Vault is a tool for managing and encrypting secrets. It runs as a daemon on a server, and that daemon needs to be active in order for these encrypted secrets to be read. I've been cleaning a few things up with a Vault service I'm using: fixing a graphite connection error that caused vault.log to grow to over 1 GB, setting up log rotation for that log file and vault_audit.log, and doing some routine upgrades of the Vault software itself.
When you make changes like this to Vault, it has the tendency to "seal" itself. This is a security measure that requires a few separate keys to "unseal" into a mode where Vault can again read out secrets for you. Because of this, making changes to Vault can be scary: What if I lose all my secrets?
There's still a place in this world for plain text files and password books. As a safeguard, I decided to just save all my vault secrets in a plain text file, and keep it somewhere physically secure.
Following that path led me here, and since Vault doesn't have a "print out all the secrets" command, I needed to do some basic shell scripting. Use this vault-tree script to print out the full path of each secret in your vault tree. Then make another script that takes each line and runs `vault read` on it:
```bash
#!/usr/bin/env bash
#
# read_vault_secrets.sh
#
# Reads one secret path per line from the file given as $1 and prints
# each secret as JSON. -r keeps backslashes in paths intact; quoting $1
# keeps file names with spaces working.
while read -r path; do
    vault read -format=json "$path"
done < "$1"
```
Using these scripts together, you can do something like this:

```bash
./vault-tree > my_vault_tree.txt
./read_vault_secrets.sh my_vault_tree.txt > vault_secrets.txt
```
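The same two steps (walk the tree, then read every leaf) in one script, as an added example that is not the post's vault-tree or read_vault_secrets.sh. It shells out to the real `vault list` / `vault read` commands and assumes `vault` is on PATH with VAULT_ADDR and VAULT_TOKEN set; the SAMPLE_TREE layout is constructed so the walk can be exercised without a server, and the output file is created mode 0600 because it holds plaintext secrets.

```python
"""Walk a Vault KV tree and dump every leaf secret as JSON lines.
Added example, not the post's vault-tree/read_vault_secrets.sh scripts.
vault_cli shells out to the real CLI; SAMPLE_TREE is a constructed stand-in
so the walk can be exercised offline."""
import json
import os
import subprocess

def vault_cli(sub, path):
    """Run `vault <sub> -format=json <path>` (assumes `vault` on PATH with
    VAULT_ADDR/VAULT_TOKEN set) and parse the JSON it prints."""
    out = subprocess.run(["vault", sub, "-format=json", path], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)

def walk_tree(root, list_fn=None):
    """Return the full path of every leaf secret under `root`, depth first.
    `vault list` marks sub-paths with a trailing '/': recurse into those and
    collect everything else. This is what the post's vault-tree prints."""
    list_fn = list_fn or (lambda p: vault_cli("list", p))
    root = root.rstrip("/") + "/"
    paths = []
    for key in list_fn(root):
        if key.endswith("/"):
            paths.extend(walk_tree(root + key, list_fn))
        else:
            paths.append(root + key)
    return paths

def dump_secrets(paths, out_file, read_fn=None):
    """`vault read` each path and write it as one JSON line. The file is
    created owner-read/write only (0600) because it holds plaintext secrets."""
    read_fn = read_fn or (lambda p: vault_cli("read", p))
    fd = os.open(out_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for p in paths:
            fh.write(json.dumps({"path": p, "secret": read_fn(p)}) + "\n")
    return len(paths)

# Constructed KV v1 layout standing in for a live server.
SAMPLE_TREE = {"secret/": ["db/", "api_key"], "secret/db/": ["prod", "staging"]}

def sample_list(path):
    return SAMPLE_TREE.get(path, [])

if __name__ == "__main__":
    # Offline demo; against a real server call walk_tree("secret/") and
    # dump_secrets(paths, "vault_secrets.txt") with the defaults.
    print("\n".join(walk_tree("secret/", sample_list)))
```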