vaultr (version 1.0.2)

vault_client_operator: Vault Administration

Description

Administration commands for vault operators. Most of these commands should not be used without consulting the Vault documentation, as they change the administrative state of a Vault server (initialisation, seal state, unseal key shares and the backend encryption key), but they are included here for completeness.

Methods

key_status

Return information about the current encryption key of Vault. Usage:

key_status()

is_initialized

Returns the initialization status of Vault (a logical). Usage:

is_initialized()

init

This endpoint initializes a new Vault. The Vault must not have been previously initialized. Usage:

init(secret_shares, secret_threshold)

Arguments:

  • secret_shares: Integer, specifying the number of shares to split the master key into

  • secret_threshold: Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares

leader_status

Check the high availability status and current leader of Vault. Usage:

leader_status()

rekey_status

Reads the configuration and progress of the current rekey attempt. Usage:

rekey_status()

rekey_start

This method begins a new rekey attempt. Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires cancelling and starting a new rekey, which will also provide a new nonce. Usage:

rekey_start(secret_shares, secret_threshold)

Arguments:

  • secret_shares: Integer, specifying the number of shares to split the master key into

  • secret_threshold: Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares

rekey_cancel

This method cancels any in-progress rekey. This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is cancelled during the verification flow, the current unseal keys remain valid. Usage:

rekey_cancel()

rekey_submit

This method is used to enter a single master key share to progress the rekey of the Vault. If the threshold number of master key shares is reached, Vault will complete the rekey. Otherwise, this method must be called multiple times until that threshold is met. The nonce of the rekey operation (returned by rekey_start) must be provided with each call. Usage:

rekey_submit(key, nonce)

Arguments:

  • key: Specifies a single master key share (a string)

  • nonce: Specifies the nonce of the rekey operation (a string)
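
The following is an added example, not code from the vaultr package or its documentation, showing a complete rekey with the rekey_status, rekey_start, rekey_submit and rekey_cancel methods above. It assumes an unsealed server reachable from an unauthenticated vaultr client (the rekey endpoints need no token), that current_keys holds enough of the current unseal shares to meet the current threshold, and that the lists these methods return carry the field names of the Vault HTTP API (started, nonce, progress, required, complete, keys, keys_base64).

```r
library(vaultr)

# Rekey Vault's master key: start a rekey, feed in enough *current* shares
# to meet the current threshold, and return the newly generated shares.
rekey_vault <- function(client, current_keys, secret_shares = 5L,
                        secret_threshold = 3L) {
  op <- client$operator

  # Only one rekey may be in flight. Refuse to trample on one started by
  # someone else; an operator should cancel it deliberately instead.
  if (isTRUE(op$rekey_status()$started)) {
    stop("a rekey is already in progress; call rekey_cancel() first")
  }

  start <- op$rekey_start(secret_shares, secret_threshold)
  nonce <- start$nonce  # every rekey_submit() call must carry this nonce
  message("rekey started with nonce ", nonce)

  res <- NULL
  for (k in current_keys) {
    res <- op$rekey_submit(k, nonce)
    if (isTRUE(res$complete)) break
    message("rekey progress: ", res$progress, "/", res$required)
  }

  if (!isTRUE(res$complete)) {
    # Not enough valid shares were supplied. Cancel so that no partial
    # state lingers; the existing shares remain the only valid ones.
    op$rekey_cancel()
    stop("rekey did not complete; cancelled, existing shares still valid")
  }

  # The new shares replace the old ones from this point on. Hand them to
  # separate holders and never write them to a shared log.
  list(keys = res$keys, keys_base64 = res$keys_base64)
}

# Usage (assumed address; `old_shares` is assumed to hold the current
# unseal shares, e.g. those returned by init()):
# client <- vault_client(login = FALSE, addr = "http://127.0.0.1:8200")
# new_shares <- rekey_vault(client, old_shares, 5L, 3L)
```

The shares submitted must be from the current scheme; after the rekey completes, the old shares no longer unseal the vault, so the new shares should be confirmed by a seal/unseal cycle before the old ones are destroyed.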

rotate

This method triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys. Usage:

rotate()

seal

Seal the vault, preventing any access to it. The client must be authenticated with a token permitted to seal (root, or sudo capability on sys/seal). After the vault is sealed, it must be unsealed for further use. Usage:

seal()

seal_status

Check the seal status of a Vault. This method can be used even when the client is not authenticated with the vault (which will be the case for a sealed vault). Usage:

seal_status()

unseal

Submit a portion of a key to unseal the vault. This method is typically called by multiple different operators to assemble the master key. Usage:

unseal(key, reset = FALSE)

Arguments:

  • key: The master key share

  • reset: Logical, indicating if the unseal process should be started again, discarding any key shares already submitted in the current attempt.
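
The following is an added example, not code from the vaultr package or its documentation, covering the init and unseal methods above as one procedure: initialise a fresh Vault with five shares and a threshold of three, then unseal it with three of the five shares while checking progress. It assumes an uninitialised server at the address given, that vault_client(login = FALSE, addr = ...) returns an unauthenticated client (neither endpoint needs a token), and that the returned lists carry the Vault HTTP API field names (keys, keys_base64, root_token for init; sealed, progress and t for the seal status returned by unseal and seal_status).

```r
library(vaultr)

# Initialise a fresh Vault and unseal it with a threshold of shares.
# Returns the init() result (shares and root token), which is shown
# exactly once by Vault and must be stored securely by the caller.
init_and_unseal <- function(addr = "http://127.0.0.1:8200",
                            secret_shares = 5L, secret_threshold = 3L) {
  if (secret_threshold > secret_shares) {
    stop("secret_threshold must be less than or equal to secret_shares")
  }

  # login = FALSE: there is no token on an uninitialised server, and
  # init/unseal are unauthenticated endpoints anyway.
  client <- vault_client(login = FALSE, addr = addr)
  op <- client$operator

  # init() fails on an initialised server; check first to give a clear
  # message rather than an HTTP error.
  if (isTRUE(op$is_initialized())) {
    stop("Vault at ", addr, " is already initialised; refusing to init()")
  }

  res <- op$init(secret_shares, secret_threshold)
  # res$keys / res$keys_base64: the unseal shares; res$root_token: the
  # initial root token. Distribute shares to different holders and use the
  # root token only to bootstrap auth, then revoke it.

  # A freshly initialised Vault starts sealed.
  stopifnot(isTRUE(op$seal_status()$sealed))

  # Submit one share at a time and stop as soon as the threshold is met,
  # so no more shares than necessary are exposed to this process.
  for (k in res$keys[seq_len(secret_threshold)]) {
    st <- op$unseal(k)
    if (!isTRUE(st$sealed)) break
    message("unseal progress: ", st$progress, "/", st$t)
  }
  stopifnot(!isTRUE(op$seal_status()$sealed))

  res
}

# Usage (assumed local uninitialised server):
# secrets <- init_and_unseal("http://127.0.0.1:8200", 5L, 3L)
```

If a wrong share is entered part-way through, Vault cannot detect it until the threshold is reached and the combine fails; calling unseal(key, reset = TRUE) discards the partial attempt so the holders can start again from zero progress.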

Examples

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  # Our test server is by default unsealed:
  client$status()$sealed

  # We can seal the vault to prevent all access:
  client$operator$seal()
  client$status()$sealed

  # And then unseal it again
  client$operator$unseal(server$keys)
  client$status()$sealed
}
