auto-unseal utility for Hashicorp Vault

โ” Why

HashiCorp Vault provides a few options for auto-unsealing clusters.

However, depending on your deployment conditions and how you use Vault, some of those options may not be feasible (cost, network connectivity, complexity). That may push you to roll your own unseal mechanism, but doing so in a reasonably secure manner is not easy.

So, what do we need to solve? We want to auto-unseal a vault cluster by providing the necessary unseal tokens whenever we find vault is sealed. We also want to send notifications when this happens, so that if vault became sealed unintentionally (not from patching, upgrades, etc.), possibly due to a crash or malicious intent, a human can investigate later (and not at 3am).

โœ”๏ธ Solution

The goal for this project is to find the best way to unseal vault in a way that doesn't compromise too much security (a good balance between security and ease of use/uptime), without the requirement of Vault Enterprise, or having to move to a cloud platform.

We do this by running multiple instances of vault-unseal (for example, one on each node in the cluster). Each instance is given only a subset of the unseal tokens: just enough that, when paired with another vault-unseal instance, the two together can unseal the vault. What we want to avoid is any single vault-unseal instance holding enough tokens to unseal on its own, so that compromising one instance does not expose a quorum of tokens. Consider the following example:

vault-unseal example diagram

Explained further:

  • cluster-1 consists of 3 nodes:
    • node-1
    • node-2
    • node-3
  • cluster-1 is configured with 5 unseal tokens (tokens A, B, C, D, E), but only 3 are required to unseal a given vault node.
  • given 3 nodes and a 3-token threshold:
    • vault-unseal on node-1 gets tokens A and B.
    • vault-unseal on node-2 gets tokens B and C.
    • vault-unseal on node-3 gets tokens A and C.

With the above configuration:

  • Each vault-unseal node holds two tokens.
  • Each of the tokens A, B and C is held by two different nodes in the cluster.
  • If node-1 goes completely offline, node-2 and node-3 between them still hold all three tokens, so if those two nodes reboot, vault-unseal can unseal both of them as soon as it starts up.
  • If node-2 is compromised and its tokens are read from the config file (note: vault-unseal will not start if the permissions on the file aren't 600), the two exposed tokens are not enough to unseal the vault.
  • vault-unseal runs as root, with root permissions.
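To make the overlap argument above checkable rather than only drawn, here is an added Go example (not the project's own code) that models a token distribution and verifies the two properties the layout is meant to provide: no single node, or more generally no set of k compromised nodes, holds a quorum of tokens, and losing any k nodes still leaves a quorum among the survivors. The node names and tokens A, B and C are the placeholders from the example; `Distribution`, `SafeAgainstCompromiseOf` and `SurvivesLossOf` are names invented here. The check generalises to any node count and threshold, so it can sanity-check a planned layout before shares are handed out.

```go
package main

import (
	"fmt"
	"math/bits"
	"sort"
)

// Distribution maps a vault-unseal node name to the unseal tokens it holds.
// The token values are placeholders constructed for this example; in a real
// deployment they would be the Shamir key shares from `vault operator init`.
type Distribution map[string][]string

// exampleNodes reproduces the layout from the explanation above: tokens A..E
// exist, the seal threshold is 3, and each node holds two shares.
var exampleNodes = Distribution{
	"node-1": {"A", "B"},
	"node-2": {"B", "C"},
	"node-3": {"A", "C"},
}

// distinct counts the distinct tokens held across the named nodes.
func distinct(d Distribution, names ...string) int {
	seen := map[string]bool{}
	for _, n := range names {
		for _, t := range d[n] {
			seen[t] = true
		}
	}
	return len(seen)
}

// nodeNames returns the node names in a stable order.
func nodeNames(d Distribution) []string {
	names := make([]string, 0, len(d))
	for n := range d {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// forEachSubset calls fn on every k-element subset of {0..n-1} and returns
// false the first time fn does. Clusters are small, so bitmask enumeration
// is sufficient.
func forEachSubset(n, k int, fn func(idx []int) bool) bool {
	if k < 0 || k > n {
		return false
	}
	for mask := 0; mask < 1<<n; mask++ {
		if bits.OnesCount(uint(mask)) != k {
			continue
		}
		var idx []int
		for i := 0; i < n; i++ {
			if mask&(1<<i) != 0 {
				idx = append(idx, i)
			}
		}
		if !fn(idx) {
			return false
		}
	}
	return true
}

// pick resolves subset indices back to node names.
func pick(names []string, idx []int) []string {
	out := make([]string, len(idx))
	for i, j := range idx {
		out[i] = names[j]
	}
	return out
}

// SafeAgainstCompromiseOf reports whether no set of k compromised nodes
// (their config files read) together holds threshold distinct tokens.
func SafeAgainstCompromiseOf(d Distribution, threshold, k int) bool {
	names := nodeNames(d)
	return forEachSubset(len(names), k, func(idx []int) bool {
		return distinct(d, pick(names, idx)...) < threshold
	})
}

// SurvivesLossOf reports whether, with any k nodes hard-offline, the
// remaining nodes still hold threshold distinct tokens between them.
func SurvivesLossOf(d Distribution, threshold, k int) bool {
	names := nodeNames(d)
	return forEachSubset(len(names), len(names)-k, func(idx []int) bool {
		return distinct(d, pick(names, idx)...) >= threshold
	})
}

func main() {
	const threshold = 3
	fmt.Println("1 node compromised, quorum still safe: ", SafeAgainstCompromiseOf(exampleNodes, threshold, 1))
	fmt.Println("2 nodes compromised, quorum still safe:", SafeAgainstCompromiseOf(exampleNodes, threshold, 2))
	fmt.Println("1 node offline, cluster can unseal:    ", SurvivesLossOf(exampleNodes, threshold, 1))
	fmt.Println("2 nodes offline, cluster can unseal:   ", SurvivesLossOf(exampleNodes, threshold, 2))
}
```

A layout that passes `SafeAgainstCompromiseOf(d, threshold, 1)` but fails `SurvivesLossOf(d, threshold, 1)` is too stingy for an availability goal; one that fails the compromise check is handing a quorum to a single host. The example layout passes both at k = 1 and, as the text notes, fails both at k = 2.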

💻 Installation

Check out the releases page for prebuilt versions.

๐Ÿณ Container Images (ghcr)

$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:master
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.3.0
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:latest
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.2.4
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.2.3
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.2.2
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.2.1
$ docker run -it --rm ghcr.io/lrstanley/vault-unseal:0.2.0

🧰 Source

Note that you must have Go installed (latest is usually best).

git clone https://github.com/lrstanley/vault-unseal.git && cd vault-unseal
make
./vault-unseal --help

โš™๏ธ Usage

The default configuration path is /etc/vault-unseal.yaml when installed from deb/rpm. If you are not using these package formats, copy the example config file, example.vault-unseal.yaml, to vault-unseal.yaml. Note that all fields can also be provided via environment variables (vault-unseal also supports .env files).
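The Solution section notes that vault-unseal refuses to start unless the config file's permissions are 600. As an added illustration of that check (example code written here, not the project's own), the Go function below refuses to read a config file unless its permission bits are exactly 0600; rejecting symlinks and other non-regular files is an extra check chosen for this example. The names `CheckConfigPerms`, `LoadConfig` and `ErrInsecureConfig` are invented here, and the demo file in `main` is constructed on the fly.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrInsecureConfig is returned when the config file is accessible to anyone
// other than its owner.
var ErrInsecureConfig = errors.New("config file must have mode 0600")

// CheckConfigPerms applies the rule from the README: refuse to proceed unless
// the config file's permission bits are exactly 0600. Lstat is used so that a
// symlink is seen as a symlink and rejected rather than followed (an extra
// hardening choice made for this example).
func CheckConfigPerms(path string) error {
	info, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file (mode %v)", path, info.Mode())
	}
	if perm := info.Mode().Perm(); perm != 0o600 {
		return fmt.Errorf("%w: %s has mode %04o", ErrInsecureConfig, path, perm)
	}
	return nil
}

// LoadConfig reads the file only after the permission check passes, so the
// unseal tokens are never pulled into process memory from an insecure file.
func LoadConfig(path string) ([]byte, error) {
	if err := CheckConfigPerms(path); err != nil {
		return nil, err
	}
	return os.ReadFile(path)
}

func main() {
	// Constructed demo: write a throwaway file and show both outcomes.
	path := filepath.Join(os.TempDir(), "vault-unseal-demo.yaml")
	defer os.Remove(path)
	if err := os.WriteFile(path, []byte("vault_nodes: []\n"), 0o600); err != nil {
		panic(err)
	}
	if err := os.Chmod(path, 0o644); err != nil {
		panic(err)
	}
	_, err := LoadConfig(path)
	fmt.Println("mode 0644:", err) // refused
	if err := os.Chmod(path, 0o600); err != nil {
		panic(err)
	}
	_, err = LoadConfig(path)
	fmt.Println("mode 0600:", err) // <nil>
}
```

Because the tokens in the file are unseal shares, a world-readable config turns every local account into a holder of that node's shares; failing closed at startup is the cheapest place to catch that mistake.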

$ ./vault-unseal --help
Usage:
  vault-unseal [OPTIONS]

Application Options:
  -v, --version          Display the version of vault-unseal and exit
  -l, --log-path=PATH    Optional path to log output to
  -c, --config=PATH      Path to configuration file (default: ./vault-unseal.yaml)

Help Options:
  -h, --help             Show this help message

โ˜‘๏ธ TODO

  • add option to use a vault token/another vault instance to obtain keys (e.g. as long as the leader is online)?
  • memory obfuscating/removing from memory right after unseal?

๐Ÿ™‹โ€โ™‚๏ธ Support & Assistance

  • โค๏ธ Please review the Code of Conduct for guidelines on ensuring everyone has the best experience interacting with the community.
  • ๐Ÿ™‹โ€โ™‚๏ธ Take a look at the support document on guidelines for tips on how to ask the right questions.
  • ๐Ÿž For all features/bugs/issues/questions/etc, head over here.

๐Ÿค Contributing

  • โค๏ธ Please review the Code of Conduct for guidelines on ensuring everyone has the best experience interacting with the community.
  • ๐Ÿ“‹ Please review the contributing doc for submitting issues/a guide on submitting pull requests and helping out.
  • ๐Ÿ—๏ธ For anything security related, please review this repositories security policy.

โš–๏ธ License

MIT License

Copyright (c) 2018 Liam Stanley <[email protected]>

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
