vault-exporter-importer is a command-line tool written in Go that allows you to export and import Vault secrets, encrypted at rest using age encryption.
- Export Vault Secrets: Securely export secrets from Vault, encrypting them with age.
- Import Vault Secrets: Import previously exported, age-encrypted secrets back into Vault.
- Backup To S3 Bucket: Export and upload secrets to an S3 bucket for backup.
- Dry-Run Mode: Test import and export operations without making actual changes.
- Configurable Export Directory: Specify where exported secrets should be stored.
- Configurable Logging: Adjust the logging level to suit your needs.
(!builds are coming soon!)
You can build it from source:
git clone https://github.com/openresearch/vault-exporter-importer.git
cd vault-exporter-importer
go build -o vault-exporter-importer cmd/

- Vault access configured (VAULT_ADDR and VAULT_TOKEN environment variables)
- Minio access configured (MINIO_KEY_ID and MINIO_SECRET_KEY environment variables)
- Go (if building from source).
NAME:
   vault-exporter-importer - Vault Exporter/Importer

USAGE:
   vault-exporter-importer [global options] [command [command options]]

VERSION:
   0.1.0

COMMANDS:
   import   import secrets into Vault
   export   export secrets from Vault
   backup   export and backup secrets to s3 bucket
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --exportdir value, -e value  export directory to store files (created if it does not exist) (default: "export")
   --log-level value, -l value  logging level to use (default: "info") [$LOG_LEVEL]
   --dry-run                    run in dry-run mode (just lists what would be exported) (default: false)
   --help, -h                   show help
   --version, -v                print the version
To export secrets from Vault, use the export command.
vault-exporter-importer export --mountpath /secret

- --mountpath or -m: Specifies the Vault mount path to export. (Default: all)
To import secrets into Vault, use the import command.
vault-exporter-importer import --force-overwrite

- --force-overwrite or -f: Force overwrites existing secrets in Vault. (Default: false)
To backup secrets to S3, use the backup command.
vault-exporter-importer backup --bucket backup

Global options:
- --exportdir or -e: Specifies the directory where the exported secrets are located.
- --version or -v: Displays the version of vault-exporter-importer.
- --log-level or -l: Allows you to change the log level; you can also use the environment variable $LOG_LEVEL.
- --dry-run: Allows you to run the export command in dry run mode.
- --help or -h: Displays help information.
To decrypt the secrets at rest, you can use the age tool like this:
age --decrypt -i export/.age.privatekey export/ccf90d27-55aa-6e3c-2764-e8bf4dd6e1e1/a9d26f20-f506-7650-4725-5b6f4305ffe1.json.age | jq
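A pre-backup check for the export directory, added here as an example and not part of the project: it flags an age private key readable by group or others, files without the .age suffix, and .age files that lack an age header. The function name audit_export, the finding labels and the directory layout (inferred from the decrypt command above) are assumptions.

```shell
#!/bin/sh
# Added example: audit an export directory before it is archived or uploaded.
# Layout assumed from the decrypt command above:
#   <exportdir>/.age.privatekey and <exportdir>/<id>/<id>.json.age
# Finding labels (KEY_PERMS, NOT_ENCRYPTED, BAD_HEADER) are made up for this example.

audit_export() {
    dir=${1:-export}
    key="$dir/.age.privatekey"

    findings=$(
        # 1. The age identity decrypts everything in the export: it must not be
        #    readable by group or others (ls mode columns 5-10).
        if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "KEY_PERMS $key"
        fi

        find "$dir" -type f ! -name .age.privatekey | while IFS= read -r f; do
            # 2. Anything without the .age suffix is a plaintext leftover.
            case "$f" in
                *.age) ;;
                *) echo "NOT_ENCRYPTED $f"; continue ;;
            esac
            # 3. An age file starts with the v1 header line, or with the PEM
            #    banner when it was written ASCII-armored.
            first=$(head -n 1 "$f" | tr -d '\000')
            case "$first" in
                "age-encryption.org/v1"|"-----BEGIN AGE ENCRYPTED FILE-----") ;;
                *) echo "BAD_HEADER $f" ;;
            esac
        done
    )

    # No findings: the directory passed all three checks.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_export export || echo "fix the findings before backing up"
```

The header check only confirms that a file looks like age output; decrypting a sample with the age command above is still the way to confirm the export can be restored.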
This project is licensed under the MIT License