Skip to content
/ vault-unsealer Public

Automatically unseals configured Vault instances using a push mechanism.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

soerenschneider/vault-unsealer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

125 Commits

.github

.github

 
 

cmd

cmd

 
 

contrib

contrib

 
 

docs

docs

 
 

internal

internal

 
 

pkg/vault

pkg/vault

 
 

.gitignore

.gitignore

 
 

.golangci.yaml

.golangci.yaml

 
 

.pre-commit-config.yaml

.pre-commit-config.yaml

 
 

CHANGELOG.md

CHANGELOG.md

 
 

Dockerfile

Dockerfile

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

vault-unsealer

Go Report Card test-workflow release-workflow golangci-lint-workflow

Automatically unseals configured Vault instances using a push mechanism.

Key Features

🔐 Retrieve Vault's unseal key from Vault's KV2 or transit secret engine
🛂 Authenticate against Vault using AppRole, (explicit) token or implicit auth
🔭 Robust automation through observability

FAQ

Q: Why would I need auto-unsealing?
A: I'm trying to push OS-, container image- and Vault-updates itself rather aggressively, therefore I'm not patching any machines manually, but automatically (see conditional-reboot). Hence, I need a mechanism that unseals preconfigured Vault instances automatically without human intervention.

Q: Ok, but why not using auto-unsealing using AWS KMS / Azure Key Vault / GCP KMS?
A: If your Vault clusters / instances do not run one of the specified cloud providers (like mine), you'll have to issue and deal with access keys to said platforms: distribute them secretly, keep them safe and rotate them frequently. Vault-unsealer reads the unseal key from Vault itself (make sure it's well protected!) as I've written enough tooling that helps me keep my Vault credentials safe and rotate them both frequently and automatically (e.g. vault-approle-cli or vault-mfa).

Q: Why not using auto-unsealing using Vault Transit?
A: I did not want to manage another cluster / production instances of Hashicorp Vault even though I built some tooling around it that keeps maintenance low.

Q: Do only three real question justify an own FAQ section?
A: Probably not, but here we are.

Installation

Docker / Podman

$ git clone https://github.com/soerenschneider/vault-unsealer.git
$ cd vault-unsealer
$ docker run -v $(pwd)/contrib:/config ghcr.io/soerenschneider/vault-unsealer:main -conf /config/example-config.json

Binaries

Download prebuilt binaries from the releases section for your system. Use the example systemd service file to run it at boot.

From Source

As a prerequisite, you need to have Golang SDK installed. Then you can install vault-unsealer from source by invoking:

$ go install github.com/soerenschneider/vault-unsealer@latest

Configuration

An example configuration can be found here. Note that this example is oversimplified and not secure. Head over to the configuration section to see more details.

Observability

Check here

How does it work?

unsealer

CHANGELOG

The changelog can be found here

About

Automatically unseals configured Vault instances using a push mechanism.

Topics

automation vault hashicorp-vault unseals-vault-servers unseal unsealer

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 3

v1.1.1 Latest
Mar 21, 2024
+ 2 releases

Packages 1

 

Contributors 3

  •  
  •  
  •  

Languages