The purpose of this document is to describe how to set up a backup and recovery process for HashiCorp Vault using Medusa.
- Medusa: Medusa is a CLI tool for importing and exporting a JSON or YAML file into HashiCorp Vault; it currently supports the kv1 and kv2 Vault secrets engines.
# Download Medusa binary
wget https://github.com/jonasvinther/medusa/releases/download/v0.2.2/medusa_0.2.2_linux_amd64.tar.gz
# Extract the binary from the tarball
tar xvf medusa_0.2.2_linux_amd64.tar.gz
# Validate if medusa works
./medusa --help
- The RSA key-pair: When exporting your Vault secrets using Medusa, the secrets are encrypted with the AES symmetric encryption algorithm. The 256-bit AES encryption key is generated randomly by Medusa every time the export command is called and is protected with the RSA public key passed to that command. This ensures that both the exported secrets and the AES encryption key can be transferred safely between Vault instances: they can only be decrypted by a person who is in possession of the RSA private key, so that key must be stored separately from the backup files and kept readable only by the account that performs the import.
# The RSA key-pair can be generated with the following commands:
# Create folder
mkdir "keys"
cd keys
# Generate private key
openssl genrsa -out vault-private-key.pem 4096
# Generate public key
openssl rsa -in vault-private-key.pem -pubout -out vault-public-key.pem
- Manually create the kv secrets engines in the new Vault with the same names as in the old Vault (here: dev and prod).
Exporting from Vault is easy with Medusa. Use the following commands to export the secrets into a backup folder named with today's date.
# create new file
touch exportSecrets.sh
# Edit new file
nano exportSecrets.sh
Add the following code and update vaultAddress, vaultToken and secretsEngines:
#!/bin/bash
# bash is required: the secretsEngines array below is not valid in POSIX sh
# Run this script from the folder that contains the medusa binary and the keys folder
# Create variables
vaultAddress="https://<vault-address>";
vaultToken="xxxxxxxxxxxx"; # prefer reading the token from the environment rather than storing it in the script
secretsEngines=('dev' 'prod'); # Note: 'cubbyhole' is private and can not be exported
publicKeyPath="./keys/vault-public-key.pem";
getDate="$(date '+%Y%m%d')";
outputFolderPath="./${getDate}";
encrypt="true"
# Create folder for each date backup
if [ -d "${outputFolderPath}" ]; then
echo "Folder already exists."
else
mkdir "${outputFolderPath}";
fi
echo "Exporting started."
# start exporting process; abort on the first failed engine so a partial backup is never reported as success
# --insecure skips TLS certificate verification; remove it once the Vault address presents a trusted certificate
for kv in "${secretsEngines[@]}";
do
./medusa export "${kv}" --address="${vaultAddress}" --token="${vaultToken}" --insecure --encrypt="${encrypt}" --public-key="${publicKeyPath}" --output="${outputFolderPath}/${kv}.txt" \
|| { echo "Error: export of secrets engine '${kv}' failed." >&2; exit 1; }
echo " - Secrets engine '${kv}': completed."
done
echo "Exporting completed successfully!"
Use the following command to run the export:
./exportSecrets.sh
Use the following commands to import the secrets into the new Vault.
# create new file
touch importSecrets.sh
# Edit new file
nano importSecrets.sh
Add the following code and update vaultAddress, vaultToken and secretsEngines:
#!/bin/bash
# bash is required: the secretsEngines array below is not valid in POSIX sh
# Run this script from the folder that contains the medusa binary, the keys folder and the dated backup folder
# Create variables
vaultAddress="https://<vault-address>";
vaultToken="xxxxxxxxxx";
secretsEngines=('dev' 'prod');
privateKeyPath="./keys/vault-private-key.pem";
getDate="$(date '+%Y%m%d')";
outputFolderPath="./${getDate}";
decrypt="true"
# The backup folder for today's date must already exist (it is created by exportSecrets.sh)
if [ -d "${outputFolderPath}" ]; then
echo "Importing started."
# start importing process; abort on the first failed engine
# --insecure skips TLS certificate verification; remove it once the Vault address presents a trusted certificate
for kv in "${secretsEngines[@]}";
do
./medusa import "${kv}" "${outputFolderPath}/${kv}.txt" --address="${vaultAddress}" --token="${vaultToken}" --insecure --decrypt="${decrypt}" --private-key="${privateKeyPath}" \
|| { echo "Error: import of secrets engine '${kv}' failed." >&2; exit 1; }
echo " - Secrets engine '${kv}': completed."
# sleep 0.5 # Waits 0.5 second.
done
echo "Importing completed successfully!"
else
echo "Invalid folder path '${outputFolderPath}'"
exit 1
fi
Use the following command to run the import:
./importSecrets.sh
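Before running the import, it is worth checking that the backup is complete and that the private key is locked down. The following pre-flight check is an added example, not part of Medusa or of the scripts above; it assumes the folder layout the export script produces (./<YYYYMMDD>/<engine>.txt) and the key path from the keys folder.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Medusa restore (POSIX sh, no arrays needed).

# check_private_key <path>: returns 0 only if the RSA private key exists and is
# not readable, writable or executable by group or others (e.g. mode 0600/0400).
check_private_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    # columns 5-10 of 'ls -l' output are the group and other permission bits
    perm="$(ls -ld "$key" | cut -c5-10)"
    if [ "$perm" != "------" ]; then
        echo "private key $key is accessible to group/others (bits: $perm)" >&2
        return 1
    fi
    return 0
}

# check_backup <folder> <engine>...: returns 0 only if <folder>/<engine>.txt
# exists and is non-empty for every engine named; prints a small manifest.
check_backup() {
    folder="$1"; shift
    [ -d "$folder" ] || { echo "backup folder not found: $folder" >&2; return 1; }
    failed=0
    for kv in "$@"; do
        f="${folder}/${kv}.txt"
        if [ -s "$f" ]; then
            echo "ok   ${kv}: $(wc -c < "$f") bytes"
        else
            echo "FAIL ${kv}: ${f} is missing or empty" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage with the layout produced by exportSecrets.sh (uncomment to run):
# check_private_key ./keys/vault-private-key.pem && check_backup "./$(date '+%Y%m%d')" dev prod
```

Run it from the same folder as the import script; a non-zero exit means the restore should not proceed.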