A simple CLI tool for securely performing common Vault unseal key operations. Unseal keys are secured by private keys that are stored in hardware via the YubiKey OpenPGP application. Vervet streamlines Vault unseal key decryption and common unseal key workflows into single commands for ease of use. Yubico YubiKeys ensure that private keys used to decrypt Vault unseal keys are stored in hardware and non-exportable. Vervet is designed for Vault key officers responsible for managing unseal and recovery keys.
YubiKeys 5 series and above implement the OpenPGP application by emulating an ISO-compliant smart card. This allows vervet to use standard APDU commands to interact with the OpenPGP application. Vervet currently only supports Yubico YubiKeys and will ignore other smart card manufacturers. At this time, OpenPGP management operations such as key generation, key export, and PIN/PUK changes must take via other utility. GNU Privacy Guard offers full support for the OpenPGP application on ISO smart cards.
Please reference Dr. Duh's YubiKey Guide for additional information on securely generating, handling, and storing PGP keys.
- Written in uncomplicated Go (Golang)
- Simplifies common Vault unseal key workflows
- Provides a central location for securely storing Vault unseal keys
- Enables non-exportable hardware storage for PGP keys that encrypt unseal keys
- Easy to use
- Works on Mac, Linux and (maybe) Windows
$ git clone [email protected]:onryo/vervet.git
$ cd vervet
$ make installgenerate-root Generate Vault root token
help Help about any command
list List connected YubiKeys and configured Vault clusters
show Show details of YubiKeys and Vault clusters
unseal Unseal Vault by server or cluster
The default vervet configuration file location is ~/.vervet/vervet.hcl. The configuration file can be overridden at runtime with the --config flag. Keys can be specified directly in the configuration file using the keys attribute. Alternatively, keys can be placed in a separate file and linked via the key_file attribute. Vervet will open key files relative to the ~/.vervet directory. Keys located in a seprate key file should be base64 encoded and new line delimited. Any duplicate unseal keys will be automatically deduplicated.
cluster "us-west" {
servers = [
"https://prod-vault-01.example.local:8200",
"https://prod-vault-02.example.local:8200",
"https://prod-vault-03.example.local:8200"
]
keys = [
"base64-encoded Vault unseal key"
]
key_file = "us-west.pgp"
}
cluster "us-east" {
[...]
}
$ vervet list clusters # list Vault clusters defined in vervet configuration$ vervet list yubikeys # list connected YubiKeys that support OpenPGP$ vervet unseal cluster us-west # decrypts unseal key(s) and unseals us-west Vault serversTo unseal an individual server:
$ vervet unseal server prod-vault-01.example.local key_file.pgp # decrypt unseal key in key_file.pgp and unseal prod-vault-01$ vervet generate-root cluster us-west # generate token for us-west Vault clusterTo target an individual server for root token generation:
$ vervet generate-root server prod-vault-01.example.local key_file.pgp # decrypt unseal key in key_file.pgp and generate root tokenPlease use the issue tracker to report any bugs or file feature requests.
PRs are welcome. To begin developing, do this:
$ git clone [email protected]:onryo/vervet.git
$ cd vervet
$ make
$ ./bin/vervetVervet would not be possible without the following projects and resources.
- HashiCorp Vault
- ebfe/scard - Go bindings to the PC/SC API
- Go Cryptography
- Go Ethereum
- Cobra
- Viper
- Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems
- RFC 4880 - OpenPGP Message Format
- joe - README file inspiration
- Dr. Duh's YubiKey Guide