Propriétaire de la Clé ; The Key Owner
This tool is still in an early stage. If you want to play with it, enabling backups during rekey and regeneration operations is probably wise. This tool,
propriecle, facilitates safe interaction patterns for Vault master key concepts. As of now, it provides both an interactive and a non-interactive interface around the following operations:
- Initializing a fresh Vault instance with GPG protected root and unseal keys
- Sealing of a Vault instance using a GPG protected root key
- Unsealing of a Vault instance using GPG protected unseal keys
- Rekeying with new GPG protected unseal keys
- Rotation of the master key
- Regeneration of a new GPG protected root key
- Stepping down of an HA leader server
The GPG keys may be derived from Keybase. At this point, validation is not done at time of import, so for the smoothest experience you should validate them out of band before use. The
keybase-validator script might help.
It is possible to run propriecle both interactively and as a scriptable command line tool. If you invoke it without any arguments (or setting any configuration parameters) it will look for its configuration directory in
~/.propriecle and a configuration file in
~/.proprieclerc, and start the interactive ncurses based GUI. You can override the file paths with the
PROPRICLE_CONFIG environment variables.
Non-interactive mode makes use of the same environment variables and encapsulates what is available via the GUI, plus a few other options. Each operation takes a single argument, the name of a Vault instance (as specified in the configuration file).
- unseal will attempt to use every applicable key to unseal the specified Vault instance. If you do not specify an instance then it will attempt to unseal everything.
- seal will make use of the root token to seal the specified Vault instance. If you do not specify an instance then it will seal everything.
- init will initialize a fresh Vault instance, properly storing the encrypted root and unseal keys.
- step_down will ask a Vault HA leader to step down and become standby.
- root_get will print the root token to stdout (in the clear, so take care where that output ends up, e.g. shell history, terminal logs or a redirected file).
- rekey_start will begin the process of rekeying unseal keys.
- rekey_auth will attempt to use every applicable key to rekey unseal keys.
- rekey_cancel will cancel the process of rekeying unseal keys.
- regenerate_start will begin the process of generating a new root token.
- regenerate_auth will attempt to use every applicable key to generate a new root token.
It is configured with a simple YAML file. When referring to GPG keys you may use either a shortened GPG fingerprint ID or a Keybase username with a prefix, e.g.
keybase:otakup0pe would encrypt things against that Keybase ID. Short key IDs can collide with other keys in a keyring, so prefer the full fingerprint where you can. The following configuration items are supported.
- root_key is the GPG key to encode the root token against.
- keys is a list of GPG keys to encode unseal keys against. This will affect how many total keys are requested during init, rekey, and regenerate operations.
- required is the minimum number of keys required for init, rekey, and regenerate operations.
- backup is a boolean that controls whether spares of the unseal keys are kept on the Vault instance.
- vaults is a list of Vault instances to interact with. You can specify both a friendly
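As an added example (not propriecle's own code), the module below shows how these configuration items map onto the Vault HTTP API that init, rekey and unseal ultimately drive, and checks the threshold arithmetic before anything is sent to a live Vault. The Vault field names are Vault's own (secret_shares, secret_threshold, pgp_keys and root_token_pgp_key for sys/init; backup for sys/rekey/init; sealed, t, n and progress from sys/seal-status); the config items are the ones listed above. The vaults list is not modelled, the Keybase username pattern is an assumption, and the fingerprint, "public key" bytes and config values are constructed placeholders rather than real key material.

```python
"""Map a propriecle-style config onto Vault's init, rekey and unseal API.

Added example, not propriecle's own code. Assumes the config carries the
documented items root_key, keys, required and backup, and uses Vault's own
API field names. All key material below is a constructed placeholder.
"""
import base64
import re

KEYBASE_PREFIX = "keybase:"
KEYBASE_USER_RE = re.compile(r"[A-Za-z0-9_]{2,16}")  # assumed username shape
HEX_RE = re.compile(r"[0-9A-F]{8,40}")               # short key ID .. full fingerprint

# Constructed sample inputs: a fake fingerprint, a placeholder standing in for
# the bytes `gpg --export <fingerprint>` would produce, and a small config.
FULL_FP = "0123456789ABCDEF0123456789ABCDEF01234567"
LOCAL_PUBKEYS = {
    FULL_FP: b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nplaceholder\n"
             b"-----END PGP PUBLIC KEY BLOCK-----\n",
}
EXAMPLE_CONFIG = {
    "root_key": "keybase:otakup0pe",
    "keys": ["keybase:otakup0pe", "0x89abcdef01234567", "keybase:alice"],
    "required": 2,
    "backup": True,
}


def resolve_pgp_key(ref, local_pubkeys):
    """Turn one config key reference into the value Vault expects in pgp_keys.

    keybase:<user> is passed through unchanged; Vault fetches that key itself.
    A (possibly shortened) fingerprint is matched by suffix against the local
    keyring and the exported key is base64-encoded. Short key IDs are
    collidable, so exactly one match is required and anything else is an error.
    """
    if ref.startswith(KEYBASE_PREFIX):
        user = ref[len(KEYBASE_PREFIX):]
        if not KEYBASE_USER_RE.fullmatch(user):
            raise ValueError(f"malformed Keybase reference: {ref!r}")
        return ref
    fp = ref.upper().replace(" ", "")
    if fp.startswith("0X"):
        fp = fp[2:]
    if not HEX_RE.fullmatch(fp):
        raise ValueError(f"not a Keybase reference or hex fingerprint: {ref!r}")
    matches = [full for full in local_pubkeys if full.endswith(fp)]
    if len(matches) != 1:
        raise ValueError(f"{ref!r} matches {len(matches)} local keys; use the full fingerprint")
    return base64.b64encode(local_pubkeys[matches[0]]).decode("ascii")


def decode_pgp_key(value):
    """Inverse of the base64 step above, useful for inspecting a payload."""
    return base64.b64decode(value)


def validate_error(config):
    """Return why the config cannot drive init/rekey, or None if it can."""
    keys = config.get("keys") or []
    required = config.get("required")
    if not config.get("root_key"):
        return "root_key is missing"
    if not keys:
        return "keys must list at least one GPG key"
    if not isinstance(required, int) or required < 1:
        return "required must be a positive integer"
    if required > len(keys):
        return f"required ({required}) exceeds the number of keys ({len(keys)})"
    return None


def init_payload(config, local_pubkeys):
    """Body for POST sys/init: one share per configured key, threshold = required."""
    err = validate_error(config)
    if err:
        raise ValueError(err)
    return {
        "secret_shares": len(config["keys"]),
        "secret_threshold": config["required"],
        "pgp_keys": [resolve_pgp_key(k, local_pubkeys) for k in config["keys"]],
        "root_token_pgp_key": resolve_pgp_key(config["root_key"], local_pubkeys),
    }


def rekey_start_payload(config, local_pubkeys):
    """Body for POST sys/rekey/init. A rekey does not touch the root token, and
    backup asks Vault to keep PGP-encrypted spares of the new shares."""
    payload = init_payload(config, local_pubkeys)
    del payload["root_token_pgp_key"]
    payload["backup"] = bool(config.get("backup", False))
    return payload


def assign_shares(response, config):
    """Pair each encrypted share Vault returned with the key it was encrypted to.
    Vault returns shares in the same order as the pgp_keys it was given."""
    shares = response["keys"]
    if len(shares) != len(config["keys"]):
        raise ValueError("share count does not match configured keys; refusing to guess owners")
    return [{"recipient": r, "encrypted_share": s} for r, s in zip(config["keys"], shares)]


def unseal_plan(seal_status, decryptable_shares):
    """Choose the shares to submit to sys/unseal from the ones we can decrypt.
    Fails before submitting anything if the threshold cannot be reached, so a
    half-finished unseal is never left behind."""
    if not seal_status["sealed"]:
        return []
    needed = seal_status["t"] - seal_status.get("progress", 0)
    if len(decryptable_shares) < needed:
        raise RuntimeError(f"need {needed} more shares but can decrypt only {len(decryptable_shares)}")
    return decryptable_shares[:needed]


if __name__ == "__main__":
    import json
    print(json.dumps(init_payload(EXAMPLE_CONFIG, LOCAL_PUBKEYS), indent=2))
```

Two choices are deliberate. A shortened fingerprint must match exactly one local key, because a short ID that matches zero or several keys is exactly the case where an init would otherwise encrypt a share to the wrong recipient or fail part-way through. And unseal_plan counts the shares it can actually decrypt against t minus progress before submitting any of them, so the tool never leaves a Vault with a partially completed unseal that another operator then has to reason about.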
Things still to do:
- Ability to execute seal/unseal actions across an entire cluster
- Tests, Docker
- Can you rekey GPG unseal keys?
- Start UI thread prior to HTTP threads
- Make sure the HTTP check thread timeout is low. Might have to modify hvac for this?
- Make sure Python 3.5 works!
- Validate keys at startup (remove the case of an init failing due to bad keys)
- Collapse associated servers to their parent
- Less terrible errors
- Friendly import/export of keys?
- Support non-root admin users
Contributing:
- This project operates under a Code of Conduct.
- Changes are welcome via pull request!
- Please use informative commit messages and pull request descriptions.
- Please remember to update the documentation if needed.
- Please keep style consistent. This means PEP 8 and pylint compliance at a minimum.
- Please add both unit and integration tests. Unit tests should run in complete isolation with all disk/network calls mocked out.
If you have any questions, please feel free to contact firstname.lastname@example.org.