Age plugin to encrypt files with HashiCorp Vault's Transit secrets engine
stsch9/age-plugin-vault
age-plugin-vault 🔒

Warning

This is currently an experimental plugin.

age-plugin-vault is a plugin for the age encryption tool that uses HashiCorp Vault's Transit secrets engine to encrypt and decrypt the age file key. A transit key therefore serves as both the recipient and the identity. The advantage is that the wrapping key never leaves the Vault server and is not known to the user either.


🔧 Prerequisites

  • Go (1.20+ recommended)
  • A running HashiCorp Vault server with the transit engine enabled
  • A Vault token available in ~/.vault-token

Note: The Vault client uses vault.DefaultConfig(). If Vault is not listening at http://127.0.0.1:8200, set the VAULT_ADDR environment variable accordingly.


🚀 Quickstart — Build

From the project root:

# Clone repo
git clone git@github.com:stsch9/age-plugin-vault.git
cd age-plugin-vault

# Build the plugin binary
go build -o age-plugin-vault ./cmd/age-plugin-vault/main.go

Ensure that the age-plugin-vault binary is placed in a directory that is on your PATH, since age locates plugins by name.


🔧 Configure Vault

  1. Enable the Transit engine (if not already enabled):
vault secrets enable transit
  2. Create a transit key:
vault write -f transit/keys/my-keyname type=<KEY_TYPE>

Only use key types that support encryption.

  3. Ensure the Vault token you use has permissions to call transit/encrypt/my-keyname and transit/decrypt/my-keyname.

🔧 Generate an Identity / Recipient

The name of the Vault key is used as the age identity. Generate an identity string (an encoding of the key name) that age can use for encryption and decryption:

# Generates an identity string for 'my-keyname'
./age-plugin-vault -generate my-keyname

The output is an age identity (bech32-encoded) for this plugin, e.g. AGE-PLUGIN-VAULT-....


🔐 Encrypt & Decrypt with age

  • Encrypt (use the identity):
age -e -i <identity-file-or-string> -o secret.txt.age secret.txt
  • Decrypt (provide the identity string or file):
age -d -i <identity-file-or-string> -o secret.txt secret.txt.age
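What `age -e` and `age -d` trigger underneath is a pair of calls to Vault's transit encrypt and decrypt endpoints: the file key goes up, an opaque `vault:v1:...` ciphertext comes back and is stored in the recipient stanza, and decryption reverses the exchange. The Go program below is an added example, not code from age-plugin-vault itself. Its client side uses the real Vault HTTP API paths (`/v1/transit/encrypt/<key>`, `/v1/transit/decrypt/<key>`) and the `X-Vault-Token` header; because a Vault server is not available offline, the server side is a constructed in-process fake of those two endpoints that mimics the `aes256-gcm96` key type. The key name, the token value, the fake server and the 16-byte sample file key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TransitClient wraps/unwraps an age file key with one Vault transit key; Addr and
// Token are what VAULT_ADDR and ~/.vault-token supply in practice (values assumed here).
type TransitClient struct{ Addr, Token, KeyName string }

// call POSTs a JSON body to /v1/transit/<op>/<key> and returns the response "data" object.
func (c *TransitClient) call(op string, body map[string]string) (map[string]string, error) {
	buf, _ := json.Marshal(body)
	req, err := http.NewRequest("POST", c.Addr+"/v1/transit/"+op+"/"+c.KeyName, strings.NewReader(string(buf)))
	if err != nil { return nil, err }
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("transit/%s/%s: HTTP %d", op, c.KeyName, resp.StatusCode)
	}
	var out struct{ Data map[string]string `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return out.Data, nil
}

// WrapFileKey (recipient side): the file key goes up base64-encoded and comes back as
// an opaque "vault:v1:..." string, which is all the recipient stanza needs to hold.
func (c *TransitClient) WrapFileKey(fileKey []byte) (string, error) {
	data, err := c.call("encrypt", map[string]string{"plaintext": base64.StdEncoding.EncodeToString(fileKey)})
	if err != nil { return "", err }
	return data["ciphertext"], nil
}

// UnwrapFileKey (identity side): only a token permitted to call transit/decrypt on
// this key name can turn the stanza body back into the file key.
func (c *TransitClient) UnwrapFileKey(ciphertext string) ([]byte, error) {
	data, err := c.call("decrypt", map[string]string{"ciphertext": ciphertext})
	if err != nil { return nil, err }
	return base64.StdEncoding.DecodeString(data["plaintext"])
}

// fakeTransit is a constructed stand-in for a Vault server so the exchange runs offline.
// It mimics the aes256-gcm96 key type: the AES key is created here and never leaves;
// callers only ever see "vault:v1:" + base64(nonce || ciphertext || tag).
func fakeTransit(keyName, token string) *httptest.Server {
	aesKey := make([]byte, 32)
	_, _ = rand.Read(aesKey)
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != token {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		var in, out map[string]string
		_ = json.NewDecoder(r.Body).Decode(&in)
		switch r.URL.Path {
		case "/v1/transit/encrypt/" + keyName:
			pt, _ := base64.StdEncoding.DecodeString(in["plaintext"])
			nonce := make([]byte, gcm.NonceSize())
			_, _ = rand.Read(nonce)
			ct := gcm.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
			out = map[string]string{"ciphertext": "vault:v1:" + base64.StdEncoding.EncodeToString(ct)}
		case "/v1/transit/decrypt/" + keyName:
			raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(in["ciphertext"], "vault:v1:"))
			if err != nil || len(raw) < gcm.NonceSize() {
				raw = make([]byte, gcm.NonceSize()) // malformed input: let Open reject it
			}
			pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
			if err != nil {
				http.Error(w, "decryption failed", http.StatusBadRequest)
				return
			}
			out = map[string]string{"plaintext": base64.StdEncoding.EncodeToString(pt)}
		default:
			http.NotFound(w, r) // unknown key name
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"data": out})
	}))
}

func main() {
	srv := fakeTransit("my-keyname", "s.constructed-token")
	c := &TransitClient{Addr: srv.URL, Token: "s.constructed-token", KeyName: "my-keyname"}
	wrapped, _ := c.WrapFileKey([]byte("0123456789abcdef")) // a real age file key is 16 random bytes
	got, err := c.UnwrapFileKey(wrapped)
	fmt.Printf("stanza body: %s\nunwrapped: %q (err=%v)\n", wrapped, got, err)
}
```

What the fake makes visible is the security property the plugin relies on: the AES key exists only inside the server, the client handles nothing but the opaque ciphertext, and a caller with the wrong token or the wrong key name gets an error rather than the file key. The Vault policy on transit/encrypt and transit/decrypt for that key name is therefore what protects files encrypted with this plugin.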

🧪 Tests

TBD

go test ./...

Questions

The Vault key name is used as the identity, and the recipient stanza always contains

-> age-encryption.org/vault vault-recipient

Would it make more sense to use the vault key name in the recipient stanza?


Contributing 🤝

Contributions, issues and feature requests are welcome. Please open an issue or a pull request.


License

This project is licensed under the MIT License. See LICENSE for details.


If you need help setting up Vault or integrating the plugin with age, please open an issue. 💬
