Basis
Env Variables
export VAULT_TOKEN=hvs.xxxxxxxxxxxxxxxx
Set Token for Token Authentication Method.
export VAULT_SKIP_VERIFY=true
Skip TLS certificate verification.
Initialization
Check Status
vault status
Check if server is running.
Initialize and Unseal Vault
vault operator init
Initialize vault.
vault operator unseal
Prompt for an unseal key; the vault unseals once the required number (threshold) of unseal keys has been entered.
Login
vault login
Login to the server.
Tokens
Explore
vault list auth/my_auth_method/accessors
List the accessors of tokens created with the specified auth method.
vault token lookup -accessor <token_accessor>
Return info about the token (type, TTL, max TTL ...).
Revoke
vault token revoke <token_id>
Revoke token.
vault token revoke -accessor <token_accessor>
Revoke token using its accessor.
vault token revoke -self
Revoke current token.
vault token revoke -mode-path auth/my_auth_method
Revoke all tokens (and their children) created with specified auth method.
Traceability
Entity
vault list identity/entity/id
List entities.
vault delete identity/entity/id/f53c4994-8458-6b6c-8cff-eaf869c9aefc
Delete entity.
Audit Device
vault audit list
List audit devices.
vault audit enable file file_path=/var/log/vault_audit.log
Create an audit device (the user running Vault has to be able to write to the given path).
vault audit disable file
Disable specified audit device.
vault write sys/audit-hash/file input="P@ssword!"
Compute the hash for a given input (can be used to check hashed values in the audit file). Warning: only admins should be able to write to sys/audit-hash/file.
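As an added example (not part of the original cheat sheet), this Python script shows how the hash returned by sys/audit-hash can be matched against entries written by a file audit device, and how to pull permission-denied requests out of the same log. The audit lines are constructed and abridged; real entries carry many more fields.

```python
import json
from typing import Any, Iterator

# Constructed sample audit entries (abridged). Hashed values use Vault's
# "hmac-sha256:<hex>" form, the same form sys/audit-hash returns.
AUDIT_LINES = [
    '{"time":"2024-01-10T09:00:00Z","type":"response","auth":{"accessor":"hmac-sha256:a1c3","policies":["ops"]},'
    '"request":{"operation":"update","path":"secret/data/app",'
    '"data":{"data":{"username":"hmac-sha256:9b2d","password":"hmac-sha256:6f1e"}}}}',
    '{"time":"2024-01-10T09:05:00Z","type":"response","auth":{"accessor":"hmac-sha256:a1c3","policies":["ops"]},'
    '"request":{"operation":"read","path":"secret/data/app"}}',
    '{"time":"2024-01-10T09:07:00Z","type":"response","auth":{"accessor":"hmac-sha256:e7e7","policies":["default"]},'
    '"request":{"operation":"read","path":"transit/keys/my_key"},'
    '"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}',
]

def _walk(node: Any, prefix: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted.path, value) for every string leaf of a parsed entry."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{prefix}[{i}]")
    elif isinstance(node, str):
        yield prefix, node

def find_hashed_value(lines: list[str], audit_hash: str) -> list[dict]:
    """Entries in which any field equals the hash returned by sys/audit-hash."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        for field, value in _walk(entry):
            if value == audit_hash:
                hits.append({"time": entry["time"], "field": field,
                             "operation": entry["request"]["operation"],
                             "path": entry["request"]["path"],
                             "accessor": entry["auth"]["accessor"]})
    return hits

def denied_requests(lines: list[str]) -> list[dict]:
    """Requests Vault rejected with 'permission denied' (policy gaps or probing)."""
    out = []
    for line in lines:
        entry = json.loads(line)
        if "permission denied" in entry.get("error", ""):
            out.append({"time": entry["time"], "path": entry["request"]["path"],
                        "accessor": entry["auth"]["accessor"]})
    return out
```

Passing the hashed accessor instead of a secret value traces every entry made by one token.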
Access Control
Lease
vault lease revoke aws/creds/myRole/my_lease_id
Revoke specified lease.
vault lease revoke -prefix aws/
Revoke all leases under the specified prefix.
Policy
vault policy list
List policies.
vault policy read my-policy
Read policy content.
vault policy write my-policy my-policy.hcl
Create a policy from local file.
vault token capabilities hvs.XXXXXXXXXXXX /transit/encrypt/my_key
Check capabilities of a token for the given path (output example: update).
Namespaces (Enterprise)
vault namespace list
List namespaces.
vault namespace create my-namespace
Create namespace.
vault namespace delete my-namespace
Delete namespace.
vault secrets list -namespace=my_namespace
Use a namespace in a command.
Authentication Methods
Basis
vault auth list
List authentication backends enabled.
vault auth enable aws
Enable an authentication backend.
Token
vault token create -policy=my_policy -ttl=30m
Create a token with a specified Policy and TTL.
vault token renew myToken
Renew a token.
UserPass
vault auth enable userpass
Enable UserPass Auth Method.
vault list auth/userpass/users/
List created users.
vault write auth/userpass/users/my_user password="my_pass"
Create user "my_user" with the given password (or update the password if the user exists).
vault login -method=userpass username=my_user password="my_pass"
Login to Vault using UserPass Auth Method.
AppRole
vault auth enable approle
Enable AppRole.
vault write auth/approle/role/my-role token_policies="my-policy"
Create an AppRole Role with a Policy.
vault read auth/approle/role/my-role/role-id
Retrieve RoleId.
vault write -f auth/approle/role/my-role/secret-id
Generate a SecretId (-f is required because the write operation carries no data).
vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"
Login using AppRole.
Secret Engines
List
vault secrets list
Return info about secret engines.
vault secrets list -detailed
Return more info about secret engines (e.g. KV version).
Enable
vault secrets enable -path=my_secret_engine_path kv
Create a new Key Value (KV) secrets engine.
Modify
vault secrets move my/old/path my/new/path
Change the path of the Secret Engine.
vault secrets tune -default-lease-ttl=12h my_engine_path
Change the configuration of the Secret Engine mounted at the given path.
Secret Engine KV
List
vault kv list kv
List secrets in a kv secret engine.
Get
vault kv get -mount=my_engine_path my_secret
Read a secret.
vault kv get -mount=my_engine_path -format=json my_secret | jq -r .data
Read a secret and output in JSON.
vault kv get -mount=my_engine_path -field=foo my_secret
Read one field.
vault kv get -mount=my_engine_path -format=json my_secret | jq -r .data.data.foo
Read one field and output in JSON.
Put
vault kv put -mount=my_engine_path my_secret key=value
Create a secret (or replace pre-existing).
vault kv put -mount=my_engine_path my_credentials username=myUser password=myPass
Create a new secret composed of credentials.
Delete
vault kv delete -mount=my_engine_path -versions=2 my_secret
In KV v1, permanently delete the specified secret. In KV v2, mark the given version(s) as deleted. The secret is still readable when specifying the version explicitly, and it can be restored with vault kv undelete.
KV v2 Specific
vault kv undelete -mount=my_engine_path -versions=2 my_secret
Recover the deleted version(s) of the secret. Only works if the version's destroyed parameter is set to false.
vault kv destroy -mount=my_engine_path -versions=1 my_secret
Permanently delete the specified version(s) of a secret (cannot be recovered).
vault kv metadata delete -mount=my_engine_path my_secret
Permanently delete the secret (thus all of its versions).
vault kv enable-versioning my_engine_path
Enable versioning for a KV v1 Secret Engine (convert to v2).
Secret Engine Transit
Enable
vault secrets enable transit
Enable Transit secret engine.
Keys
vault list transit/keys
List Keys in Transit engine.
vault write -f transit/keys/my-key
Create a new Key.
vault write -f transit/keys/my_key/rotate
Rotate the Key (create a new version). Old versions of the key will still exist (they are managed by min_decryption_version).
Encryption
vault write transit/encrypt/my_key plaintext=$(echo "my secret data" | base64)
Encrypt data.
vault write -field=plaintext transit/decrypt/my_key ciphertext=vault:v1:qRuV... | base64 -d
Decrypt data (-field=plaintext to only get the base64 decrypted data).
vault write transit/rewrap/my-key ciphertext=vault:v1:8SDd...
Decrypt then re-encrypt data with a newer version of the key.
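Added example, not from the original page: after a key is rotated and min_decryption_version is raised, ciphertexts stored by applications may silently become undecryptable. This Python helper parses the vault:vN: prefix that Transit puts on every ciphertext and classifies a constructed set of stored values into those that should be rewrapped and those Vault will already refuse; the sample ciphertexts and version numbers are assumed.

```python
import re

# Transit ciphertexts look like "vault:v<N>:<base64>", N being the key
# version that encrypted them. latest_version and min_decryption_version
# are what `vault read transit/keys/<name>` reports (constructed here).
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):[A-Za-z0-9+/]+=*$")

def key_version(ciphertext: str) -> int:
    """Return the key version embedded in a transit ciphertext."""
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError(f"not a transit ciphertext: {ciphertext!r}")
    return int(m.group(1))

def rotation_plan(ciphertexts, latest_version, min_decryption_version):
    """Classify stored ciphertexts against the current key configuration.

    current   : encrypted with the latest key version, nothing to do
    stale     : still decryptable but on an old version -> transit/rewrap
    broken    : below min_decryption_version, Vault will refuse to decrypt
    malformed : not a transit ciphertext, or a version this key never had
    """
    plan = {"current": [], "stale": [], "broken": [], "malformed": []}
    for ct in ciphertexts:
        try:
            v = key_version(ct)
        except ValueError:
            plan["malformed"].append(ct)
            continue
        if v > latest_version:
            plan["malformed"].append(ct)
        elif v < min_decryption_version:
            plan["broken"].append(ct)
        elif v < latest_version:
            plan["stale"].append(ct)
        else:
            plan["current"].append(ct)
    return plan

# Constructed sample: four stored values after two rotations of my_key.
SAMPLE = ["vault:v1:QUJDRA==", "vault:v2:RUZHSA==", "vault:v3:SUpLTA==", "not-a-ciphertext"]

if __name__ == "__main__":
    for kind, items in rotation_plan(SAMPLE, 3, 2).items():
        print(kind, items)
```

Run the "stale" list through transit/rewrap before raising min_decryption_version, so nothing lands in "broken".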
Operator
Regenerate Root Token
vault operator generate-root -generate-otp
Generate an OTP for the generate-root command.
vault operator generate-root -init -otp=<otp_token>
Initialize Root Token Generation. Give the generated nonce to the Recovery Keys holders.
vault operator generate-root -nonce=<request_nonce>
Each Recovery Key holder runs this to validate the request with their key until quorum is reached. This will return the encoded token.
vault operator generate-root -decode=<encoded_token> -otp=<otp_token>
Decode the newly generated Root Token.
ReKey (Regenerate Unseal Keys)
vault operator rekey -init -key-shares=3 -key-threshold=2
Initialize request for ReKey.
vault operator rekey -nonce=<request_nonce>
Validate the request with Unseal Keys until quorum is reached. This will output the new Unseal Keys.
vault operator rekey -target=recovery -init -key-shares=3 -key-threshold=2
Initialize request for ReKey in Recovery Key mode (Auto Unseal enabled).
vault operator rekey -target=recovery -nonce=<request_nonce>
Validate the request with Recovery Keys until quorum is reached. This will output the new Recovery Keys.
Rotate Encryption Keys
vault operator rotate
Trigger a rotation of the backend Encryption Key (Vault keeps the old key versions to decrypt existing data).
Raft
Cluster
vault operator raft list-peers
List Raft members.
vault operator raft autopilot state
Show current cluster autopilot state.
vault operator raft autopilot get-config
Show autopilot config.
Snapshot
vault operator raft snapshot save backup.snap
Create a Snapshot.
vault operator raft snapshot restore -force backup.snap
Restore Snapshot from local file (copy the Snapshot file onto the machine to restore). The -force option is required here since the Auto-Unseal or Shamir keys will not be consistent with the snapshot data (snapshot from a different cluster). https://developer.hashicorp.com/vault/tutorials/standard-procedures/sop-restore
Snapshot Auto (Enterprise)
vault list /sys/storage/raft/snapshot-auto/config
List Auto Snapshot configs.
vault read /sys/storage/raft/snapshot-auto/config/my-auto-snapshot-config
Check specified Auto Snapshot config.
Replication
Basis
vault read sys/replication/status
Check replication status (DR and Performance).
Disaster Recovery
https://developer.hashicorp.com/vault/tutorials/enterprise/disaster-recovery
vault read sys/replication/dr/status
Check DR replication status.
vault write -f sys/replication/dr/primary/enable
Enable DR replication as Primary.
vault write sys/replication/dr/primary/secondary-token id=dr-secondary
Create a token for a Secondary cluster.
vault write sys/replication/dr/secondary/enable token=DR_SECONDARY_TOKEN
Enable DR replication as Secondary.
Performance
vault read sys/replication/performance/status
Check Performance replication status.
vault write -f sys/replication/performance/primary/enable
Enable Performance replication as Primary.
vault write sys/replication/performance/primary/secondary-token id=perf-secondary
Create a token for a Secondary cluster.
vault write sys/replication/performance/secondary/enable token=PERF_SECONDARY_TOKEN
Enable Performance replication as Secondary.
Agent
Basis
vault agent generate-config -type="env-template" -exec="./my_script.sh" -path="secret/my_secret" agent-config.hcl
Generate a configuration file for an agent.
vault agent -config=agent-config.hcl
Run an agent.