Vault Unseal automation
Latest commit 59b05dd Jan 22, 2019

Vault-unsealer

This project aims to make it easier to automate the secure unsealing of a Vault server.

Usage

This is a CLI tool to help automate the setup and management of
Hashicorp Vault.

It will continuously attempt to unseal the target Vault instance by retrieving
the unseal key shares from a Google Cloud KMS keyring (or, in aws-kms-ssm mode,
from AWS SSM Parameter Store encrypted with AWS KMS; see --mode below).

Usage:
  vault-unsealer [command]

Available Commands:
  help        Help about any command
  init        Initialise the target Vault instance
  unseal      A brief description of your command

Flags:
      --aws-kms-key-id string                The ID or ARN of the AWS KMS key to encrypt values
      --aws-ssm-key-prefix string            The Key Prefix for SSM Parameter store
      --google-cloud-kms-crypto-key string   The name of the Google Cloud KMS crypt key to use
      --google-cloud-kms-key-ring string     The name of the Google Cloud KMS key ring to use
      --google-cloud-kms-location string     The Google Cloud KMS location to use (eg. 'global', 'europe-west1')
      --google-cloud-kms-project string      The Google Cloud KMS project to use
      --google-cloud-storage-bucket string   The name of the Google Cloud Storage bucket to store values in
      --google-cloud-storage-prefix string   The prefix to use for values store in Google Cloud Storage
  -h, --help                                 help for vault-unsealer
      --mode string                          Select the mode to use 'google-cloud-kms-gcs' => Google Cloud Storage with encryption using Google KMS; 'aws-kms-ssm' => AWS SSM parameter store using AWS KMS encryption (default "google-cloud-kms-gcs")
      --secret-shares int                    Total count of secret shares that exist (default 1)
      --secret-threshold int                 Minimum required secret shares to unseal (default 1)

Use "vault-unsealer [command] --help" for more information about a command.
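The unseal loop described above, written out as an added illustration (not the project's own code): KeyStore, Vault, fakeVault and mapStore are hypothetical types standing in for the KMS-backed share store and Vault's seal API, and the loop stops once --secret-threshold shares out of --secret-shares have been accepted.

```go
package main

import "errors"

// KeyStore yields key share i (hypothetical; the real tool reads KMS-decrypted objects in GCS/SSM).
type KeyStore interface{ Get(i int) (string, error) }

// Vault is the minimal seal API the loop needs (sys/seal-status, sys/unseal).
type Vault interface {
	Sealed() (bool, error)
	Unseal(key string) (sealed bool, err error)
}

// UnsealOnce submits shares until Vault reports unsealed, stopping at the threshold
// (cf. --secret-shares/--secret-threshold); a share the store cannot return is skipped.
func UnsealOnce(v Vault, ks KeyStore, shares, threshold int) (used int, err error) {
	if threshold < 1 || threshold > shares {
		return 0, errors.New("threshold must be between 1 and shares")
	}
	sealed, err := v.Sealed()
	if err != nil || !sealed {
		return 0, err // status call failed, or already unsealed
	}
	for i := 0; i < shares && used < threshold; i++ {
		key, err := ks.Get(i)
		if err != nil {
			continue // missing share: try the next one rather than giving up
		}
		if sealed, err = v.Unseal(key); err != nil {
			return used, err
		}
		used++
	}
	if sealed {
		return used, errors.New("still sealed after submitting available shares")
	}
	return used, nil
}

// fakeVault and mapStore are constructed stand-ins, not Vault or KMS clients.
type fakeVault struct{ need, got int } // unseals once `need` shares have arrived
func (f *fakeVault) Sealed() (bool, error)       { return f.got < f.need, nil }
func (f *fakeVault) Unseal(string) (bool, error) { f.got++; return f.got < f.need, nil }
type mapStore map[int]string                     // share index -> plaintext key
func (m mapStore) Get(i int) (string, error) {
	if k, ok := m[i]; ok {
		return k, nil
	}
	return "", errors.New("share not found")
}
```

In the real tool this loop runs repeatedly against the live instance, so a share that is temporarily unavailable is retried on the next pass rather than failing the process.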

How to set up vault-unsealer via AWS KMS and SSM

Instructions for unsealing both existing and new Vault instances using AWS KMS and SSM.

Build from source

go get github.com/jetstack/vault-unsealer
make -C $(go env GOPATH)/src/github.com/jetstack/vault-unsealer build

Build a Docker image

docker build -t vault-unsealer:<version> .