Easily start, unseal, log in to, seal, and stop the Hashicorp Vault server.
The Hashicorp Vault server is intended to be restricted to a non-routed home network and run only on an "on-demand" basis.
Supports all CRUD operations for interacting with the kv Secrets Engine (v1).
This implementation supports both a single path holding one key/value pair and a single path holding multiple key/value pairs.
For remote access to the Vault server, the script can be copied, along with config.hcl, to other computers on the non-routed network.
THE SETUP SHOULD BE LIMITED TO A NON-ROUTED NETWORK.
This script can be executed on any device supporting PowerShell Core.
Currently only tested on Linux.
PS> Get-Help VaultApi
PS> Get-Help VaultApi -full
PS> Get-Help VaultApi -Examples
The -Examples option shows the full set of commands.
SYNTAX
VaultApi [-action] <String> [-kvpath] <String> [-kvalue] <String> [-kvkey] <String> [-info] <switch> [-Raw] <switch>
Version  Date        Whom      Notes
=======  ==========  ========  =====================================================
0.6.4    02/18/2025  cadayton  Added optional feature supporting encryption of the VaultApi.json file.
0.6.3    05/18/2024  cadayton  Backup option now uses CLI command to create snapshot file.
0.6.2    05/18/2024  cadayton  Kv1Read kvKey param "_ReturnKeys" returns list of keys in a path.
0.6.1    03/09/2024  cadayton  On 'Vault Stop' command history is cleared.
0.6.0    03/04/2024  cadayton  Default is to read vault keys from VaultApi.json in the .ssh directory.
0.5.9    02/28/2024  cadayton  SetValue action creates randomized 20 char value.
                               Kv1Create and Kv1Update support key word 'setvalue' for a key value.
0.5.8    02/27/2024  cadayton  Kv1Read output defaults to the clipboard rather than the console.
                               Raw switch overrides this default.
0.5.7    02/27/2024  cadayton  Experimental ShowHash action to detect code changes.
0.5.6    02/26/2024  cadayton  Added FindPaths for searching for paths matching a pattern.
0.5.5    02/25/2024  cadayton  Added support for multiple key/value pairs per path.
0.5.4    02/24/2024  cadayton  Added KeyPaths functionality.
0.5.3    02/23/2024  cadayton  Added snapshot backup of the Vault data.
0.5.2    02/21/2024  cadayton  Update allows reading of a specific key name.
                               Added logic to prevent overwrite of path with multiple key/value entries.
0.5.1    02/20/2024  cadayton  Updates to make the script OS neutral.
0.5.0    01/25/2024  cadayton  Initial release.
The input file $HOME/config.hcl is the Hashicorp Vault server configuration. Note that this listener binds every interface (0.0.0.0:8200) and disables TLS, so API traffic, including unseal keys, passwords and tokens, crosses the network in cleartext. That is the reason the setup must stay on a non-routed network.
ui = true
disable_mlock = true
storage "raft" {
path = "./vault/data"
node_id = "my computer name"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = "true"
}
api_addr = "http://192.168.5.209:8200"
cluster_addr = "https://192.168.5.209:8201"
A Linux-based computer on a non-routed home network.
Hashicorp Vault server installed, with config.hcl located in the home directory.
Install GPaste (plus xclip/xsel) for clipboard functionality:
sudo apt install xclip xsel
sudo apt install gpaste
See the following links for a guide on how to set up a Bitcoin wallet and use it with cold storage:
Bitcoin and key/value using Hashicorp Vault
Previous versions only supported an unencrypted VaultApi.json file in the .ssh directory.
Version 0.6.4 optionally supports encrypting VaultApi.json.
To use this feature, the PSKeybase module and gpg must be installed. The Keybase client itself is not required.
Encrypt VaultApi.json
Add-PSKEncryption -FolderPath $HOME/.ssh/VaultApi.json -NoKB
You'll be prompted for a passphrase token used to decrypt the file. VaultApi.json.gpg is created and VaultApi.json is removed.
Securely save the passphrase token
Get-Credential | Export-Clixml -Path $HOME/.ssh/token.xml
Export-Clixml protects the password with the user's DPAPI key only on Windows. PowerShell on Linux has no DPAPI, so the password in token.xml is not encrypted (only encoded) and the file must be treated as a plaintext secret.
Store the token file on offline media
A more secure method of maintaining the token file is to keep it on offline media and mount it only when needed.
Create a new configuration file in your home directory called configv.hcl with the following content.
# config for VaultApi.ps1
# where is token.xml file located. on startup value is stored in environmental variable VAULT_MEDIA
vault_media = /media/veracrypt3/token.xml
Before starting Hashicorp Vault, mount the offline media so the token file is available; without it the encrypted VaultApi.json cannot be read and the Vault cannot be unsealed.
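The procedure above (read the token location from configv.hcl, make sure the offline media is mounted, decrypt VaultApi.json.gpg) is shown below as an added PowerShell example. It is not the code of VaultApi.ps1 or PSKeybase; it assumes configv.hcl holds a single "vault_media = <path>" line and that the .gpg file is symmetric (passphrase) gpg encryption, as the passphrase prompt suggests. The function names are illustrative.

```powershell
# Added example, not VaultApi.ps1 code. Fails closed when the offline media is absent
# instead of prompting, which would defeat keeping the token off the host.

function Get-VaultMediaPath {
    # Parse "vault_media = /path/token.xml" from configv.hcl (assumed single-line format).
    param([string]$ConfigPath = (Join-Path $HOME 'configv.hcl'))
    if (-not (Test-Path $ConfigPath)) { throw "Missing $ConfigPath" }
    $line = Get-Content $ConfigPath |
        Where-Object { $_ -match '^\s*vault_media\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw "configv.hcl has no vault_media entry" }
    # Accept optional quotes around the value.
    return ($line -split '=', 2)[1].Trim().Trim('"')
}

function Get-VaultPassphrase {
    $tokenPath = Get-VaultMediaPath
    # A missing file means the media is not mounted: stop here, do not fall back to a prompt.
    if (-not (Test-Path $tokenPath)) {
        throw "token.xml not found at $tokenPath. Mount the offline media first."
    }
    $env:VAULT_MEDIA = $tokenPath
    $cred = Import-Clixml -Path $tokenPath
    return $cred.GetNetworkCredential().Password
}

function Unprotect-VaultApiJson {
    # Decrypt the symmetric gpg file (assumption) and return the parsed JSON object.
    param([string]$GpgFile = (Join-Path $HOME '.ssh/VaultApi.json.gpg'))
    if (-not (Test-Path $GpgFile)) { throw "Missing $GpgFile" }
    $passphrase = Get-VaultPassphrase
    # Feed the passphrase on stdin (fd 0) so it never appears in the process list.
    $lines = $passphrase | gpg --batch --quiet --pinentry-mode loopback `
        --passphrase-fd 0 --decrypt $GpgFile
    if ($LASTEXITCODE -ne 0) { throw "gpg decryption failed (exit $LASTEXITCODE)" }
    return ($lines -join "`n") | ConvertFrom-Json
}

# Usage: run after mounting the offline media, before starting Vault.
# $vaultKeys = Unprotect-VaultApiJson
```

Keeping the decrypted content in a variable rather than writing VaultApi.json back to disk preserves the point of the encryption step; the plaintext exists only for the lifetime of the PowerShell session.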
Valid values for the action parameter
"Start" # Start the Hashicorp Vault server
"Stop" # Stop the Hashicorp Vault server
"Check" # Check Vault running process info
"Status" # Hashicorp Vault status info
"login" # username or token login
"Seal" # Seal the Hashicorp Vault server
"Unseal" # UnSeal the Hashicorp Vault server
"WebUI" # Launch the Web UI
"Kv1List" # List existing Key paths
"Kv1Read" # return VALUE of a key/value pair
"Kv1Create" # create a key/value pair
"Kv1Delete" # delete a key/value pair
"Kv1Update" # update existing key/value pair with new value
"Backup" # Snapshot file backup of the Vault data
"KeyPaths" # List all entries in a path
"FindPaths" # Search for specific path(s) matching a pattern
"SetValue" # Creates a randomized 20 char value and copies it to the clipboard
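The Status, Unseal and login actions correspond to three Vault HTTP API calls. The block below is an added PowerShell example of that sequence, not the script's own implementation. It assumes VAULT_ADDR matches the api_addr in config.hcl (the default below is taken from there) and that the unseal shares come from whatever store the script uses, passed in as a parameter because the VaultApi.json layout is not described on this page.

```powershell
# Added example, not VaultApi.ps1 code: seal status, Shamir unseal, userpass login over
# the Vault HTTP API. Default address assumed from api_addr in config.hcl.
$VaultAddr = if ($env:VAULT_ADDR) { $env:VAULT_ADDR } else { 'http://192.168.5.209:8200' }

function Get-VaultSealStatus {
    # GET /v1/sys/seal-status needs no token; fields used: sealed, progress, t (threshold).
    Invoke-RestMethod -Method Get -Uri "$VaultAddr/v1/sys/seal-status"
}

function Invoke-VaultUnseal {
    param([Parameter(Mandatory)][string[]]$UnsealKeys)
    $status = Get-VaultSealStatus
    if (-not $status.sealed) { Write-Host 'Vault is already unsealed'; return $status }
    # Submit one share per call and stop at the threshold, so no more shares than
    # necessary travel over the TLS-less listener in config.hcl.
    foreach ($key in $UnsealKeys) {
        $body = @{ key = $key } | ConvertTo-Json
        $status = Invoke-RestMethod -Method Put -Uri "$VaultAddr/v1/sys/unseal" `
            -Body $body -ContentType 'application/json'
        if (-not $status.sealed) { break }
    }
    if ($status.sealed) {
        throw "Still sealed after $($status.progress) of $($status.t) required shares"
    }
    return $status
}

function Connect-VaultUserpass {
    # POST /v1/auth/userpass/login/<username> with {"password": ...}
    param([Parameter(Mandatory)][pscredential]$Credential)
    $user = $Credential.UserName
    $body = @{ password = $Credential.GetNetworkCredential().Password } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri "$VaultAddr/v1/auth/userpass/login/$user" -Body $body -ContentType 'application/json'
    # The client token is itself a credential: export it only to this process's
    # environment and do not return or print it.
    $env:VAULT_TOKEN = $resp.auth.client_token
    return [pscustomobject]@{
        policies = $resp.auth.policies
        ttl      = $resp.auth.lease_duration
    }
}

# Usage (shares and credential supplied by the caller):
# Invoke-VaultUnseal -UnsealKeys $vaultKeys.unseal_keys   # property name is illustrative
# Connect-VaultUserpass -Credential (Get-Credential bitcoin)
```

Stopping at the threshold matters: each share submitted in cleartext over the listener above is one share an on-path observer gets for free, so the loop exits as soon as Vault reports it is unsealed.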
See the Get-Help above for the full set of examples.
In this set of commands you'll not see prompts for a password
or for keys to unseal the Vault, because the values are
retrieved from the VaultApi.json file or the Keybase KV store.
VaultApi Start
Do you want to START Hashicorp Vault? [Yes or No]: Yes
Vault Unseal
Unseal the Vault [Yes or No]: Yes
Vault login
Choose a login method [token or userpass] userpass
Enter username: bitcoin
Enter password: ********
VAULT_TOKEN set to bitcoin
VaultApi Kv1Create /kv1/API/Test10 testvalue
Creates a new path with the key/value pair "Test10/testvalue".
**Note**: Test10 is both the last item name in the path
and the key name associated with 'testvalue'.
VaultApi Kv1List /kv1/API
Test10
Tester1
VaultApi Kv1Read kv1/API/Test10
testvalue
VaultApi Kv1Update kv1/API/Test10 newvalue
newvalue
VaultApi Kv1Delete kv1/API/Test10
VaultApi Seal
Seal the Vault [Yes or No]: Yes
Vault has been sealed
VaultApi Stop
Do you want to STOP Hashicorp Vault? [Yes or No]: Yes
Stopping Hashicorp Vault...117030
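The Kv1Create/Kv1List/Kv1Read/Kv1Update/Kv1Delete steps in the walkthrough map onto the kv v1 HTTP API. The block below is an added PowerShell example of those calls, not VaultApi.ps1's code. It assumes VAULT_ADDR and VAULT_TOKEN are already set (for example by the login step), that the mount is "kv1" as in the example paths, and it adds the one safeguard the version history mentions: kv v1 has no partial update, a write replaces everything stored at a path, so an update reads the existing pairs and merges before writing back.

```powershell
# Added example, not VaultApi.ps1 code: kv v1 CRUD over the Vault HTTP API with
# read-merge-write on update so multi-key paths are not clobbered.
$VaultAddr = if ($env:VAULT_ADDR) { $env:VAULT_ADDR } else { 'http://192.168.5.209:8200' }
$Headers   = @{ 'X-Vault-Token' = $env:VAULT_TOKEN }

function Get-Kv1Uri {
    param([string]$Path)
    # Accept both "kv1/API/Test10" and "/kv1/API/Test10" as the walkthrough does.
    "$VaultAddr/v1/$($Path.TrimStart('/'))"
}

function Get-Kv1 {
    # GET returns {"data": {key: value, ...}}; $null if the path does not exist.
    param([Parameter(Mandatory)][string]$Path)
    try {
        (Invoke-RestMethod -Method Get -Uri (Get-Kv1Uri $Path) -Headers $Headers).data
    } catch {
        if ($_.Exception.Response.StatusCode -eq 404) { return $null }
        throw
    }
}

function Get-Kv1Keys {
    # LIST is GET with ?list=true; returns the child names under a path.
    param([Parameter(Mandatory)][string]$Path)
    (Invoke-RestMethod -Method Get -Uri "$(Get-Kv1Uri $Path)?list=true" -Headers $Headers).data.keys
}

function Set-Kv1 {
    # Create or update. A kv v1 write replaces the whole path, so merge first:
    # updating Test10 at a path that also holds Tester1 must not drop Tester1.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Pairs
    )
    $merged   = @{}
    $existing = Get-Kv1 -Path $Path
    if ($existing) {
        foreach ($p in $existing.PSObject.Properties) { $merged[$p.Name] = $p.Value }
    }
    foreach ($k in $Pairs.Keys) { $merged[$k] = $Pairs[$k] }
    Invoke-RestMethod -Method Put -Uri (Get-Kv1Uri $Path) -Headers $Headers `
        -Body ($merged | ConvertTo-Json) -ContentType 'application/json' | Out-Null
    return $merged
}

function Remove-Kv1 {
    # DELETE removes every pair at the path.
    param([Parameter(Mandatory)][string]$Path)
    Invoke-RestMethod -Method Delete -Uri (Get-Kv1Uri $Path) -Headers $Headers | Out-Null
}

# Walkthrough equivalent. The last path element doubles as the key name.
# $path = 'kv1/API/Test10'
# $leaf = Split-Path -Leaf $path                        # Test10
# Set-Kv1 -Path $path -Pairs @{ $leaf = 'testvalue' }   # Kv1Create
# Get-Kv1Keys -Path 'kv1/API'                           # Kv1List
# (Get-Kv1 -Path $path).$leaf                           # Kv1Read
# Set-Kv1 -Path $path -Pairs @{ $leaf = 'newvalue' }    # Kv1Update
# Remove-Kv1 -Path $path                                # Kv1Delete
```

The merge in Set-Kv1 is the protection the 0.5.2 entry in the version history describes; without it, a Kv1Update of one key on a path with several pairs silently deletes the others.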