Spawning and storage of secure environments
| Name | Latest commit message | Commit time |
|---|---|---|
| doc | Add file locations documentation | Nov 27, 2018 |
| edit | Add automatic detection of MFA devices | Nov 26, 2018 |
| lib | Rename session receiver variable | Nov 22, 2018 |
| menu | Add automatic detection of MFA devices | Nov 26, 2018 |
| .gitignore | Initial commit | Mar 14, 2015 |
| .travis.yml | add travis build information | Dec 2, 2015 |
| LICENSE | Change license to MIT | Jul 21, 2016 |
| README.md | Add file locations documentation | Nov 27, 2018 |
| command.go | add vaulted exec to cli | Oct 12, 2018 |
| command_test.go | Consolidate and simplify session generation | Oct 15, 2018 |
| copy.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| copy_test.go | Add passwd subcommand to change passwords | Oct 11, 2018 |
| dump.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| dump_test.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| env.go | Consolidate and simplify session generation | Oct 15, 2018 |
| env_test.go | Consolidate and simplify session generation | Oct 15, 2018 |
| go.mod | Add Go mod files | Nov 27, 2018 |
| go.sum | Add Go mod files | Nov 27, 2018 |
| help.go | add vaulted exec to cli | Oct 12, 2018 |
| list.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| list_test.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| load.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| load_test.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| main.go | fix error mappings to avoid unhashable errors | Oct 8, 2018 |
| main_test.go | Add simple method to invalidate old sessions | Oct 12, 2018 |
| man.go | Add file locations documentation | Nov 27, 2018 |
| remove.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| remove_test.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| session_generation.go | Consolidate and simplify session generation | Oct 15, 2018 |
| spawn.go | Consolidate and simplify session generation | Oct 15, 2018 |
| spawn_test.go | Consolidate and simplify session generation | Oct 15, 2018 |
| steward.go | Fix askpass prompts to include the vault name | Jul 31, 2017 |
| upgrade.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| upgrade_test.go | Make the lib aware of the Steward interface | Jul 31, 2017 |
| version.go | Bump version to v2.4.unstable | Nov 27, 2018 |

README.md

vaulted

Spawn environments from securely stored secrets.

With so many secrets floating around in our modern lives, it's a wonder we're able to keep track of any of them!

vaulted allows you to create vaults of related secrets and then spawn sessions with these secrets. Vaults can contain secure environment variables, AWS credentials, or SSH keys (RSA, DSA, & ECDSA).

vaulted also attempts to insulate spawned environments from other environments on the system. Temporary AWS credentials are created for each session, along with a new SSH agent. The new agent still allows access to the keys in the parent environment's SSH agent, but any keys added inside the spawned environment are only available in that environment.

Installation

macOS

The easiest way to install vaulted on macOS is through Homebrew.

brew install vaulted

Linux

If you already have Linux Brew installed:

brew install vaulted

If you do not use Linux Brew, you will need to build vaulted manually.

Manual

Installation on other platforms should be simple enough through go get as long as you have a proper Go environment setup:

go get -u github.com/miquella/vaulted

Don't forget to add $GOPATH/bin to your $PATH! You must be running go version 1.9 or greater.

Getting Started

vaulted is oriented around vaults of secrets that are used to spawn environments. To get started, add a new vault:

vaulted add my-vault

This will start an interactive editing mode that will help you create your first vault. AWS keys, SSH keys, and arbitrary environment variables can be added to the vault. Once you have your vault arranged how you would like, use q to exit the interactive mode and save the vault to disk.

While editing a vault, Ctrl+C may be used to discard changes to the vault.

Now that your vault has been saved, the list of vaults will reflect your newly saved vault:

vaulted ls

And you can use vaulted to spawn a command in an environment generated from the secrets stored in the vault:

vaulted -n my-vault -- aws s3 ls

Sometimes it is useful to be able to issue multiple commands that require the vault's secrets. In this case, you can spawn an interactive shell:

vaulted shell my-vault

Warning! Leaving interactive shells with your credentials loaded can be dangerous as you may inadvertently provide credentials to an application you didn't intend!

File Locations

Vaults and cached sessions are stored according to the XDG Base Directory Specification.

Vault files are stored in:

  • $XDG_DATA_HOME/vaulted/ (typically ~/.local/share/vaulted/)
  • $XDG_DATA_DIRS/vaulted/ (typically /usr/local/share and /usr/share)

Vault files are written to $XDG_DATA_HOME/vaulted/. To back up your Vaulted data, back up all files in this directory. Session cache files do not need to be retained.

Session cache files are stored in:

  • $XDG_CACHE_HOME/vaulted/ (typically ~/.cache/vaulted/)
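As an added example, not part of vaulted itself, the following POSIX shell functions resolve the directories above with the XDG defaults applied and copy the vault files, and only the vault files, into a backup location. The function names are this example's own, and the permission warning is an added precaution rather than something the README specifies.

```shell
# Added example: resolve vaulted's XDG directories and back up vault files.
# Function names are this example's own, not part of vaulted.

# Directory vaulted writes vault files to, applying the XDG default
# (~/.local/share) when XDG_DATA_HOME is unset.
vaulted_data_dir() {
  printf '%s/vaulted\n' "${XDG_DATA_HOME:-$HOME/.local/share}"
}

# Session cache directory (XDG default ~/.cache). It holds only cached
# sessions, so it is deliberately left out of the backup.
vaulted_cache_dir() {
  printf '%s/vaulted\n' "${XDG_CACHE_HOME:-$HOME/.cache}"
}

# Copy every file from the vault directory into $1, preserving modes.
# Warns (added precaution) when the directory is accessible to other users.
vaulted_backup() {
  dest="$1"
  src=$(vaulted_data_dir)
  [ -d "$src" ] || { echo "no vault directory at $src" >&2; return 1; }
  # Characters 8-10 of `ls -ld` output are the "others" permission bits.
  others=$(ls -ld "$src" | cut -c8-10)
  [ "$others" = "---" ] || echo "warning: $src is accessible to other users (others=$others)" >&2
  mkdir -p "$dest"
  cp -Rp "$src/." "$dest/"
}
```

Run `vaulted_backup /path/to/backup` from a shell that has sourced these functions; the cache directory returned by `vaulted_cache_dir` is never touched.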

Using Vaulted from other software

An env subcommand has been included with the intention of supplying machine readable output for integration with shells and shell utilities. Every effort has been made to supply meaningful return codes on failures along with a description of what has gone wrong. See vaulted(1) for details on the return values to expect and their meanings.

Going Further

While vaulted supports basic modification methods like copying, editing, and removing, more advanced methods such as JSON-formatted dumping and loading are also available. Note that a dump necessarily contains the vault's secrets in readable form, so handle its output with the same care as the secrets themselves. An environment can even be loaded into a running shell! See vaulted --help for available commands.
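As an added example, not part of vaulted itself, the following POSIX shell functions load a vault's environment into the running shell through the env subcommand described above and remove it again afterwards, which addresses the earlier warning about leaving an interactive shell with credentials loaded. The example assumes that `vaulted env NAME` prints `export NAME=value` lines for the current shell and, as the README states, exits non-zero with a message on stderr when it fails; the function names and the `VAULTED_LOADED_VARS` variable are this example's own.

```shell
# Added example: shell helpers around `vaulted env`. Assumes `vaulted env NAME`
# prints `export NAME=value` lines for the current shell and exits non-zero
# with a message on stderr on failure. Function and variable names are this
# example's own, not part of vaulted.

# Names exported by the last vaulted_load, so vaulted_unload can remove them.
VAULTED_LOADED_VARS=""

# Load vault $1 into the running shell. The output is captured first and
# only evaluated when `vaulted env` succeeded, so a failure (for example an
# unknown vault) never leaves a half-loaded environment behind.
vaulted_load() {
  out=$(vaulted env "$1") || {
    rc=$?
    echo "vaulted env '$1' failed with status $rc; nothing loaded" >&2
    return "$rc"
  }
  # Record the variable names from the export lines before applying them.
  VAULTED_LOADED_VARS=$(printf '%s\n' "$out" \
    | sed -n 's/^export \([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | tr '\n' ' ')
  eval "$out"
}

# Remove everything vaulted_load put into the environment, so the shell is
# not left holding credentials once they are no longer needed.
vaulted_unload() {
  for v in $VAULTED_LOADED_VARS; do
    unset "$v"
  done
  VAULTED_LOADED_VARS=""
}
```

Source the functions in the shell, run `vaulted_load my-vault` before the commands that need the secrets and `vaulted_unload` as soon as they are done. The exit status of a failed `vaulted_load` is the one `vaulted env` returned, so scripts can branch on the codes documented in vaulted(1).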

Spawned Environment

In addition to including secrets stored in the vault, spawned environments also include environment variables that describe how the session and environment were spawned. See vaulted-env(1) and vaulted-shell(1) for details.

GUI Password Prompts

GUI-based password prompts can be used by setting the VAULTED_ASKPASS variable. See vaulted(1) for more details.