Vault commands accompanying the forum post https://discuss.hashicorp.com/t/approle-policies-for-transit-secret-engine-datakey-concept/11892
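# Walk through Vault's transit "datakey" concept twice: first with the admin
# token the vault CLI already holds (VAULT_TOKEN or ~/.vault-token), then over
# the HTTP API with an AppRole-issued token, which is the call path the AppRole
# policy under discussion has to permit.
#
# Required env: VAULT_TOKEN_APPROLE - token returned by the AppRole login.
# Optional env: VAULT_ADDR          - address used for the cURL calls; defaults
#                                     to the dev-server address. The vault CLI
#                                     reads VAULT_ADDR on its own, so both must
#                                     point at the same server.
# Side effects: enables the transit engine, creates transit/keys/master-key,
#               and writes the decrypt request body to ./key.json.
#
# Every response printed below contains the *plaintext* datakey, so this is a
# dev-server walkthrough; do not paste its output anywhere persistent.
set -uo pipefail   # no -e: 'secrets enable' is not idempotent and fails on re-runs

: "${VAULT_TOKEN_APPROLE:?set VAULT_TOKEN_APPROLE to the token returned by the AppRole login}"
vault_addr=${VAULT_ADDR:-http://127.0.0.1:8200}

vault secrets enable transit
echo "Create a named encryption key"
vault write -force transit/keys/master-key

echo "Read the corresponding 'datakey' (with Admin token)"
RESPONSE_DATA_KEY=$(vault write -force transit/datakey/plaintext/master-key) || exit 1
printf 'RESPONSE_DATA_KEY: %s\n' "$RESPONSE_DATA_KEY"
# The CLI prints a key/value table; select the 'ciphertext' row rather than
# assuming a fixed-length token. The old '\S{80}' regex only matched the
# default aes256-gcm96 output and needed GNU grep -P (absent on macOS/BSD).
VAULT_DATAKEY_CIPHERTEXT=$(awk '$1 == "ciphertext" { print $2; exit }' <<<"$RESPONSE_DATA_KEY")
[[ -n "$VAULT_DATAKEY_CIPHERTEXT" ]] || { echo "no ciphertext in datakey response" >&2; exit 1; }
printf 'VAULT_DATAKEY_CIPHERTEXT: %s\n' "$VAULT_DATAKEY_CIPHERTEXT"

echo "Decrypt 'datakey' (with Admin token)"
RESPONSE_DATA_KEY_PLAIN=$(vault write transit/decrypt/master-key ciphertext="$VAULT_DATAKEY_CIPHERTEXT")
printf 'RESPONSE_DATA_KEY_PLAIN: %s\n' "$RESPONSE_DATA_KEY_PLAIN"

echo "Read the corresponding 'datakey' via cURL (with Approle token)"
# The token is passed on the command line and is visible in 'ps' for the
# duration of the call; fine for a dev server, use 'curl -H @file' or a curl
# config file anywhere else. No --insecure: the default address is plain HTTP,
# and a TLS endpoint should keep certificate verification on. --fail is left
# out on purpose so a 403 from a too-narrow AppRole policy still shows its body.
RESPONSE_DATA_KEY_CURL=$(curl --silent --show-error \
  --header "X-Vault-Token: $VAULT_TOKEN_APPROLE" \
  --request POST "$vault_addr/v1/transit/datakey/plaintext/master-key")
printf 'RESPONSE_DATA_KEY_CURL: %s\n' "$RESPONSE_DATA_KEY_CURL"

echo "Decrypt 'datakey' via cURL (with Approle token)"
# Build the JSON body with printf so the ciphertext is never re-parsed by the shell.
printf '{"ciphertext": "%s"}\n' "$VAULT_DATAKEY_CIPHERTEXT" > key.json
RESPONSE_DATA_KEY_PLAIN_CURL=$(curl --silent --show-error \
  --header "X-Vault-Token: $VAULT_TOKEN_APPROLE" \
  --request POST --data @key.json "$vault_addr/v1/transit/decrypt/master-key")
printf 'RESPONSE_DATA_KEY_PLAIN_CURL: %s\n' "$RESPONSE_DATA_KEY_PLAIN_CURL"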