myvault

module
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 19, 2023 License: Apache-2.0

README

myvault

Description

This little application is a prototype to interconnect Yukikey with Vault using piv mode of Yubikey. This allow to build a quick and dirty password manager where information get saved in secure way into Vault and accessible from all location where the Vault server is accessible.

Prereq

Have a yubikey (or equivalent) key supporting piv mode to store private key and authentication certificate in it. Have certificate loaed to the key Have Hashicorp Vault knowledge

Environment need

You need a working Hashicorp Vault server supporting Certificates as authentication mechanism. You can found all documentation needed in following site https://developer.hashicorp.com/vault/docs/what-is-vault

Setup the Vault and Yukibey configuration

  • Configure Vault with Auth with TLS certificate : https://developer.hashicorp.com/vault/docs/auth/cert
  • Install your Yubikey Authentication Certificate into the Auth cert uisng either the UI, the CLI or the API
  • Make sure your certificate is associated with the proper Policy that allow certificates manipulation example if your kv secret is mount to kv/* 
    # Allow a token to set kv 
path "kv/*" {
capabilities = ["create", "read", "update", "delete", "list"
}
  • Set the token TTL for the certificate to be small as possible.
  • (todo renew token if expired)

If you do not have piv or equivalent this application fallback to username/password to get Vault access. Same if your pin is Invalid

Run the application

go run cmd/cli/myvault.go

or compile it

go build cmd/cli/myvault.go

Batch Load

you can use a CSV File to load your data: the format is the following if your are using the built in secret format

SecretID, Username, Credential, URL, Comment

no header are expected on the CSV file remark: do not put ',' in the comment piece if you do not want unexpected result

Packages

The application has been splited to allow flexibility for future

Bootstrap

This feature allow you to export a secret and share a one time token to retreive it. This is done using the wrap / unwrap feature and cubbyhole to store the expose secret

TODO

  • Improve the Secret
  • Improve the Error management

Known issue with piv

in case of build or run error in linux, follow this link

https://github.com/go-piv/piv-go/issues/114

Known errors

tls: failed to verify certificate: x509: certificate signed by unknown authority

This mean that your vault server certificate is not recognized by your OS. This is most probably because your Vault certificate is using a non public CA unknow by your computeur. Follow process related to your OS to make it part of trusted CA.

Dependancies

Directories

Path Synopsis
cmd
bootstrap
cli
cubbyhole
service
token
secrets module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.