dockerfiles/vault/README.md

vault
=====

![](https://badge.imagelayers.io/vimagick/vault:latest.svg)

[`Vault`][1] is a tool for securely accessing secrets. A secret is anything
that you want to tightly control access to, such as API keys, passwords,
certificates, and more. Vault provides a unified interface to any secret, while
providing tight access control and recording a detailed audit log.

## docker-compose.yml

```
data:
  image: busybox
  volumes:
    - /var/lib/vault

vault:
  image: vimagick/vault
  ports:
    - "8200:8200"
  volumes:
    - vault/vault.crt:/etc/vault/vault.crt
    - vault/vault.key:/etc/vault/vault.key
  volumes_from:
    - data
  privileged: true
  restart: always
```

> Please distribute `vault.crt` to clients.

## server

```
$ cd ~/fig/vault
$ mkdir vault
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vault/vault.key -out vault/vault.crt
$ docker-compose up -d
$ docker cp vault_vault_1:/usr/bin/vault /usr/local/bin/
```

## client

```
$ export VAULT_ADDR='https://127.0.0.1:8200'
$ vault status
$ vault init | tee vault.secret
$ vault unseal
$ vault auth
$ vault write secret/name key=value
$ vault read secret/name
$ vault seal
```

- Split `vault.secret`, keep them a secret.
- Run `vault unseal` 3 times to unseal.
- Use `key=@value` to read secret from file.

[1]: https://www.vaultproject.io/
add vault 2015-07-18 09:30:30 +02:00			`vault`
			`=====`

update 2015-07-18 09:44:59 +02:00			`![](https://badge.imagelayers.io/vimagick/vault:latest.svg)`

add vault 2015-07-18 09:30:30 +02:00			[`Vault`][1] is a tool for securely accessing secrets. A secret is anything
			`that you want to tightly control access to, such as API keys, passwords,`
			`certificates, and more. Vault provides a unified interface to any secret, while`
			`providing tight access control and recording a detailed audit log.`

update 2015-07-18 09:44:59 +02:00			`## docker-compose.yml`

			```
			`data:`
			`image: busybox`
			`volumes:`
			`- /var/lib/vault`

			`vault:`
			`image: vimagick/vault`
			`ports:`
			`- "8200:8200"`
update 2015-07-18 10:24:47 +02:00			`volumes:`
			`- vault/vault.crt:/etc/vault/vault.crt`
			`- vault/vault.key:/etc/vault/vault.key`
update 2015-07-18 10:03:34 +02:00			`volumes_from:`
update 2015-07-18 09:44:59 +02:00			`- data`
update 2015-07-18 10:03:34 +02:00			`privileged: true`
update 2015-07-18 09:44:59 +02:00			`restart: always`
			```

add dummy keys 2015-07-18 10:32:56 +02:00			> Please distribute `vault.crt` to clients.
update 2015-07-18 10:24:47 +02:00
update 2015-07-18 09:44:59 +02:00			`## server`

			```
			`$ cd ~/fig/vault`
update 2015-07-18 10:24:47 +02:00			`$ mkdir vault`
			`$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vault/vault.key -out vault/vault.crt`
update 2015-07-18 09:44:59 +02:00			`$ docker-compose up -d`
			`$ docker cp vault_vault_1:/usr/bin/vault /usr/local/bin/`
			```

			`## client`

			```
update 2015-07-18 10:03:34 +02:00			`$ export VAULT_ADDR='https://127.0.0.1:8200'`
update 2015-07-18 09:44:59 +02:00			`$ vault status`
update 2015-07-18 10:24:47 +02:00			`$ vault init \| tee vault.secret`
update 2015-07-18 09:44:59 +02:00			`$ vault unseal`
update 2015-07-18 10:03:34 +02:00			`$ vault auth`
			`$ vault write secret/name key=value`
			`$ vault read secret/name`
update 2015-07-18 09:44:59 +02:00			`$ vault seal`
			```

update 2015-07-18 10:24:47 +02:00			- Split `vault.secret`, keep them a secret.
update 2015-07-18 10:03:34 +02:00			- Run `vault unseal` 3 times to unseal.
			- Use `key=@value` to read secret from file.
update 2015-07-18 09:44:59 +02:00
add vault 2015-07-18 09:30:30 +02:00			`[1]: https://www.vaultproject.io/`