Dumps keys from a Hashicorp Vault instance to be able to restore it on another instance
Project description
vault-dump-restore
Dumps keys from a Hashicorp Vault instance into a file, so that they can be restored later in any other instance. Remember to encrypt the file!
This only supports reading a kv2 engine. Also note that these dumps and restores are meant to be used very rarely and only in emergency situations, since this more or less defeats the purpose of having a vault (storing secrets inside a vault, sealed with a key, etc.): you're dumping all the secrets to an external file!
The following examples use gpg commands to encrypt/decrypt the files.
Example for dump:
# make sure you have the vault environment variables:
export VAULT_ADDR=https://<vault-addr>
export VAULT_TOKEN=<vault-token>
# dumps the entire vault kv secrets in a shell script (vault commands)
vault-dump -o vault | gpg --symmetric --cipher-algo AES256 > vault-backup.sh.enc
# dumps a specific path with the default json format
vault-dump -p secrets/specific-app | gpg --symmetric --cipher-algo AES256 > vault-backup.json.enc
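In the pipelines above the shell reports only gpg's exit status, so a vault-dump that fails partway still leaves an encrypted file that looks like a usable backup. The wrapper below is an added example, not part of vault-dump-restore: it writes the backup only when both the dump and the encryption succeed. The names `safe_encrypted_dump` and `ENCRYPT_CMD` are hypothetical.

```sh
# Added example: fail-closed wrapper for "vault-dump ... | gpg ... > file".
# Usage: safe_encrypted_dump OUTFILE DUMP_CMD [ARGS...]
#   safe_encrypted_dump vault-backup.json.enc vault-dump -p secrets/specific-app
# ENCRYPT_CMD is a hypothetical override (default: the page's gpg command).
safe_encrypted_dump() (
    out=$1
    shift
    umask 077                                  # ciphertext readable by owner only
    tmp=$(mktemp "$out.XXXXXX") || exit 1      # same directory, so mv is atomic
    rcfile=$(mktemp) || { rm -f "$tmp"; exit 1; }

    # Plaintext only ever travels through the pipe. The producer's exit status
    # is saved to rcfile because the pipeline reports only the last command.
    {
        rc=0
        "$@" || rc=$?
        echo "$rc" > "$rcfile"
    } | ${ENCRYPT_CMD:-gpg --symmetric --cipher-algo AES256} > "$tmp"
    enc_rc=$?
    dump_rc=$(cat "$rcfile")
    rm -f "$rcfile"

    if [ "$dump_rc" != 0 ] || [ "$enc_rc" != 0 ]; then
        rm -f "$tmp"                           # never leave a truncated backup
        echo "backup aborted: dump exit=${dump_rc:-unknown}, encrypt exit=$enc_rc" >&2
        exit 1
    fi
    mv -f "$tmp" "$out"                        # replace any previous backup only now
)
```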
Examples for restore:
# make sure you have the vault environment variables:
export VAULT_ADDR=https://<vault-addr>
export VAULT_TOKEN=<vault-token>
# you must also have the secret engine created
vault secrets enable -path=secrets kv
# restore a full dump using the shell script format
. <(gpg -qd vault-backup.sh.enc)
# restore a full dump using the JSON format
gpg -qd vault-backup.json.enc | vault-restore -
# restore a specific path using the JSON format
gpg -qd vault-backup.json.enc | vault-restore -p secrets/specific-app -
Installation and usage
Installation can be done through pip:
pip install vault-dump-restore
Use the -h parameter to get help from the commands:
vault-dump -h
vault-restore -h
Setup and usage for local development
Make a virtual environment:
python3 -m venv venv
source venv/bin/activate
pip install -e .
Note that this will also install the local dependencies, which might change after
some time. If needed, you can run pip install -e . again to reinstall the
updated dependencies anytime.
Documentation build
Run:
make docs
HTML documentation will be generated at docs/_build/html.
Download files
File details
Details for the file vault-dump-restore-0.5.1.tar.gz.
File metadata
- Download URL: vault-dump-restore-0.5.1.tar.gz
- Upload date:
- Size: 21.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.1 pkginfo/1.8.2 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c5f376b329e708ece10385d5ae0eab93583dc3cde36644bd31c77cf98ee7acb9 |
| MD5 | b12e9b102bd5fa62d47d3a3225a82ca4 |
| BLAKE2b-256 | a1e0f4cd6e66060a1369f0cfcfbea7af7d02138da1f415ee86202323639f4b32 |
File details
Details for the file vault_dump_restore-0.5.1-py3-none-any.whl.
File metadata
- Download URL: vault_dump_restore-0.5.1-py3-none-any.whl
- Upload date:
- Size: 21.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.1 pkginfo/1.8.2 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 16fc9552c6afff952df3b3dd68dc0cfee508fb80e3156f58d1b86adf58e93412 |
| MD5 | e149218f48c825fee5df37f95edd33da |
| BLAKE2b-256 | 93d54695da3b2787f56d5c250fb2722ca5b1f8e1aad9ecbeacc011c2dce32906 |