Skip to content
A Vault secrets plugin for generating high entropy passwords and passphrases.
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Create reaction.yml Aug 3, 2018
gen Update modules, fix linter errors Apr 19, 2019
scripts Update instructions Mar 7, 2018
version Update build to pass Sep 10, 2018
.gitignore Prep release Nov 10, 2017
.travis.yml Swtich to go modules Mar 21, 2019
LICENSE Initial commit Nov 10, 2017
Makefile Fix logger (use built-in) Sep 10, 2018
README.md Add setcap command (#5) Oct 26, 2018
go.mod Update modules, fix linter errors Apr 19, 2019
go.sum Update modules, fix linter errors Apr 19, 2019
main.go Initial commit Nov 10, 2017

README.md

Password Generator for HashiCorp Vault

Build Status

The Vault Password Generator is a Vault secrets plugin for generating cryptographically secure passwords and passphrases.

This is both a real custom Vault secrets plugin, and an example of how to build, install, and maintain your own Vault secrets plugin.

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

  1. Download and decompress the latest plugin binary from the Releases tab on GitHub. Alternatively you can compile the plugin from source, if you're into that kinda thing.

  2. Move the compiled plugin into Vault's configured plugin_directory:

    $ mv vault-secrets-gen /etc/vault/plugins/vault-secrets-gen
  3. Enable mlock so the plugin can safely be enabled and disabled:

    setcap cap_ipc_lock=+ep /etc/vault/plugins/vault-secrets-gen
  4. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

    $ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
    
    $ vault write sys/plugins/catalog/secrets-gen \
        sha_256="${SHA256}" \
        command="vault-secrets-gen"
  5. Mount the secrets engine:

    $ vault secrets enable \
        -path="gen" \
        -plugin-name="secrets-gen" \
        plugin

Usage & API

Generate Password

Generates a random, high-entropy password with the specified number of characters, digits, symbols, and configurables.

Method Path Produces
POST /gen/password 200 (application/json)

Parameters

  • length (int: 64) - Specifies the total length of the password including all letters, digits, and symbols.

  • digits (int: 10) - Specifies the number of digits to include in the password.

  • symbols (int: 10) - Specifies the number of symbols to include in the password.

  • allow_uppercase (bool: true) - Specifies whether to allow uppercase and lowercase letters in the password.

  • allow_repeat (bool: true) - Specifies to allow duplicate characters in the password. If set to false, be conscious of password length as values cannot be re-used.

CLI

$ vault write gen/password length=36 symbols=0
Key  	Value
---  	-----
value	27f3L5zKCZS8DD6D2PEK1xm0ECNaImg1PJqg

Generate Passphrase

Generates a random, high-entropy passphrase with the specified number of words and separator using the diceware algorithm.

Method Path Produces
POST /gen/passphrase 200 (application/json)

Parameters

  • words (int: 6) - Specifies the total number of words to generate.

  • separator (string: "-") - Specifies the string value to use as a separator between words.

CLI

$ vault write gen/passphrase words=4
Key  	Value
---  	-----
value	obstacle-sacrament-sizable-variably

License

This code is licensed under the MIT license.

You can’t perform that action at this time.