Utility to store and retrieve dm-crypt encryption keys in Hashicorp Vault
Project description
Utility to store and retrieve dm-crypt keys in Hashicorp Vault.
Vault provides a nice way to manage secrets within complex software deployments.
vaultlocker provides a way to store and retrieve dm-crypt encryption keys in Vault, automatically retrieving keys and opening LUKS dm-crypt devices on boot.
vaultlocker is configured using /etc/vaultlocker/vaultlocker.conf:
[vault] url = https://vault.internal:8200 approle = 4a1b84d2-7bb2-4c07-9804-04d1683ac925 backend = secret
vaultlocker defaults to using a backend with the name secret.
A block device can be encrypted and its key stored in vault:
sudo vaultlocker encrypt /dev/sdd1
This will automatically create a new systemd unit which will automatically retrieve the key and open the LUKS/dm-crypt device on boot.
Unless a UUID is provided (using the optional –uuid flag) vaultlocker will generate a UUID to label and identify the block device during subsequent operations.
A block device can also be opened from the command line using its UUID (hint - the block device or partition will be labelled with the UUID):
sudo vaultlocker decrypt f65b9e66-8f0c-4cae-b6f5-6ec85ea134f2
Authentication to Vault is done using an AppRole with a secret_id; its assumed that a CIDR based ACL is in use to only allow permitted systems within the Data Center to login and retrieve secrets from Vault.
Free software: Apache license
Documentation: https://docs.openstack.org/vaultlocker/latest
Source: https://git.openstack.org/cgit/openstack/vaultlocker
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.