How to use vault to store RSA private key PEM format


Kulbir singh Saini

Feb 26, 2016, 1:35:09 PM
to Vault
Hello,
Is it possible to store an RSA private key in HashiCorp Vault?

Thanks
Kulbir

Jeff Mitchell

Feb 26, 2016, 2:05:40 PM
to vault...@googlegroups.com
Hi,

You can store anything you like in Vault, so long as it can be
represented as a JSON-compatible string. You may want to base64 the
value before putting it in, just for ease of use (so as to not deal
with escaping newlines) -- but yes!

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/a3fd3a93-1e35-4621-9849-adda01e9a46a%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
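The round trip Jeff describes, as an added example that is not part of the thread and not Vault's own code: base64-encode the PEM so it becomes a single newline-free JSON string, write it to the generic backend, and decode it again on read, refusing anything that does not come back as a complete PEM block. It assumes the generic backend is mounted at secret/ and the key is stored under secret/seckey in a field called "key" (the layout the thread uses); the sample PEM body is a constructed placeholder, and the network helpers read VAULT_ADDR and VAULT_TOKEN from the environment.

```python
"""Store an RSA private key PEM in Vault's generic backend as a base64 string.

Added example, not code from the thread or from Vault itself. It assumes the
generic backend is mounted at secret/ and that the key lives under
secret/seckey in a field named "key", as in the thread; VAULT_ADDR and
VAULT_TOKEN are read from the environment only by the two network helpers.
"""
import base64
import json
import os
import urllib.request

PEM_BEGIN = b"-----BEGIN RSA PRIVATE KEY-----"
PEM_END = b"-----END RSA PRIVATE KEY-----"

# Constructed sample: the body lines are placeholders, not real key material.
SAMPLE_PEM = b"\n".join([
    PEM_BEGIN,
    b"MIIEPLACEHOLDER/NOT+A+REAL+KEY/LINE+ONE",
    b"PLACEHOLDER+LINE+TWO==",
    PEM_END,
]) + b"\n"


def build_write_payload(pem: bytes, field: str = "key") -> dict:
    """Body for `PUT /v1/secret/<path>`: base64 turns the multi-line PEM into one
    newline-free JSON string, which avoids the newline-escaping Jeff mentions."""
    if not pem.startswith(PEM_BEGIN) or PEM_END not in pem:
        raise ValueError("input does not look like an RSA private key PEM")
    return {field: base64.b64encode(pem).decode("ascii")}


def extract_pem(read_response: dict, field: str = "key") -> bytes:
    """Decode the field of a `GET /v1/secret/<path>` response back into PEM bytes,
    refusing values that are not valid base64 or not a complete PEM block."""
    data = read_response.get("data") or {}
    if field not in data:
        raise KeyError("field %r missing from Vault response" % field)
    pem = base64.b64decode(data[field], validate=True)
    if not pem.startswith(PEM_BEGIN) or not pem.rstrip().endswith(PEM_END):
        raise ValueError("decoded value is not a complete PEM block")
    return pem


def _vault_request(method: str, path: str, body: dict = None) -> dict:
    """Minimal HTTP helper; requires VAULT_ADDR and VAULT_TOKEN in the environment."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + "/v1/" + path, data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # a successful write returns 204 with an empty body
    return json.loads(raw) if raw else {}


def write_pem(path: str, pem: bytes) -> None:
    _vault_request("PUT", path, build_write_payload(pem))


def read_pem(path: str) -> bytes:
    return extract_pem(_vault_request("GET", path))


def offline_round_trip(pem: bytes = SAMPLE_PEM) -> bytes:
    """Simulate write-then-read without a server: Vault echoes the stored fields
    back under "data", so the read response can be built from the write payload."""
    simulated_response = {"lease_duration": 2592000, "data": build_write_payload(pem)}
    return extract_pem(simulated_response)


if __name__ == "__main__":
    assert offline_round_trip() == SAMPLE_PEM
    # Same prefix as the value shown later in the thread: the PEM header encoded.
    print(build_write_payload(SAMPLE_PEM)["key"][:44])
    if "VAULT_ADDR" in os.environ and "VAULT_TOKEN" in os.environ:
        write_pem("secret/seckey", SAMPLE_PEM)
        print(read_pem("secret/seckey") == SAMPLE_PEM)
```

Run it with no environment variables to see the offline round trip; export VAULT_ADDR and VAULT_TOKEN to exercise the real write and read. The decode side validates the base64 strictly and checks for both PEM markers so that a truncated or tampered value fails loudly instead of being handed to a TLS library.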

Kulbir singh Saini

Feb 26, 2016, 2:21:00 PM
to Vault
Hello Jeff,

Thanks! Can you point me to some document I can quickly refer to? I'm new to Vault.

Cheers,
Kulbir

Jeff Mitchell

Feb 26, 2016, 3:29:53 PM
to vault...@googlegroups.com
Hi Kulbir,

Check out the generic backend documentation at
https://www.vaultproject.io/docs/secrets/generic/index.html

Since you're new to Vault, it may also be useful to go through the
interactive tutorial, which is a button on the main page at
https://www.vaultproject.io/ -- it has a step that walks through
writing and reading strings to the generic backend.

Best,
Jeff


Kulbir singh Saini

Feb 26, 2016, 3:52:56 PM
to vault...@googlegroups.com
Thanks!

--
Warm Regards

------------------------------------
Kulbir Singh

Kulbir singh Saini

Mar 7, 2016, 11:02:45 PM
to vault...@googlegroups.com
Hello Jeff,

I was able to set up Vault and store/retrieve a secret. Not sure what happened; now I am getting a "{"errors":["permission denied"]}" issue. I tried to read the forum but couldn't get it to work. Below is a snapshot of the sequence for ready reference. Appreciate your help.

[root@default-oel65 ~]# curl --silent -d '{"app_id":762,"user_id":50}' http://127.0.0.1:8200/v1/auth/app-id/login
{"lease_id":"","renewable":false,"lease_duration":0,"data":null,"warnings":null,"auth":{"client_token":"624a4f5f-7ae0-eb5e-a74e-3acad6c073f2","policies":["762"],"metadata":{"app-id":"sha1:c99a2a26bd03c1536aa7684d3acb54914f099b3f","user-id":"sha1:e1822db470e60d090affd0956d743cb0e7cdf113"},"lease_duration":2592000,"renewable":true}}

[root@default-oel65 ~]# curl --silent  -H "X-Vault-Token:ddab9bc7-2b2c-325e-ff3d-8514a73fd6c6" http://127.0.0.1:8200/v1/secret/seckey
{"errors":["permission denied"]}

[root@default-oel65 ~]# curl --silent  -H "X-Vault-Token:ddab9bc7-2b2c-325e-ff3d-8514a73fd6c6" http://127.0.0.1:8200/v1/secret/76249
{"errors":["permission denied"]}

[root@default-oel65 ~]# vault read secret/seckey
Key             Value
lease_duration  2592000
key             LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBc3Bxd0JRcW02
cHQ3SGpwT0dXYVZ5MmY2RitFQUhGZHU1d2dON3ZiQjlhZ3ZFaXI3CkxDZTB6WU5KRFhJY0w2UVd5
MXFzbitpbmxMWS9IK085cjlUcnJrU0Z4Q084RWp6TTg2R2tzY3VlcmcwQkllQ0QKaEkzN2phUXZw
aTFGcmViQVRoUVFIbWoyVlZlS1Rib2xuU2JiL09LcnF0a0NUSGxqTFFoTzltM0ZnM1NmR2NnMAoz
cHBNSStlT3RUZWhRQ3EvVDI5MERPamFKUnNMTWJRQTJHTjBmbDlXT0RnVjZib1Z3VjFkbERDS3kw

Jeff Mitchell

Mar 7, 2016, 11:06:00 PM
to vault...@googlegroups.com
Hi Kulbir,

The client token in your app-id response is not the same token as in
your subsequent curl calls. You're using an old/invalid token, hence
permission denied!

Best,
Jeff


Kulbir singh Saini

Mar 8, 2016, 6:13:33 AM
to vault...@googlegroups.com
Oh, I'm so sorry for that copy-paste mistake; here is another snapshot.


[root@default-oel65 ~]# curl --silent -d '{"app_id":762,"user_id":50}' http://127.0.0.1:8200/v1/auth/app-id/login
{"lease_id":"","renewable":false,"lease_duration":0,"data":null,"warnings":null,"auth":{"client_token":"02b89adc-4da6-320a-9827-b184a42e53bd","policies":["762"],"metadata":{"app-id":"sha1:c99a2a26bd03c1536aa7684d3acb54914f099b3f","user-id":"sha1:e1822db470e60d090affd0956d743cb0e7cdf113"},"lease_duration":2592000,"renewable":true}}

[root@default-oel65 ~]# curl --silent  -H "X-Vault-Token:02b89adc-4da6-320a-9827-b184a42e53bd" http://127.0.0.1:8200/v1/secret/seckey
{"errors":["permission denied"]}

[root@default-oel65 ~]# vault read secret/seckey
Key             Value
lease_duration  2592000
key             LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBc3Bxd0JRcW02
cHQ3SGpwT0dXYVZ5MmY2RitFQUhGZHU1d2dON3ZiQjlhZ3ZFaXI3CkxDZTB6WU5KRFhJY0w2UVd5
MXFzbitpbmxMWS9IK085cjlUcnJrU0Z4Q084RWp6TTg2R2tzY3VlcmcwQkllQ0QKaEkzN2phUXZw
aTFGcmViQVRoUVFIbWoyVlZlS1Rib2xuU2JiL09LcnF0a0NUSGxqTFFoTzltM0ZnM1NmR2NnMAoz

Jeff Mitchell

Mar 8, 2016, 8:18:29 AM
to vault...@googlegroups.com
Hi Kulbir,

What is the content of policy "762"?

Thanks,
Jeff

Kulbir singh Saini

Mar 8, 2016, 8:57:05 AM
to vault...@googlegroups.com
Hello Jeff,

Your question helped me figure out the problem. I was messing up the user-id mapping option while creating the policy. Appreciate your quick responses. Thanks!

Quick question: I still had those vault write commands in my history, but what is the best way to find the content of a policy? I am still trying to go through the documentation to find something.


Jeff Mitchell

Mar 8, 2016, 9:09:10 AM
to vault...@googlegroups.com
Hi Kulbir,

"vault policies 762" will do it!

--Jeff


Kulbir singh Saini

Mar 8, 2016, 10:23:16 AM
to vault...@googlegroups.com
Hello Jeff,

Thanks, but it gives me nothing:

[root@default-oel65 ~]# vault policies 762

[root@default-oel65 ~]#

Below is what I created for testing:

 vault write auth/app-id/map/app-id/762 value=root display_name=762
 vault write auth/app-id/map/user-id/50 value=762

Regards
Kulbir


Jeff Mitchell

Mar 8, 2016, 10:56:08 AM
to vault...@googlegroups.com
Makes sense -- an empty policy won't allow access to anything, since
Vault is default-deny.

Best,
Jeff


Kulbir singh Saini

Mar 8, 2016, 11:07:29 AM
to vault...@googlegroups.com
But I am able to access secrets now after I fixed the user-id mapping option, even though the policy is shown as empty. Am I missing something?


Jeff Mitchell

Mar 8, 2016, 11:19:32 AM
to vault...@googlegroups.com
Hi Kulbir,

Now that you've fixed the mapping, you're giving out the root policy
with tokens (which, by the way, is very, very much discouraged).
Originally the authentication information you were giving out only had
the policy "762" attached, which as you saw when you tried to look it
up, is blank, so nothing was allowed with it.

Best,
Jeff

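The two states Jeff contrasts (a blank policy "762" that allows nothing, versus an app-id mapping that hands out root) can be reproduced with a small model of Vault's access-control evaluation. This is an added example, not code from the thread or from Vault: it is a deliberately simplified model (default deny, trailing-* glob match, root bypass) and leaves out Vault's deny-wins, sudo and longest-prefix rules. The SCOPED_POLICY_762 text is a constructed least-privilege replacement for the blank policy; the capability names are Vault's own, and the point of the example is that the app-id should be mapped to that policy name (value=762) rather than value=root.

```python
"""Why an empty policy denies everything, and why mapping to root is too broad.

Added example; not code from the thread or from Vault. It is a deliberately
simplified model of Vault's ACL evaluation (default deny, trailing-* glob match,
root bypass) used to reproduce what the thread observed. Real Vault also applies
deny-wins, sudo and longest-prefix rules that this model leaves out. The
SCOPED_POLICY_762 text is a constructed least-privilege replacement for the
thread's blank policy; the capability names are Vault's own.
"""
import re
from typing import Dict, List, Set

# What `vault policies 762` printed in the thread: nothing. Vault is default-deny,
# so a token carrying only this policy can read nothing.
EMPTY_POLICY_762 = ""

# Constructed: grant exactly what the app needs, then map the app-id to this
# policy name (value=762) instead of value=root.
SCOPED_POLICY_762 = '''
path "secret/seckey" {
  capabilities = ["read"]
}

path "secret/762/*" {
  capabilities = ["create", "read", "update", "delete"]
}
'''

_PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Parse `path "<p>" { capabilities = [...] }` stanzas into {path: {capabilities}}."""
    rules: Dict[str, Set[str]] = {}
    for path, body in _PATH_BLOCK.findall(hcl):
        m = _CAPS.search(body)
        caps: Set[str] = set()
        if m:
            caps = {c.strip().strip('"') for c in m.group(1).split(",") if c.strip()}
        rules[path] = caps
    return rules


def _matches(rule_path: str, request_path: str) -> bool:
    """A trailing * matches any suffix; anything else must match exactly."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def is_allowed(policies: Dict[str, str], attached: List[str], path: str, capability: str) -> bool:
    """Default deny: True only if an attached policy grants `capability` on a matching path.
    A token carrying the root policy bypasses ACLs entirely, which is why handing it out
    through the app-id mapping is discouraged."""
    if "root" in attached:
        return True
    for name in attached:
        for rule_path, caps in parse_policy(policies.get(name, "")).items():
            if _matches(rule_path, path) and capability in caps:
                return True
    return False


def thread_outcomes() -> Dict[str, bool]:
    """Reproduce the states the thread went through when reading secret/seckey."""
    return {
        "empty policy 762": is_allowed({"762": EMPTY_POLICY_762}, ["762"], "secret/seckey", "read"),
        "mapped to root": is_allowed({}, ["root"], "secret/seckey", "read"),
        "scoped policy 762": is_allowed({"762": SCOPED_POLICY_762}, ["762"], "secret/seckey", "read"),
        "scoped policy, write attempt": is_allowed({"762": SCOPED_POLICY_762}, ["762"], "secret/seckey", "update"),
    }


if __name__ == "__main__":
    for case, allowed in thread_outcomes().items():
        print("%-30s %s" % (case, "allowed" if allowed else "permission denied"))
```

The scoped policy lets the app read its key and manage its own subtree under secret/762/ but nothing else, which is the behaviour to look for when inspecting the output of `vault policies <name>`: an empty listing means default-deny applies to every path, and a mapping to root means no listing is consulted at all.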

Kulbir singh Saini

Mar 8, 2016, 11:41:15 AM
to vault...@googlegroups.com
Hello Jeff,

Thanks for the note. I will look into using a custom policy other than root.

Appreciate your help!

Best
Kulbir


Clay Bowen

Mar 9, 2016, 5:13:02 PM
to Vault
I have a program that will automatically store files (and automatically encode binary files before storing them in Vault and decode them on retrieval) -- you may find it useful. It's written in Go (note: this is based on Vault .4 but will work just fine with the new versions; it just doesn't use the new functionality).


vsecure.go

This uses a system that authenticates through AD, sets up a new location for each user (and a policy that allows only that person and the admin to access their content), and creates a catalog of items that have been stored using the program.

Thanks,
Clay

Kulbir singh Saini

Mar 10, 2016, 4:28:59 PM
to vault...@googlegroups.com
Hello Clay,

Thanks for sharing it. I will give it a shot and let you know if I need any help.

Best
Kulbir
