Automatically unseals configured Vault instances using a push mechanism.
🔐 Retrieve Vault's unseal key from Vault's KV2 or transit secret engine
🛂 Authenticate against Vault using AppRole, (explicit) token or implicit auth
🔭 Robust automation through observability
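As an added illustration of the push mechanism (example code, not the vault-unsealer project's own), a minimal Go function that submits key shares to a sealed instance's `sys/unseal` endpoint and stops as soon as Vault reports it unsealed; the HTTP client, address and shares are assumed inputs, and fetching the share from KV2 or transit is left out:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// SealStatus holds the fields of Vault's PUT /v1/sys/unseal reply that the
// push loop needs in order to decide whether to submit another share.
type SealStatus struct {
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`        // shares required (threshold)
	N        int  `json:"n"`        // shares in total
	Progress int  `json:"progress"` // shares accepted so far
}

// Unseal pushes key shares one by one to PUT <addr>/v1/sys/unseal on a sealed
// Vault and returns as soon as the reply reports sealed=false, so no surplus
// share ever leaves the process. The unseal endpoint itself needs no token.
func Unseal(c *http.Client, addr string, shares []string) (SealStatus, error) {
	var st SealStatus
	for i, share := range shares {
		body, err := json.Marshal(map[string]string{"key": share})
		if err != nil {
			return st, err
		}
		req, err := http.NewRequest(http.MethodPut, addr+"/v1/sys/unseal", bytes.NewReader(body))
		if err != nil {
			return st, err
		}
		resp, err := c.Do(req)
		if err != nil {
			return st, err
		}
		// A rejected share answers with a non-200 status and an "errors" body,
		// so check the status before trusting the decoded seal status.
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return st, fmt.Errorf("share %d rejected: HTTP %d", i+1, resp.StatusCode)
		}
		err = json.NewDecoder(resp.Body).Decode(&st)
		resp.Body.Close()
		if err != nil {
			return st, err
		}
		if !st.Sealed {
			return st, nil
		}
	}
	return st, fmt.Errorf("still sealed: %d of %d shares accepted", st.Progress, st.T)
}
```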
Q: Why would I need auto-unsealing?
A: I'm trying to push OS, container-image and Vault updates rather aggressively; therefore I'm not patching any machines manually, but automatically (see conditional-reboot). Hence, I need a mechanism that unseals preconfigured Vault instances automatically, without human intervention.
Q: OK, but why not use auto-unsealing with AWS KMS / Azure Key Vault / GCP KMS?
A: If your Vault clusters / instances do not run on one of the specified cloud providers (like mine), you'll have to issue and deal with access keys to said platforms: distribute them secretly, keep them safe and rotate them frequently. vault-unsealer reads the unseal key from Vault itself (make sure it's well protected!), as I've written enough tooling that helps me keep my Vault credentials safe and rotate them both frequently and automatically (e.g. vault-approle-cli or vault-mfa).
Q: Why not use auto-unsealing with Vault Transit?
A: I did not want to manage another cluster / production instance of HashiCorp Vault, even though I built some tooling around it that keeps maintenance low.
Q: Do only three real questions justify a FAQ section of their own?
A: Probably not, but here we are.
$ git clone https://github.com/soerenschneider/vault-unsealer.git
$ cd vault-unsealer
$ docker run -v $(pwd)/contrib:/config ghcr.io/soerenschneider/vault-unsealer:main -conf /config/example-config.json
Download prebuilt binaries from the releases section for your system. Use the example systemd service file to run it at boot.
As a prerequisite, you need to have the Go SDK installed. Then you can install vault-unsealer from source by invoking:
$ go install github.com/soerenschneider/vault-unsealer@latest
An example configuration can be found here. Note that this example is oversimplified and not secure. Head over to the configuration section for more details.
Check here
The changelog can be found here.