A Quick Overview of VaultApi
VaultApi: a self-hosted method for securing data
Introduction
VaultApi depends on both HashiCorp Vault and VeraCrypt to work its magic.
HashiCorp Vault and KeePassXC are the primary password manager applications that I'm using currently, and for the most part the entries in each should mirror each other. The functional difference between the two is that KeePassXC has a graphical interface. While HashiCorp Vault also has a web interface, the key feature VaultApi makes use of is the REST API, which it uses to perform create, read, update and delete operations on stored secrets for automation purposes.
The Vault unseal keys and root token associated with HashiCorp Vault are stored in an encrypted file that is kept in cold storage. Before the HashiCorp Vault server is started, the cold storage volume holding that file is mounted on the system using VeraCrypt.
Also, this implementation is on my non-routed network, primarily being used by my Linux systems, but any OS supporting PowerShell on the non-routed network should be able to access the Vault as a client.
Additionally, the Vault is only run on an on-demand basis.
The startup process is as follows:
VaultApi start
VaultApi unseal
VaultApi login
VaultApi KeyPaths
The command VaultApi KeyPaths dumps a list of key paths to a local file to make finding key paths simpler. Treat that file as sensitive too: the path names alone reveal what the Vault holds.
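The unseal and login steps above each correspond to one or two calls against the Vault HTTP API. The following is an added example written for this page, not code taken from VaultApi.ps1; it assumes (none of this is stated in the article) that the server listens at $VaultAddr, and that the unseal key shares and root token have already been read from the VeraCrypt-mounted cold storage file into $UnsealKeys and $RootToken. The endpoints used (sys/seal-status, sys/unseal, auth/token/lookup-self, auth/userpass/login) are Vault's documented ones.

```powershell
# Added example, not code from VaultApi.ps1: the Vault HTTP API calls behind the
# "VaultApi unseal" and "VaultApi login" steps. Assumptions (not from the
# article): the server listens at $VaultAddr, and the unseal key shares and
# root token have already been read from the VeraCrypt-mounted cold storage
# file into $UnsealKeys and $RootToken.
$VaultAddr  = 'http://127.0.0.1:8200'                      # assumption
$UnsealKeys = @('<share-1>', '<share-2>', '<share-3>')    # placeholders
$RootToken  = '<root-token>'                              # placeholder

function Get-VaultSealStatus {
    # Unauthenticated endpoint: reports sealed/initialized, the version, and the
    # Shamir parameters n (shares issued) and t (shares needed to unseal).
    Invoke-RestMethod -Method Get -Uri "$VaultAddr/v1/sys/seal-status"
}

function Invoke-VaultUnseal {
    param([Parameter(Mandatory)][string[]]$Shares)
    $status = Get-VaultSealStatus
    if (-not $status.initialized) { throw 'Vault is not initialized; nothing to unseal.' }
    if (-not $status.sealed)      { return $status }
    # Shares are submitted one per request; Vault reports progress after each,
    # and only t of the n shares are needed, so stop as soon as it is unsealed.
    foreach ($share in $Shares) {
        $body   = @{ key = $share } | ConvertTo-Json -Compress
        $status = Invoke-RestMethod -Method Put -Uri "$VaultAddr/v1/sys/unseal" `
                      -ContentType 'application/json' -Body $body
        if (-not $status.sealed) { break }
    }
    if ($status.sealed) {
        throw "Still sealed after $($Shares.Count) shares (threshold t=$($status.t) of n=$($status.n))."
    }
    $status
}

function Test-VaultToken {
    # lookup-self validates a token without needing any extra policy and shows
    # what it can do before it is used for anything else.
    param([Parameter(Mandatory)][string]$Token)
    $resp = Invoke-RestMethod -Method Get -Uri "$VaultAddr/v1/auth/token/lookup-self" `
                -Headers @{ 'X-Vault-Token' = $Token }
    [pscustomobject]@{
        Policies = ($resp.data.policies -join ',')
        TtlSecs  = $resp.data.ttl
        IsRoot   = [bool]($resp.data.policies -contains 'root')
    }
}

function Connect-VaultUserpass {
    # Alternative to the root token for day-to-day use: log in with the userpass
    # auth method and get back a token limited to that user's policies.
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $body  = @{ password = $plain } | ConvertTo-Json -Compress
    $resp  = Invoke-RestMethod -Method Post -Uri "$VaultAddr/v1/auth/userpass/login/$User" `
                 -ContentType 'application/json' -Body $body
    $resp.auth.client_token
}

$status = Invoke-VaultUnseal -Shares $UnsealKeys
'sealed={0} version={1} n={2} t={3}' -f $status.sealed, $status.version, $status.n, $status.t
Test-VaultToken -Token $RootToken | Format-List
```

The last two lines reproduce what the status and login steps report. Checking the token with lookup-self before doing anything else is the cheap way to confirm that the root token is really what was mounted from cold storage; for routine reads, a userpass token with a narrower policy is the safer thing to keep in the session.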
Inquiry operation with VaultApi
The path lookup process is as follows:
VaultApi FindPaths Vehicle
This command returns a list of paths matching the specified value of Vehicle.
VaultApi FindPaths Vehicle
kv1/Vehicle/1995-Mustang-GT500
kv1/Vehicle/2003-DodgeViper
kv1/Vehicle/2012-Nissan
kv1/Vehicle/2016-Telsa
To look up all the keys associated with a given path:
VaultApi kv1Read kv1/Vehicle/2012-Nissan -kvkey _ReturnKeys
plate
VIN
To return a value associated with a key of a given path to the clipboard:
VaultApi kv1Read kv1/Vehicle/2012-Nissan -kvkey plate
If the -Raw option is included, the value is written to the console instead. Note that the clipboard is readable by any other process in the same session, and clipboard managers may keep a history, so clear it once the value has been pasted.
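KeyPaths, FindPaths and kv1Read are all built from two KV version 1 endpoints: a LIST on a folder and a GET on a secret. The block below is an added example, not the script's own code, showing the recursive walk and the read with the same _ReturnKeys convention the article uses. It assumes $VaultAddr and a token are already set, and that the mount is named kv1 as in the article; the path names in the usage lines are the article's sample data.

```powershell
# Added example, not code from VaultApi.ps1: KeyPaths / FindPaths / kv1Read
# expressed directly against the KV v1 HTTP API. Assumptions: $VaultAddr and
# $Token are set (see the unseal example); the mount is named "kv1".
$VaultAddr = 'http://127.0.0.1:8200'   # assumption
$Token     = '<token>'                 # placeholder
$Headers   = @{ 'X-Vault-Token' = $Token }

function Get-Kv1Paths {
    # Recursively walk a KV v1 mount. A LIST on a folder returns data.keys;
    # entries with a trailing "/" are sub-folders, everything else is a secret.
    param([string]$Path = 'kv1')
    $uri = "$VaultAddr/v1/$Path/?list=true"
    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    } catch {
        # A leaf path or an empty folder returns 404 on LIST: no children.
        return @()
    }
    foreach ($key in $resp.data.keys) {
        if ($key.EndsWith('/')) { Get-Kv1Paths -Path ("$Path/" + $key.TrimEnd('/')) }
        else                    { "$Path/$key" }
    }
}

function Find-Kv1Paths {
    # FindPaths: substring match (case-insensitive, as -like is by default).
    param([Parameter(Mandatory)][string]$Pattern)
    Get-Kv1Paths | Where-Object { $_ -like "*$Pattern*" }
}

function Read-Kv1Secret {
    # kv1Read: with the article's _ReturnKeys marker, return only the key names.
    param([Parameter(Mandatory)][string]$Path, [string]$Key = '_ReturnKeys')
    $data = (Invoke-RestMethod -Method Get -Uri "$VaultAddr/v1/$Path" -Headers $Headers).data
    if ($Key -eq '_ReturnKeys') { return $data.PSObject.Properties.Name }
    if (-not $data.PSObject.Properties[$Key]) { throw "No key '$Key' at $Path" }
    $data.$Key
}

Get-Kv1Paths | Set-Content -Path "$HOME/vault-keypaths.txt"      # KeyPaths
Find-Kv1Paths -Pattern 'Vehicle'                                  # e.g. kv1/Vehicle/2012-Nissan
Read-Kv1Secret -Path 'kv1/Vehicle/2012-Nissan'                    # plate, VIN
Read-Kv1Secret -Path 'kv1/Vehicle/2012-Nissan' -Key plate | Set-Clipboard
```

The walk needs only list capability on the folders, so a token used for path discovery does not have to be able to read the secrets themselves; that separation is worth keeping in the policy attached to any non-root token.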
Update and Add operations with VaultApi
To add a new key/value pair to an existing path:
VaultApi kv1Update kv1/Vehicle/2012-Nissan 21000000 -kvkey mileage
To add a new path and key/value pair:
VaultApi kv1Create kv1/Vehicle/2025-Lambo Bitcoin -kvkey plate
List operation with VaultApi
To list the 2nd level path names (the default level 1 path name is "kv1"):
VaultApi kv1list
To list 3rd level path names:
VaultApi kv1list kv1/Vehicle
Delete operation with VaultApi
To delete a path and its associated key/value pairs:
VaultApi kv1Delete kv1/Vehicle/2012-Nissan
To delete just a single key/value pair for a given path, use the HashiCorp Vault web interface.
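The reason the script defers single-key deletion to the web interface is a property of KV version 1 worth knowing before automating updates: a write to a path replaces every key stored there, and there is no per-key delete endpoint. Adding a key, changing one key, and removing one key therefore all come down to read the secret, edit it, write the whole thing back. The block below is an added example, not the script's own implementation, of kv1Create, kv1Update and single-key removal done that way; it also matches the Kv1Create flow (check login, verify the path does not exist, write) described later in the script explanation. It assumes $VaultAddr and a token header as in the earlier examples; the paths and values are the article's samples.

```powershell
# Added example, not code from VaultApi.ps1. KV v1 has no partial update and
# no per-key delete: POST to a path replaces all keys at that path. So every
# single-key change is read, modify the hashtable, write everything back.
# Assumptions: $VaultAddr and $Headers as in the earlier examples.
$VaultAddr = 'http://127.0.0.1:8200'           # assumption
$Headers   = @{ 'X-Vault-Token' = '<token>' }  # placeholder

function Get-Kv1Data {
    # Returns the secret at $Path as a hashtable, or an empty one if absent.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $d = (Invoke-RestMethod -Method Get -Uri "$VaultAddr/v1/$Path" -Headers $Headers).data
    } catch { return @{} }
    $h = @{}
    foreach ($p in $d.PSObject.Properties) { $h[$p.Name] = $p.Value }
    $h
}

function Set-Kv1Data {
    # Writes the complete set of keys; anything not in $Data is gone afterwards.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][hashtable]$Data)
    $body = $Data | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Post -Uri "$VaultAddr/v1/$Path" -Headers $Headers `
        -ContentType 'application/json' -Body $body | Out-Null
}

function New-Kv1Secret {
    # kv1Create semantics: refuse to clobber an existing path.
    param([string]$Path, [string]$Key, [string]$Value)
    if ((Get-Kv1Data $Path).Count -gt 0) { throw "$Path already exists; use Update-Kv1Key" }
    Set-Kv1Data -Path $Path -Data @{ $Key = $Value }
}

function Update-Kv1Key {
    # kv1Update semantics: merge one key so the other keys at the path survive.
    param([string]$Path, [string]$Key, [string]$Value)
    $data = Get-Kv1Data $Path
    if ($data.Count -eq 0) { throw "$Path does not exist; use New-Kv1Secret" }
    $data[$Key] = $Value
    Set-Kv1Data -Path $Path -Data $data
}

function Remove-Kv1Key {
    # Single key/value removal: write the path back without that key.
    param([string]$Path, [string]$Key)
    $data = Get-Kv1Data $Path
    if (-not $data.ContainsKey($Key)) { throw "No key '$Key' at $Path" }
    $data.Remove($Key)
    if ($data.Count -eq 0) {
        # Nothing left: delete the path itself (kv1Delete semantics).
        Invoke-RestMethod -Method Delete -Uri "$VaultAddr/v1/$Path" -Headers $Headers | Out-Null
    } else {
        Set-Kv1Data -Path $Path -Data $data
    }
}

New-Kv1Secret -Path 'kv1/Vehicle/2025-Lambo'  -Key plate   -Value 'Bitcoin'
Update-Kv1Key -Path 'kv1/Vehicle/2012-Nissan' -Key mileage -Value '21000000'
Remove-Kv1Key -Path 'kv1/Vehicle/2012-Nissan' -Key mileage
```

The read-modify-write is not atomic: two clients editing the same path at the same time will have one silently overwrite the other's key. That is acceptable for a single-user Vault run on demand, as described here; for anything with concurrent writers, KV version 2 provides check-and-set (the cas option) so a stale write is rejected instead.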
Other VaultApi operations
To launch the HashiCorp Vault web interface:
VaultApi WebUI
To return status information about the Vault:
VaultApi status
sealed initialized version n t
----- ----------- ------- - -
False True 1.15.6 5 3
To return process information about the Vault (the trailing number in the output is the server's process ID):
VaultApi Check
Hashicorp Vault (v1.15.6) is running...116147
To show the hash value of the VaultApi script (the experimental change-detection aid added in version 0.5.7):
VaultApi ShowHash
3D47628ECB3FA0E7DBD28BA7606CE5BF
The 32 hex digits are the length of an MD5 digest. A script that hashes itself cannot detect a modified copy that also alters the reported hash, so for real change detection compare the value against a hash computed independently (for example with Get-FileHash) and recorded somewhere the script cannot write, such as the cold storage volume.
To return a 20-character randomized value to the clipboard:
VaultApi SetValue
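The article does not show how SetValue (and the setvalue keyword accepted by Kv1Create and Kv1Update, described later under Important Logic Flows) produces its 20 characters, so the following is an added example of how a generator like that should be written, not the script's own code. Two things matter: the bytes must come from a cryptographic RNG rather than Get-Random, and mapping a byte onto the alphabet with a plain modulo skews the distribution toward the first characters, so out-of-range bytes are rejected and drawn again. The alphabet is an assumption chosen for the example.

```powershell
# Added example, not VaultApi.ps1's SetValue implementation (the article does
# not show it). A 20-character value from a cryptographic RNG with rejection
# sampling, so every character of the alphabet is equally likely.
function New-RandomValue {
    param(
        [int]$Length = 20,
        # Assumed alphabet (74 symbols); adjust to what the consuming system accepts.
        [string]$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $n     = $Alphabet.Length
    $limit = 256 - (256 % $n)        # largest multiple of $n that fits in a byte
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -ge $limit) { continue }   # reject: would bias toward low indices
        $chars[$i] = $Alphabet[$buf[0] % $n]
        $i++
    }
    $rng.Dispose()
    -join $chars
}

function Get-ValueEntropyBits {
    # Entropy of a uniformly drawn value: Length * log2(alphabet size).
    param([int]$Length = 20, [int]$AlphabetSize = 74)
    [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)
}

$value = New-RandomValue
Get-ValueEntropyBits           # about 124 bits with the defaults
Set-Clipboard -Value $value
```

On .NET 6 and later (PowerShell 7.2+), [System.Security.Cryptography.RandomNumberGenerator]::GetInt32(0, $n) does the unbiased draw in one call; the byte-and-reject loop above is what works on Windows PowerShell 5.1 as well.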
To create a backup of the HashiCorp Vault (you must be logged in with the root token):
VaultApi Backup
A snapshot file will be created in the $HOME/Downloads directory by default. The snapshot contains Vault's data still encrypted under its barrier key, so restoring it needs the unseal keys as well; move it out of Downloads and keep it apart from the cold storage key file, since the two together are full access to every secret.
To stop the HashiCorp Vault server:
VaultApi seal
The vault is sealed.
VaultApi stop
The server is stopped.
To get help information about VaultApi:
Get-Help VaultApi -Full | more
OR
Get-Help VaultApi -Examples | more
Other References
Here are some past articles I wrote about setting up HashiCorp Vault and VeraCrypt.
Bitcoin and key/value using Hashicorp Vault
Bitcoin and Cold Storage using VeraCrypt
More information on VaultApi.
Cody AI Analysis Summary of VaultApi.ps1
The VaultApi.ps1 script is generally well-structured and follows many PowerShell best practices. It has comprehensive documentation, version history, and clear parameter definitions. The suggestions below would further enhance what is already a solid codebase. The author has clearly put significant effort into making the script functional and user-friendly, with good attention to cross-platform compatibility and security considerations.
VaultApi.ps1 Explanation
VaultApi.ps1 is a PowerShell script that helps users interact with HashiCorp Vault, which is a tool for securely storing and managing sensitive information like passwords and API keys.
Purpose of the Code
This script makes it easier to use Vault by providing simple commands to start the Vault server, unlock it (unseal), log in, store secrets, retrieve secrets, and shut down the server. Think of it as a friendly interface that simplifies all the complex operations you would otherwise need to do manually with Vault.
Inputs
The script takes several inputs:
An action parameter that tells the script what operation to perform (like Start, Stop, Kv1Create, Kv1Read)
A kvpath parameter that specifies where in Vault to store or retrieve information
A kvalue parameter for the actual secret value you want to store
A kvkey parameter that lets you specify a custom name for your secret
Optional switches like -Info to show more detailed information and -Raw to display output directly instead of copying to clipboard
Outputs
Depending on the action performed, the script produces different outputs:
Text messages in the console showing the status of operations
Secret values retrieved from Vault (either displayed or copied to clipboard)
Lists of available secret paths
Status information about the Vault server
Backup files of your Vault data
How It Works
The script works by:
First checking if Vault is installed and running
Setting up communication with the Vault server using its API address
Performing the requested action by sending the appropriate commands to Vault
Processing any responses and displaying results to the user
For example, when you use the Kv1Create action, the script:
Checks if you're logged in
Verifies the path doesn't already exist
Formats your data correctly
Sends a request to Vault to create the new secret
Shows you the result
Important Logic Flows
Some key processes in the script include:
Authentication flow: The script helps you log in using either a token or username/password, then stores your authentication token for future commands.
Unsealing process: Vault requires multiple keys to unlock (unseal) it after starting. The script can retrieve these keys from a secure file or prompt you to enter them.
Secret management: The script handles creating, reading, updating, and deleting secrets, supporting both single values and multiple key-value pairs at a path.
Path management: The script can list all available paths and help you search for specific ones, making it easier to organize and find your secrets.
Value generation: When creating or updating secrets, you can use the keyword setvalue to automatically generate a random 20-character value, which is then copied to your clipboard.
The script uses a configuration file in your home directory to know how to connect to Vault, and it can optionally use encrypted files to store sensitive information like unlock keys. It communicates with Vault using REST API calls, which are like special messages that tell Vault what to do.
In summary, VaultApi.ps1 is a helper tool that makes it much easier to use HashiCorp Vault for securely storing and managing your sensitive information, without needing to remember all the complex commands and procedures.
| Version | Date | Whom | Notes |
|---|---|---|---|
| 0.6.4 | 02/18/2025 | cadayton | Added optional feature supporting encryption of the VaultApi.json file. |
| 0.6.3 | 05/18/2024 | cadayton | Backup option now uses CLI command to create snapshot file |
| 0.6.2 | 05/18/2024 | cadayton | Kv1Read kvKey param _ReturnKeys returns list of keys in a path |
| 0.6.1 | 03/09/2024 | cadayton | On 'Vault Stop' command history is cleared. |
| 0.6.0 | 03/04/2024 | cadayton | Default is to read vault keys from VaultApi.json in the .ssh directory |
| 0.5.9 | 02/28/2024 | cadayton | SetValue action creates randomized 20 char value; Kv1Create and Kv1Update support key word 'setvalue' for a keyvalue |
| 0.5.8 | 02/27/2024 | cadayton | Kv1Read output defaults to the clipboard |
| 0.5.7 | 02/26/2024 | cadayton | Experimental ShowHash action to detect code changes |