How to back up your Vault secrets

Vault is a tool for managing and encrypting secrets. It runs as a daemon on a server, and that daemon has to be up and unsealed before any of the encrypted secrets can be read back. I've been cleaning a few things up with a Vault service I'm using: fixing a graphite connection error that caused vault.log to grow to over 1 GB, setting up log rotation for that file and for vault_audit.log, and doing some routine upgrades of the Vault software itself.

Changes like this mean restarting the Vault process, and a restarted Vault comes back "sealed": the master key that protects the stored data is discarded from memory, and a threshold number of the separate unseal keys handed out at initialization has to be supplied before Vault will read secrets out for you again. It's a deliberate security measure, but it makes changing anything about Vault scary: What if I lose all my secrets?

There's still a place in this world for plain text files and password books. As a safeguard, I decided to just save all my vault secrets in a plain text file, and keep it somewhere physically secure.

Following that path led me here, and since Vault doesn't have a "print out all the secrets" command, I needed to do some basic shell scripting. Use this vault-tree script to print out the full path of each secret in your vault tree. Then make another script that takes each line and runs vault read on it:

#!/usr/bin/env bash
#
# read_vault_secrets.sh - read every secret whose path is listed, one per
# line, in the file given as $1 and print each one as JSON
#
# set -e stops at the first path that can't be read, so a partial dump is
# never mistaken for a complete one
set -euo pipefail

while IFS= read -r path; do
    [ -n "$path" ] || continue          # skip blank lines
    # -r keeps backslashes in keys intact; quoting $path and $1 keeps
    # spaces from splitting them
    vault read -format=json "$path"
done < "$1"

Using these scripts together, you can do something like this:

./vault-tree > my_vault_tree.txt
./read_vault_secrets.sh my_vault_tree.txt > vault_secrets.txt

Both steps need an unsealed Vault and a token that can list and read every path under the tree; a path the token can't read shows up as an error message rather than a line of JSON, so look over the output before you trust it. And remember that vault_secrets.txt is now the entire contents of your Vault in clear text: run these commands under a restrictive umask so the file isn't world-readable, keep it off any shared or automatically backed-up filesystem, and delete the working copy once the printed or offline copy is where it belongs.
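Below is a fuller version of the same two-step procedure, written for this post as an added example; it is not the author's vault-tree script. It walks a KV mount recursively with vault list (a key ending in "/" is a subtree, anything else is a leaf secret), refuses to run while Vault is sealed or unreachable, writes the list of paths to a manifest, and then saves each secret's JSON to its own file. The script name, the VAULT_CMD variable, the output layout and the sample mount secret/ are assumptions for the example, not anything from the original post; it assumes KV version 1 semantics (vault list / vault read) and that VAULT_ADDR and VAULT_TOKEN are already exported for the CLI.

```bash
#!/usr/bin/env bash
#
# dump_vault_tree.sh - walk a Vault KV (v1) mount with "vault list" and write
# every secret it finds to <outdir>/<secret path>.json via "vault read".
# Added example for this post, not the post's vault-tree script.
# Assumes KV version 1 semantics and VAULT_ADDR / VAULT_TOKEN in the environment.
#
set -eu
set -o pipefail 2>/dev/null || true   # fail pipelines early where the shell supports it
umask 077                             # every file we create is readable by us alone

# The CLI to talk to; overridable (assumption for this example) so the
# traversal can be exercised against a stand-in without a live server.
: "${VAULT_CMD:=vault}"

# Print the direct children of a path, one per line. Vault marks a subtree
# with a trailing "/" ("app/") and a leaf secret without one ("db-password").
# "vault list" exits non-zero for a path with no children; that is simply an
# empty result here, not an error. Keys containing '"' are not handled.
vault_children() {
    "$VAULT_CMD" list -format=json "$1" 2>/dev/null |
        sed -n 's/^ *"\(.*\)",\{0,1\}$/\1/p' || true
}

# Recursively print the full path of every leaf secret under a prefix.
# The prefix must end in "/", e.g. secret/.
walk_tree() {
    local prefix=$1 key
    vault_children "$prefix" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        if [ "${key%/}" != "$key" ]; then
            walk_tree "${prefix}${key}"        # subtree: descend into it
        else
            printf '%s\n' "${prefix}${key}"    # leaf: report its full path
        fi
    done
}

# Write one secret, as the JSON "vault read" returns, to <outdir>/<path>.json.
dump_secret() {
    local path=$1 out=$2/$1.json
    mkdir -p "$(dirname "$out")"
    "$VAULT_CMD" read -format=json "$path" > "$out"
}

# Dump everything under <root> into <outdir>; prints a summary to stderr.
main() {
    local root=$1 outdir=${2:-vault_backup} path
    # A sealed Vault answers every read with an error, so a backup taken then
    # would be empty. "vault status" exits 0 only when the server is unsealed.
    if ! "$VAULT_CMD" status >/dev/null 2>&1; then
        echo "vault is sealed or unreachable; refusing to back up" >&2
        return 1
    fi
    mkdir -p "$outdir"
    # Step one, the manifest: the same list of paths vault-tree produces.
    walk_tree "$root" > "$outdir/manifest.txt"
    # Step two, one read per listed path. set -e aborts on the first failure,
    # so a partial dump is never mistaken for a complete one.
    while IFS= read -r path; do
        dump_secret "$path" "$outdir"
    done < "$outdir/manifest.txt"
    echo "wrote $(wc -l < "$outdir/manifest.txt" | tr -d ' ') secrets to $outdir" >&2
}

if [ $# -eq 0 ]; then
    echo "usage: $0 <mount path ending in /> [outdir]" >&2
else
    main "$@"
fi
```

Run it as ./dump_vault_tree.sh secret/ ./vault_backup with VAULT_ADDR and VAULT_TOKEN exported. Keeping the manifest and the per-secret JSON files separate has one advantage over a single vault_secrets.txt: a restore is just a loop over the manifest that writes each file's data object back with vault write, whereas the flat text file is easier to print but harder to feed back in.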