myvault

module

v1.0.2 Latest Latest Go to latest Published: Nov 19, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/abruno06/myvault

Links

Open Source Insights

README ¶

myvault

Description

This little application is a prototype to interconnect Yukikey with Vault using piv mode of Yubikey. This allow to build a quick and dirty password manager where information get saved in secure way into Vault and accessible from all location where the Vault server is accessible.

Prereq

Have a yubikey (or equivalent) key supporting piv mode to store private key and authentication certificate in it. Have certificate loaed to the key Have Hashicorp Vault knowledge

Environment need

You need a working Hashicorp Vault server supporting Certificates as authentication mechanism. You can found all documentation needed in following site https://developer.hashicorp.com/vault/docs/what-is-vault

Setup the Vault and Yukibey configuration

Configure Vault with Auth with TLS certificate : https://developer.hashicorp.com/vault/docs/auth/cert
Install your Yubikey Authentication Certificate into the Auth cert uisng either the UI, the CLI or the API
Make sure your certificate is associated with the proper Policy that allow certificates manipulation example if your kv secret is mount to kv/*
```
# Allow a token to set kv 
path "kv/*" {
capabilities = ["create", "read", "update", "delete", "list"
}
```
Set the token TTL for the certificate to be small as possible.
(todo renew token if expired)

If you do not have piv or equivalent this application fallback to username/password to get Vault access. Same if your pin is Invalid

Run the application

go run cmd/cli/myvault.go

or compile it

go build cmd/cli/myvault.go

Batch Load

you can use a CSV File to load your data: the format is the following if your are using the built in secret format

SecretID, Username, Credential, URL, Comment

no header are expected on the CSV file remark: do not put ',' in the comment piece if you do not want unexpected result

Packages

The application has been splited to allow flexibility for future

Bootstrap

This feature allow you to export a secret and share a one time token to retreive it. This is done using the wrap / unwrap feature and cubbyhole to store the expose secret

TODO

Improve the Secret
Improve the Error management

Known issue with piv

in case of build or run error in linux, follow this link

https://github.com/go-piv/piv-go/issues/114

Known errors

tls: failed to verify certificate: x509: certificate signed by unknown authority

This mean that your vault server certificate is not recognized by your OS. This is most probably because your Vault certificate is using a non public CA unknow by your computeur. Follow process related to your OS to make it part of trusted CA.

Dependancies

Directories ¶

Path	Synopsis
cmd
bootstrap
cli
cubbyhole
service
token
config
crypto
interactif
secret
secrets module
securestore
smartcard

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL