openresearch/vault-exporter-importer

Vault Exporter/Importer

vault-exporter-importer is a command-line tool written in Go that allows you to export and import Vault secrets, encrypted at rest using age encryption.

Features

  • Export Vault Secrets: Securely export secrets from Vault, encrypting them with age.
  • Import Vault Secrets: Import previously exported, age-encrypted secrets back into Vault.
  • Backup To S3 Bucket: Export and upload secrets to an S3 bucket for backup.
  • Dry-Run Mode: Test import and export operations without making actual changes.
  • Configurable Export Directory: Specify where exported secrets should be stored.
  • Configurable Logging: Adjust the logging level to suit your needs.

Installation

(!builds are coming soon!)

You can build it from source:

git clone https://github.com/openresearch/vault-exporter-importer.git
cd vault-exporter-importer
go build -o vault-exporter-importer ./cmd/

Prerequisites

  • Vault access configured (VAULT_ADDR and VAULT_TOKEN environment variables)
  • Minio access configured (MINIO_KEY_ID and MINIO_SECRET_KEY environment variables)
  • Go (if building from source).

Usage

NAME:
   vault-exporter-importer - Vault Exporter/Importer

USAGE:
   vault-exporter-importer [global options] [command [command options]]

VERSION:
   0.1.0

COMMANDS:
   import     import secrets into Vault
   export     export secrets from Vault
   backup     export and backup secrets to s3 bucket
   help, h    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --exportdir value, -e value  export directory to store files (created if it does not exist) (default: "export")
   --log-level value, -l value  logging level to use (default: "info") [$LOG_LEVEL]
   --dry-run                    run in dry-run mode (just lists what would be exported) (default: false)
   --help, -h                   show help
   --version, -v                print the version

Exporting Secrets

To export secrets from Vault, use the export command.

vault-exporter-importer export --mountpath /secret

  • --mountpath or -m: Specifies the vault mount path to export. (Default: all)

Importing Secrets

To import secrets into Vault, use the import command.

vault-exporter-importer import --force-overwrite

  • --force-overwrite or -f: Force overwrites existing secrets in Vault. (Default: false)

Backing-up Secrets

To back up secrets to S3, use the backup command.

vault-exporter-importer backup --bucket backup

Global Options

  • --exportdir or -e: Specifies the directory where the exported secrets are located.
  • --version or -v: Displays the version of vault-exporter-importer.
  • --log-level or -l: Allows you to change the log level; you can also use the environment variable $LOG_LEVEL.
  • --dry-run: Allows you to run the export command in dry run mode.
  • --help or -h: Displays help information.

Decrypting at rest

To decrypt the secrets at rest, you can use the age tool like this:

age --decrypt -i export/.age.privatekey export/ccf90d27-55aa-6e3c-2764-e8bf4dd6e1e1/a9d26f20-f506-7650-4725-5b6f4305ffe1.json.age | jq
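
The decrypt command above shows the age private key sitting in the export directory next to the ciphertext, so that directory is worth auditing before it is copied or backed up. The following is an added example, not code from this project: it flags a key file readable by group or other and any exported file that does not start with an age header. The function name AuditExportDir and the sample tree in main are assumptions made for illustration; the key file name comes from the command above.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Every age file starts with one of these: the binary header or the ASCII armor line.
const ageBinary, ageArmor = "age-encryption.org/v1\n", "-----BEGIN AGE ENCRYPTED FILE-----"

// AuditExportDir (hypothetical helper) walks dir and reports a private key that
// group/other can read, plus any other file that is not age ciphertext.
func AuditExportDir(dir, keyName string) ([]string, error) {
	var findings []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		if d.Name() == keyName {
			info, err := d.Info()
			if err == nil && info.Mode().Perm()&0o077 != 0 {
				findings = append(findings, fmt.Sprintf("%s: key mode %04o, want 0600", p, info.Mode().Perm()))
			}
			return err
		}
		data, err := os.ReadFile(p)
		if s := string(data); err == nil && !strings.HasPrefix(s, ageBinary) && !strings.HasPrefix(s, ageArmor) {
			findings = append(findings, p+": not age-encrypted")
		}
		return err
	})
	return findings, err
}

func main() {
	// Constructed sample tree: one ciphertext, one plaintext leftover, one lax key.
	dir, _ := os.MkdirTemp("", "export")
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "a.json.age"), []byte(ageBinary+"constructed"), 0o600)
	os.WriteFile(filepath.Join(dir, "b.json"), []byte(`{"k":"v"}`), 0o600)
	key := filepath.Join(dir, ".age.privatekey") // name taken from the decrypt command
	os.WriteFile(key, []byte("constructed placeholder"), 0o600)
	os.Chmod(key, 0o644)
	fmt.Println(AuditExportDir(dir, ".age.privatekey"))
}
```

To audit a real export, call AuditExportDir with the directory passed to --exportdir (default "export").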

License

This project is licensed under the MIT License
