myvault

module
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 15, 2023 License: Apache-2.0

README

myvault

description

This little application is a prototype to interconnect Yukikey with Vault using piv mode of Yubikey. This allow to build a quick and dirty password manager where information get saved in secure way into Vault and accessible from all location where the Vault server is accessible.

pre req

Have a yubikey (or equivalent) key supporting piv mode to store private key and authentication certificate in it. Have certificate loaed to the key Have Hashicorp Vault knowledge

environment need

You need a working Hashicorp Vault server supporting Certificates as authentication mechanism you can found all documentation needed https://developer.hashicorp.com/vault/docs/what-is-vault

setup the Vault and Yukibey configuration

  • Configure Vault with Auth with TLS certificate : https://developer.hashicorp.com/vault/docs/auth/cert
  • Install your Yubikey Authentication Certificate into the Auth cert uisng either the UI, the CLI or the API
  • Make sure your certificate is associated with the proper Policy that allow certificates manipulation example if your kv secret is mount to kv/*
    # Allow a token to set kv 
    path "kv/*" {
    capabilities = ["create", "read", "update", "delete", "list"
    }
    
  • Set the token TTL for the certificate to be small as possible.
  • (todo renew token if expired)

If you do not have piv or equivalent this application fallback to username/password to get Vault access. Same if your pin is Invalid

Run the application

go run cmd/cli/myvault.go

or compile it

go build cmd/cli/myvault.go

Batch Load

you can use a CSV File to load your data: the format is the following: SecretID, Username, Credential, Comment no header are expected on the CSV file

TODO

Split in several files

Directories

Path Synopsis
cmd
cli
secrets module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL