Harald Hoyer a3fa6c2e8d Improve test script portability
- Replace #!/bin/bash with #!/usr/bin/env bash for better portability
- This helps ensure scripts run correctly on different systems where bash
  might be located in different paths

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-03-20 13:19:17 +01:00
src Implement JSON credential storage 2025-03-20 13:16:39 +01:00
.gitignore Implement JSON credential storage 2025-03-20 13:16:39 +01:00
Cargo.toml Initial commit: Vault Hierarchical Initializer 2025-03-20 12:49:44 +01:00
docker-compose.yml Initial commit: Vault Hierarchical Initializer 2025-03-20 12:49:44 +01:00
Dockerfile Initial commit: Vault Hierarchical Initializer 2025-03-20 12:49:44 +01:00
flake.lock Initial commit: Vault Hierarchical Initializer 2025-03-20 12:49:44 +01:00
flake.nix Initial commit: Vault Hierarchical Initializer 2025-03-20 12:49:44 +01:00
README.md Initial commit: Vault Hierarchical Initializer 2025-03-20 12:49:44 +01:00
test_docker.sh Improve test script portability 2025-03-20 13:19:17 +01:00
test_local.sh Improve test script portability 2025-03-20 13:19:17 +01:00

Vault Hierarchical Initializer

A Rust-based utility for initializing and unsealing HashiCorp Vault in non-dev (production) mode.

Overview

This project provides a Docker-based solution for:

  1. Running a HashiCorp Vault server in non-dev (production) mode
  2. Automatically initializing the Vault instance
  3. Unsealing the Vault after initialization
  4. Writing the unseal keys and root token to a credentials file on a mounted volume (see Security Considerations below for why that is only a starting point)

Prerequisites

  • Docker and Docker Compose installed on your system
  • Rust (if you want to build the project locally)

Configuration

In production mode, Vault:

  • Starts sealed and requires a threshold of unseal key shares before it can serve any secret
  • Stores data persistently in its configured storage backend (here a mounted volume)
  • Requires explicit initialization exactly once; the init response is the only time the key shares and root token are returned
  • Needs unsealing again after every restart, unless an auto-unseal seal (cloud KMS, Transit) is configured

The implementation uses:

  • 5 Shamir key shares, any 3 of which are needed to unseal (a 3-of-5 split, fixed at init time)
  • Persistent volume storage for Vault data

Usage

Starting Vault with Docker Compose

docker-compose up -d

This will:

  1. Start a Vault server in production mode
  2. Run the vault-hier utility to initialize Vault if needed
  3. Automatically unseal Vault using the threshold number of keys
  4. Save the unseal keys and root token to vault-credentials.txt in the mounted volume
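The four steps above collapse into one idempotent routine: initialize only if Vault reports it is not initialized, then submit exactly the threshold number of shares until Vault reports sealed=false. The following is an added example and not vault-hier's own code: the flow is written against a small trait so it runs offline against a mock; the `VaultApi` trait, `MockVault` and `VaultError` are assumptions, while the `InitRequest`/`InitResponse` field names mirror the `secret_shares`, `secret_threshold`, `keys` and `root_token` fields of Vault's `/v1/sys/init` API.

```rust
// Added example, not vault-hier's own code. VaultApi, MockVault and VaultError
// are assumptions; a real client maps them onto Vault's /v1/sys/init,
// /v1/sys/seal-status and /v1/sys/unseal endpoints.

#[derive(Debug, Clone, PartialEq)]
pub struct InitRequest { pub secret_shares: u32, pub secret_threshold: u32 }

#[derive(Debug, Clone, PartialEq)]
pub struct InitResponse { pub keys: Vec<String>, pub root_token: String }

#[derive(Debug, PartialEq)]
pub enum VaultError {
    BadConfig(&'static str),
    NotEnoughKeys { have: usize, need: u32 },
    Api(&'static str),
}

impl InitRequest {
    /// Vault rejects a threshold larger than the share count (and zero values).
    pub fn validate(&self) -> Result<(), VaultError> {
        if self.secret_shares == 0 || self.secret_threshold == 0 {
            return Err(VaultError::BadConfig("shares and threshold must be at least 1"));
        }
        if self.secret_threshold > self.secret_shares {
            return Err(VaultError::BadConfig("threshold cannot exceed shares"));
        }
        Ok(())
    }
}

/// Assumed abstraction over the Vault HTTP API.
pub trait VaultApi {
    fn initialized(&self) -> Result<bool, VaultError>;
    fn sealed(&self) -> Result<bool, VaultError>;
    fn init(&mut self, req: &InitRequest) -> Result<InitResponse, VaultError>;
    /// Submit one share; returns Vault's reported `sealed` flag afterwards.
    fn unseal(&mut self, key: &str) -> Result<bool, VaultError>;
}

/// Idempotent bring-up. Returns fresh credentials only when this call performed
/// the initialization (the one moment they must be persisted); on later runs
/// the caller supplies the stored shares instead.
pub fn ensure_unsealed<A: VaultApi>(
    api: &mut A,
    req: &InitRequest,
    stored_keys: &[String],
) -> Result<Option<InitResponse>, VaultError> {
    req.validate()?;
    let mut fresh = None;
    let keys: Vec<String> = if api.initialized()? {
        stored_keys.to_vec()
    } else {
        let resp = api.init(req)?;
        let keys = resp.keys.clone();
        fresh = Some(resp);
        keys
    };
    if !api.sealed()? {
        return Ok(fresh);
    }
    let need = req.secret_threshold;
    if keys.len() < need as usize {
        return Err(VaultError::NotEnoughKeys { have: keys.len(), need });
    }
    // Submit at most `need` shares and stop as soon as Vault reports sealed=false,
    // so no share beyond the threshold is ever sent (or logged) unnecessarily.
    for key in keys.iter().take(need as usize) {
        if !api.unseal(key)? {
            return Ok(fresh);
        }
    }
    Err(VaultError::Api("still sealed after submitting threshold shares"))
}

/// Constructed mock: issues shares "share-1".."share-N" at init and unseals once
/// `threshold` distinct valid shares have been submitted.
pub struct MockVault {
    pub sealed: bool,
    pub unseal_calls: u32,
    initialized: bool,
    issued: Vec<String>,
    threshold: u32,
    seen: Vec<String>,
}

impl MockVault {
    pub fn uninitialized() -> Self {
        MockVault { sealed: true, unseal_calls: 0, initialized: false, issued: vec![], threshold: 0, seen: vec![] }
    }
    pub fn sealed_with(issued: Vec<String>, threshold: u32) -> Self {
        MockVault { sealed: true, unseal_calls: 0, initialized: true, issued, threshold, seen: vec![] }
    }
}

impl VaultApi for MockVault {
    fn initialized(&self) -> Result<bool, VaultError> { Ok(self.initialized) }
    fn sealed(&self) -> Result<bool, VaultError> { Ok(self.sealed) }
    fn init(&mut self, req: &InitRequest) -> Result<InitResponse, VaultError> {
        if self.initialized { return Err(VaultError::Api("already initialized")); }
        self.issued = (1..=req.secret_shares).map(|i| format!("share-{}", i)).collect();
        self.threshold = req.secret_threshold;
        self.initialized = true;
        Ok(InitResponse { keys: self.issued.clone(), root_token: "hvs.constructed-root".to_string() })
    }
    fn unseal(&mut self, key: &str) -> Result<bool, VaultError> {
        self.unseal_calls += 1;
        if !self.issued.iter().any(|k| k == key) { return Err(VaultError::Api("invalid unseal key")); }
        if !self.seen.iter().any(|k| k == key) { self.seen.push(key.to_string()); }
        if self.seen.len() as u32 >= self.threshold { self.sealed = false; }
        Ok(self.sealed)
    }
}

fn main() {
    let req = InitRequest { secret_shares: 5, secret_threshold: 3 };
    let mut vault = MockVault::uninitialized();
    let creds = ensure_unsealed(&mut vault, &req, &[]).expect("bring-up failed");
    println!("fresh creds: {}, sealed: {}, unseal calls: {}", creds.is_some(), vault.sealed, vault.unseal_calls);
}
```

Two properties are worth keeping when porting this onto a real HTTP client: the share count is checked before the first `unseal` call, so a container started with too few keys fails fast instead of leaving Vault in a half-unsealed state with partial progress, and `init` is only ever called after `initialized()` returned false, so a restart never tries to re-initialize a populated storage backend.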

Getting Vault Credentials

After initialization, you can find the unseal keys and root token in:

./vault-credentials.txt

Keep these credentials safe: any 3 of the 5 shares unseal the instance, and the root token bypasses every policy. Restrict the file to the operator account that needs it (mode 0600), move the shares off the Vault host as soon as possible, and treat the root token as a bootstrap credential only: use it to configure auth methods and policies, then revoke it (`vault token revoke <root-token>`).
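Writing the credentials file is the one step where the secrets touch disk, so the file should never exist with wider permissions than it finally has. The following is an added example, not vault-hier's own code: the helper names and the simple `key=value` layout are assumptions (the project's actual file format is not shown on this page); the technique is the same whatever the format.

```rust
// Added example, not vault-hier's own code. The line-oriented layout and the
// helper names are assumptions; the point is the 0600-at-creation write and the
// atomic rename. Unix-only because of the permission APIs.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Write `keys` and `root_token` to `path` with mode 0600. The mode is applied
/// when the file is created (umask can only clear bits, never widen it), so there
/// is no window in which a world-readable file holds the secrets; the final
/// rename replaces any previous file atomically.
pub fn write_credentials(path: &Path, keys: &[String], root_token: &str) -> io::Result<()> {
    let tmp = path.with_extension("tmp");
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_EXCL: fail instead of following a pre-planted file or symlink
        .mode(0o600)
        .open(&tmp)?;
    writeln!(file, "root_token={}", root_token)?;
    for (i, key) in keys.iter().enumerate() {
        writeln!(file, "unseal_key_{}={}", i + 1, key)?;
    }
    file.sync_all()?;
    fs::rename(&tmp, path)
}

/// True when nobody but the owner can read or write `path`.
pub fn is_owner_only(path: &Path) -> io::Result<bool> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    Ok(mode == 0o600)
}

/// Parse the file back, returning (root_token, unseal keys) in stored order.
pub fn read_credentials(path: &Path) -> io::Result<(String, Vec<String>)> {
    let text = fs::read_to_string(path)?;
    let mut token = String::new();
    let mut keys = Vec::new();
    for line in text.lines() {
        match line.split_once('=') {
            Some(("root_token", v)) => token = v.to_string(),
            Some((k, v)) if k.starts_with("unseal_key_") => keys.push(v.to_string()),
            _ => {}
        }
    }
    Ok((token, keys))
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join(format!("vault-credentials-{}.txt", std::process::id()));
    // Constructed sample shares; a real run would use the /v1/sys/init response.
    let keys: Vec<String> = (1..=5).map(|i| format!("share-{}", i)).collect();
    write_credentials(&path, &keys, "hvs.constructed-root")?;
    println!("{} owner-only: {}", path.display(), is_owner_only(&path)?);
    fs::remove_file(&path)
}
```

`create_new` deliberately fails if a stale `.tmp` is left over from an interrupted run; inspect and remove it by hand rather than letting the tool silently overwrite whatever is there. The permission bits only protect against other local users: root on the host, and anything that can read the mounted volume, still sees the shares, which is why the Security Considerations section asks for them to leave the machine.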

Restarting a Sealed Vault

If your Vault instance restarts, it comes back sealed and serves nothing until a threshold (3) of the 5 shares has been submitted again. To have the vault-init container do that for you:

# Set the unseal keys as environment variables
export VAULT_UNSEAL_KEY_1="your-first-key"
export VAULT_UNSEAL_KEY_2="your-second-key"
export VAULT_UNSEAL_KEY_3="your-third-key"

# Restart the vault-init container to trigger unsealing
docker-compose restart vault-init

Two caveats. Exported shell variables reach the container only if docker-compose.yml passes them through (an `environment:` entry such as `VAULT_UNSEAL_KEY_1=${VAULT_UNSEAL_KEY_1}`), and `docker-compose restart` reuses the environment the container was created with; if the variables were not set at creation time, recreate the container instead with `docker-compose up -d --force-recreate vault-init`. Shares placed in a container's environment are also readable by anyone who can run `docker inspect` or read /proc/<pid>/environ on the host, so unset them from your shell afterwards and keep them out of shell history.

Development

Building the Project Locally

cargo build --release

Running Tests

cargo test

Custom Configuration

To modify the key sharing split (shares and threshold):

  1. Edit the init_req struct in src/main.rs, keeping the threshold at or below the share count
  2. Rebuild the Docker image

The split is fixed when Vault is initialized; a changed value only takes effect on a fresh initialization. For an existing instance, change the split with `vault operator rekey`, which itself requires a threshold of the current shares.

Security Considerations

  • In a production environment, never leave unseal key shares on the same host as Vault. The default docker-compose flow writes them next to the Vault data volume, which is acceptable only for testing; hand each share to a different key holder and delete the combined file.
  • The 3-of-5 split is already Shamir's Secret Sharing (it is how Vault protects its root key), so a separate "Shamir solution" adds nothing. To stop handling shares at all, configure auto-unseal with a cloud KMS or a Vault Transit seal; if you keep Shamir, pass `pgp_keys` at init time so each share is returned encrypted to its holder's public key and never exists in the clear on disk.
  • The initial root token bypasses all policies. Use it only to bootstrap auth methods and policies, then revoke it with `vault token revoke`; if a root token is needed later, generate one with `vault operator generate-root`, which again requires a threshold of unseal shares, and revoke it when done.