# Vault Hierarchical Initializer

A Rust-based utility for initializing and unsealing HashiCorp Vault in non-dev (production) mode.

## Overview

This project provides a Docker-based solution for:

1. Running a HashiCorp Vault server in non-dev (production) mode
2. Automatically initializing the Vault instance
3. Unsealing the Vault after initialization
4. Storing unseal keys and root token securely

## Prerequisites

- Docker and Docker Compose installed on your system
- Rust (if you want to build the project locally)

## Configuration

In production mode, Vault:
- Starts sealed and requires a threshold of unseal keys to unseal
- Stores data persistently in mounted volumes
- Requires explicit initialization
- Needs manual unsealing after restarts

The implementation uses:
- 5 key shares with a threshold of 3 keys needed for unsealing
- Persistent volume storage for Vault data

## Usage

### Starting Vault with Docker Compose

```bash
docker-compose up -d
```

This will:
1. Start a Vault server in production mode
2. Run the vault-hier utility to initialize Vault if needed
3. Automatically unseal Vault using the threshold number of keys
4. Save the unseal keys and root token to `vault-credentials.txt` in the mounted volume

### Getting Vault Credentials

After initialization, you can find the unseal keys and root token in:

```
./vault-credentials.txt
```

Keep these credentials safe! They provide full access to your Vault instance.

### Restarting a Sealed Vault

If your Vault instance restarts, it will start in a sealed state. To unseal it automatically:

```bash
# Set the unseal keys as environment variables
export VAULT_UNSEAL_KEY_1="your-first-key"
export VAULT_UNSEAL_KEY_2="your-second-key"
export VAULT_UNSEAL_KEY_3="your-third-key"

# Restart the vault-init container to trigger unsealing
docker-compose restart vault-init
```
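As an added illustration of the init-and-unseal flow above (the `docker-compose up` steps and the `VAULT_UNSEAL_KEY_n` restart procedure), not code from this project: a std-only Rust model in which `SimulatedVault` stands in for Vault's `sys/init` and `sys/unseal` HTTP endpoints. `unseal_keys_from`, `auto_unseal` and the simulated seal's behaviour are assumptions for illustration, not the project's own API.

```rust
// Added example, not the project's own code: a std-only model of the Vault
// unseal protocol that vault-hier drives (POST /v1/sys/init, then repeated
// POST /v1/sys/unseal), with the HTTP calls replaced by a simulated seal.
use std::collections::HashSet;

pub const SECRET_SHARES: usize = 5;    // key shares generated at init
pub const SECRET_THRESHOLD: usize = 3; // shares needed to unseal

/// JSON body sent to /v1/sys/init (what the project's `init_req` carries).
pub fn init_request_body(shares: usize, threshold: usize) -> String {
    format!("{{\"secret_shares\":{},\"secret_threshold\":{}}}", shares, threshold)
}

/// Fields of a sys/unseal response that an unsealer needs to look at.
#[derive(Debug, PartialEq)]
pub struct SealStatus { pub sealed: bool, pub progress: usize, pub t: usize }

/// Simulated seal (assumption): holds the valid shares and those submitted so far.
pub struct SimulatedVault { valid: HashSet<String>, submitted: HashSet<String>, threshold: usize, sealed: bool }

impl SimulatedVault {
    pub fn new(shares: &[&str], threshold: usize) -> Self {
        SimulatedVault { valid: shares.iter().map(|s| s.to_string()).collect(),
                         submitted: HashSet::new(), threshold, sealed: true }
    }
    fn status(&self) -> SealStatus {
        SealStatus { sealed: self.sealed, progress: self.submitted.len(), t: self.threshold }
    }
    /// One unseal call. A repeated share does not advance progress; a wrong
    /// share is only detected once the threshold is reached, when reconstruction
    /// fails and progress resets (modelled after Vault's behaviour).
    pub fn unseal(&mut self, key: &str) -> Result<SealStatus, String> {
        if self.sealed { self.submitted.insert(key.to_string()); }
        if self.sealed && self.submitted.len() >= self.threshold {
            let all_valid = self.submitted.iter().all(|k| self.valid.contains(k));
            self.submitted.clear();
            if !all_valid { return Err("failed to reconstruct root key".into()); }
            self.sealed = false;
        }
        Ok(self.status())
    }
}

/// Collect VAULT_UNSEAL_KEY_1, VAULT_UNSEAL_KEY_2, ... in order, stopping at the first gap.
pub fn unseal_keys_from(lookup: impl Fn(&str) -> Option<String>) -> Vec<String> {
    (1..=SECRET_SHARES).map(|i| lookup(&format!("VAULT_UNSEAL_KEY_{i}")))
        .take_while(Option::is_some).flatten().collect()
}

/// Submit keys until Vault reports unsealed; Err if the keys run out first.
pub fn auto_unseal(vault: &mut SimulatedVault, keys: &[String]) -> Result<usize, String> {
    for (i, key) in keys.iter().enumerate() {
        if !vault.unseal(key)?.sealed { return Ok(i + 1); }
    }
    Err(format!("still sealed after {} key(s); threshold is {}", keys.len(), vault.threshold))
}
```

In the real utility the lookup is `std::env::var`, and a failed reconstruction should be logged and the container left sealed rather than retried with the same keys.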

## Development

### Building the Project Locally

```bash
cargo build --release
```

### Running Tests

```bash
cargo test
```

### Custom Configuration

To modify the key sharing threshold:
1. Edit the `init_req` struct in `src/main.rs`
2. Rebuild the Docker image

## Security Considerations

- In a production environment, never store unseal keys on the same machine as Vault
- The key shares Vault hands out at init are already Shamir's Secret Sharing shares; distribute them to separate custodians rather than keeping them together, or consider an external key management solution (auto-unseal) so no operator holds the shares
- Rotate root tokens regularly and use appropriate authentication methods