
soerenschneider/vault-unsealer


vault-unsealer


Automatically unseals configured Vault instances using a push mechanism.

Key Features

🔐 Retrieve Vault's unseal key from Vault's KV v2 or transit secrets engine
🛂 Authenticate against Vault using AppRole, an explicit token, or implicit auth
🔭 Robust automation through observability

FAQ

Q: Why would I need auto-unsealing?
A: I push OS, container image and Vault updates themselves rather aggressively, so I do not patch any machine manually but automatically (see conditional-reboot). Hence I need a mechanism that unseals preconfigured Vault instances without human intervention.


Q: Ok, but why not use auto-unseal with AWS KMS / Azure Key Vault / GCP KMS?
A: If your Vault clusters or instances do not run on one of those cloud providers (mine don't), you have to issue and manage access keys for those platforms: distribute them securely, keep them safe and rotate them frequently. vault-unsealer instead reads the unseal key from Vault itself (make sure it is well protected!), as I have already written enough tooling to keep my Vault credentials safe and rotate them both frequently and automatically (e.g. vault-approle-cli or vault-mfa).


Q: Why not use auto-unseal with Vault Transit?
A: I did not want to manage yet another cluster or production instance of HashiCorp Vault, even though I have built some tooling around it that keeps maintenance low.


Q: Do only three real questions justify their own FAQ section?
A: Probably not, but here we are.


Installation

Docker / Podman

$ git clone https://github.com/soerenschneider/vault-unsealer.git
$ cd vault-unsealer
$ docker run -v $(pwd)/contrib:/config ghcr.io/soerenschneider/vault-unsealer:main -conf /config/example-config.json

Binaries

Download prebuilt binaries for your system from the releases section. Use the example systemd service file to run it at boot.

From Source

As a prerequisite, you need the Go toolchain installed. Then you can install vault-unsealer from source by invoking:

$ go install github.com/soerenschneider/vault-unsealer@latest

Configuration

An example configuration can be found here. Note that this example is oversimplified and not secure; head over to the configuration section for details.

Observability

Check here

How does it work?

[Diagram: unsealer]
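The push flow in Go, as an added example that is not the project's own code: one cycle logs in with AppRole at an already-unsealed Vault, reads the unseal key from its KV v2 engine and submits it through sys/unseal to every target that reports itself sealed. It uses only the standard library and Vault's documented HTTP endpoints (auth/approle/login, <mount>/data/<path>, sys/seal-status, sys/unseal); the functions Run and UnsealTarget, the secret path secret/data/vault/unseal and the UNSEALER_* environment variables are assumptions made for this example, not project configuration.

```go
package main

// Added example, not vault-unsealer's own code: a stdlib-only sketch of the push
// flow the README describes, using Vault's documented HTTP API (auth/approle/login,
// KV v2 <mount>/data/<path>, sys/seal-status, sys/unseal). Run, UnsealTarget and the
// path secret/data/vault/unseal are assumptions made for this example.

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// Client is a minimal Vault API client; Token stays empty for unauthenticated calls.
type Client struct{ Addr, Token string }

// call sends a JSON request to /v1/<path> and decodes a 2xx JSON reply into out.
func (c *Client) call(method, path string, in, out any) error {
	var body bytes.Buffer
	if in != nil {
		json.NewEncoder(&body).Encode(in)
	}
	req, err := http.NewRequest(method, c.Addr+"/v1/"+path, &body)
	if err != nil {
		return err
	}
	if c.Token != "" {
		req.Header.Set("X-Vault-Token", c.Token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// SealStatus holds the one sys/seal-status field this example needs.
type SealStatus struct {
	Sealed bool `json:"sealed"`
}

// UnsealTarget pushes key to target only if it is sealed (so a periodic loop is
// idempotent) and reports whether target is unsealed afterwards.
func UnsealTarget(target *Client, key string) (bool, error) {
	var st SealStatus
	if err := target.call("GET", "sys/seal-status", nil, &st); err != nil {
		return false, err
	}
	if st.Sealed {
		if err := target.call("POST", "sys/unseal", map[string]string{"key": key}, &st); err != nil {
			return false, err
		}
	}
	return !st.Sealed, nil
}

// Run is one cycle: AppRole login at the source Vault (which must itself be unsealed,
// or the KV read fails), read the key from KV v2, push it to every target.
func Run(source *Client, roleID, secretID string, targets []*Client) (int, error) {
	var login struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	creds := map[string]string{"role_id": roleID, "secret_id": secretID}
	if err := source.call("POST", "auth/approle/login", creds, &login); err != nil {
		return 0, err
	}
	source.Token = login.Auth.ClientToken
	var kv struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` }
	if err := source.call("GET", "secret/data/vault/unseal", nil, &kv); err != nil {
		return 0, err
	}
	key, ok := kv.Data.Data["key"]
	if !ok {
		return 0, fmt.Errorf("unseal key field missing")
	}
	n := 0 // targets that are unsealed after this cycle
	for _, t := range targets {
		ok, err := UnsealTarget(t, key)
		if err != nil {
			return n, err
		}
		if ok {
			n++
		}
	}
	return n, nil
}

func main() {
	// VAULT_ADDR is Vault's standard variable; the UNSEALER_* names are assumed here.
	src := &Client{Addr: os.Getenv("VAULT_ADDR")}
	n, err := Run(src, os.Getenv("UNSEALER_ROLE_ID"), os.Getenv("UNSEALER_SECRET_ID"),
		[]*Client{{Addr: os.Getenv("UNSEALER_TARGET_ADDR")}})
	fmt.Println("unsealed targets:", n, "err:", err)
}
```

Two points the example makes explicit that matter when running something like this for real: the instance holding the key must itself be unsealed (a sealed Vault refuses secret reads), so the key source cannot be the only instance the unsealer is meant to rescue; and the AppRole's policy should grant nothing beyond read on that one KV path, since an unseal key is effectively a root-level secret.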

CHANGELOG

The changelog can be found here