Document the procedure to use gpg keys with vault init. #682
My exploration has uncovered how to do this. Documenting for others. This may not be secure; use at your own risk.
Export the generated pubkey for use on the vault server:
gpg --export 4096R/1659DFAB > JohnDoeVaultPubKey.out
Copy JohnDoeVaultPubKey.out to the vault server.
Once you have a few keys you are ready to initialize the vault. My next example is insecure because we are using a single key-share. Please follow the documentation and use 3 or more. Also, I had started my vault server without HTTPS enabled; in a production server you will want HTTPS:
[root@vault-dev files]# VAULT_ADDR=http://localhost:8200 vault init -key-shares=1 -key-threshold=1 -pgp-keys /tmp/JohnDoeVaultPubKey.out
Send Key 1 back to the first user to decrypt so that it can be used to unseal the vault or seal it if necessary.
echo c1c14..... | xxd -r -p > vault.gpg
gpg -d vault.gpg # you will need the passphrase from creating the gpg key
Assuming you did everything right, you should have one of your unseal keys.
VAULT_ADDR=http://localhost:8200 vault unseal
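The decode-and-decrypt step above (`echo <hex> | xxd -r -p > vault.gpg` followed by `gpg -d vault.gpg`), written as a script. This is an added example, not code from the issue or from the Vault project. It assumes `gpg` is on the PATH and that the secret key the share was encrypted to is in the local keyring; the file name `vault.gpg` and the sanity check on the first OpenPGP packet byte are my additions. The packet check is useful in practice: it tells you before gpg runs whether the hex you pasted really decodes to an OpenPGP message rather than, say, a truncated value.

```python
"""Added example (not from this issue or the Vault project): decode the
hex-encoded, PGP-encrypted unseal key printed by `vault init -pgp-keys`,
sanity-check it, and hand it to gpg for decryption.

Scripted form of the two commands in the post:
    echo <hex> | xxd -r -p > vault.gpg
    gpg -d vault.gpg
"""
import binascii
import subprocess
import sys


def hex_to_pgp_blob(hex_key: str) -> bytes:
    """Equivalent of `xxd -r -p`: turn the hex string into raw bytes.
    Whitespace is dropped so a value copied out of a terminal still works."""
    cleaned = "".join(hex_key.split())
    if len(cleaned) % 2:
        raise ValueError("hex string has odd length; the key is probably truncated")
    try:
        return binascii.unhexlify(cleaned)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a hex string: {exc}") from None


def openpgp_first_packet_tag(blob: bytes) -> int:
    """Return the tag of the first OpenPGP packet in blob (RFC 4880 section 4.2).
    Every packet starts with a byte whose high bit is set; bit 6 selects the
    new (1) or old (0) header format. A message encrypted to a public key
    starts with a Public-Key Encrypted Session Key packet, which is tag 1."""
    if not blob or not blob[0] & 0x80:
        raise ValueError("first byte is not an OpenPGP packet header; wrong input?")
    first = blob[0]
    if first & 0x40:  # new-format header: tag in the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F  # old-format header: tag in bits 2-5


def decrypt_unseal_key(blob: bytes, path: str = "vault.gpg", gpg: str = "gpg") -> str:
    """Write the blob to `path` and run `gpg --decrypt` on it, exactly like
    `gpg -d vault.gpg` in the post. gpg prompts for the passphrase of the
    secret key the share was encrypted to; stderr stays attached so the
    prompt and any gpg errors are visible. Returns the plaintext unseal key."""
    with open(path, "wb") as fh:
        fh.write(blob)
    proc = subprocess.run([gpg, "--decrypt", path], stdout=subprocess.PIPE, check=True)
    return proc.stdout.decode().strip()


if __name__ == "__main__":
    # Usage: python decode_unseal.py <hex from vault init>   (or pipe it on stdin)
    hex_key = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    blob = hex_to_pgp_blob(hex_key)
    tag = openpgp_first_packet_tag(blob)
    if tag != 1:
        sys.exit(f"first packet has tag {tag}, expected 1 (public-key encrypted session key)")
    print(decrypt_unseal_key(blob))
```

The printed value is the unseal key share, so treat the script's output the same way you would treat the output of `gpg -d`: feed it to `vault unseal` on the spot and do not leave it in shell history or log files.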
@jefferai Not sure if this is a bug, but I can't seem to get base64 pub keys to work:
If I export my pub key as binary, everything works as expected.
I don't think that's a supported format, but I can take a look. It should work fine if you b64 encode the binary file. That support was put in because some people already had b64 versions and didn't want to convert to binary to then have it go back to b64 to go across the wire. It might have changed with the recent keybase support so it may also work in master right now.
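The reply above says Vault accepts the raw binary export or a base64 encoding of that binary. An ASCII-armored export (`gpg --export --armor`) is not the same thing: its base64 body is wrapped in BEGIN/END lines, optional "Name: value" headers and a CRC24 checksum line (RFC 4880 section 6), which is one plausible reason a "base64 pub key" fails while the binary file works. The following script is an added example, not code from the issue or from the Vault project; it strips the armor, verifies the checksum, and prints the plain base64 that the reply describes. The output file name in the usage comment is my own choice.

```python
"""Added example (not from this issue or the Vault project): convert a GPG
public-key export into the base64 form that `vault init -pgp-keys` accepts,
whether the export is binary or ASCII-armored."""
import base64
import sys

ARMOR_BEGIN = "-----BEGIN PGP "
ARMOR_END = "-----END PGP "


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum: CRC-24, init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' line that closes an armored body: base64 of the 3-byte CRC."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def dearmor(text: str) -> bytes:
    """Extract and verify the binary payload of an ASCII-armored block."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith(ARMOR_BEGIN):
            break
    else:
        raise ValueError("no armor BEGIN line found")
    for line in lines:  # armor headers ("Version: ...") run until the first blank line
        if line.strip() == "":
            break
    body, checksum = [], None
    for line in lines:
        line = line.strip()
        if line.startswith(ARMOR_END):
            break
        if line.startswith("="):  # checksum line: '=' followed by 4 base64 chars
            checksum = line
        elif line:
            body.append(line)
    else:
        raise ValueError("armor END line missing; file truncated?")
    data = base64.b64decode("".join(body), validate=True)
    if checksum is not None and checksum != armor_checksum(data):
        raise ValueError("armor checksum mismatch; the export was corrupted in transit")
    return data


def export_to_vault_base64(raw: bytes) -> str:
    """Accept either a binary export or an armored one and return the base64
    string Vault expects: binary -> base64 it directly; armored -> dearmor first.
    Anything else (a stray text file, an empty file) is rejected up front."""
    if raw.lstrip().startswith(ARMOR_BEGIN.encode()):
        return base64.b64encode(dearmor(raw.decode("ascii", "replace"))).decode()
    if not raw or not raw[0] & 0x80:  # binary OpenPGP data starts with a packet header byte
        raise ValueError("input is neither an armored block nor binary OpenPGP data")
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    # Usage: python pgp_to_vault.py JohnDoeVaultPubKey.out > JohnDoeVaultPubKey.b64
    with open(sys.argv[1], "rb") as fh:
        print(export_to_vault_base64(fh.read()))
```

Verifying the CRC24 before handing the key to Vault is cheap and catches a copy-paste or transfer that dropped lines from the armored block; a key that is silently missing its tail would otherwise surface only as a confusing parse error at `vault init` time.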