required to reconstruct the recovery key (default: Automatically fetch from saved recovery config)
   --backend value                 storage backend name (file/consul) (default: file)
   --consul-address value          Specifies the address of the Consul agent to communicate with. (default: http://127.0.0.1:8500)
   --consul-path value             Specifies the path in Consul's key-value store where Vault data will be stored (Default: 'vault/') (default: vault/)
   --file-path value               The absolute path on disk to the directory where the data will be stored
   --aws-access-key-id value       AWS Access Key ID
   --aws-secret-access-key value   AWS Secret Access Key
   --aws-session-token value       AWS Session Token
   --aws-region value              AWS Region (default: "eu-west-1")
   --aws-profile value             AWS Profile name
   --help, -h                      show help (default: false)
```