README

Vault Build Status vault enterprise


Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.


Vault Logo

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

The key features of Vault are:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.

  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.

  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.

  • Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.

  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

For more information, see the introduction section of the Vault website.

Getting Started & Documentation

All documentation is available on the Vault website.

Developing Vault

If you wish to work on Vault itself or any of its built-in systems, you'll first need Go installed on your machine (version 1.10.1+ is required).

For local dev first make sure Go is properly installed, including setting up a GOPATH. Next, clone this repository into $GOPATH/src/github.com/hashicorp/vault. You can then download any required build tools by bootstrapping your environment:

$ make bootstrap
...

To compile a development version of Vault, run make or make dev. This will put the Vault binary in the bin and $GOPATH/bin folders:

$ make dev
...
$ bin/vault
...

To run tests, type make test. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working!

$ make test
...

If you're developing a specific package, you can run tests for just that package by specifying the TEST variable. For example below, only vault package tests will be run.

$ make test TEST=./vault
...
Acceptance Tests

Vault has comprehensive acceptance tests covering most of the features of the secret and auth methods.

If you're working on a feature of a secret or auth method and want to verify it is functioning (and also hasn't broken anything else), we recommend running the acceptance tests.

Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.

To run the acceptance tests, invoke make testacc:

$ make testacc TEST=./builtin/logical/consul
...

The TEST variable is required, and you should specify the folder where the backend is. The TESTARGS variable is recommended to filter down to a specific resource to test, since testing all of them at once can sometimes take a very long time.

Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.

For more information on Vault Enterprise features, visit the Vault Enterprise site.

Expand ▾ Collapse ▴

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

Directories

Path Synopsis
api
audit
builtin/audit/file
builtin/audit/socket
builtin/audit/syslog
builtin/credential/app-id
builtin/credential/app-id/cmd/app-id
builtin/credential/approle
builtin/credential/approle/cmd
builtin/credential/aws
builtin/credential/aws/cmd/aws
builtin/credential/cert
builtin/credential/cert/cmd/cert
builtin/credential/github
builtin/credential/github/cmd/github
builtin/credential/ldap
builtin/credential/ldap/cmd/ldap
builtin/credential/okta
builtin/credential/okta/cmd/okta
builtin/credential/radius
builtin/credential/radius/cmd/radius
builtin/credential/token
builtin/credential/userpass
builtin/credential/userpass/cmd/userpass
builtin/logical/aws
builtin/logical/aws/cmd/aws
builtin/logical/cassandra
builtin/logical/cassandra/cmd/cassandra
builtin/logical/consul
builtin/logical/consul/cmd/consul
builtin/logical/database
builtin/logical/database/dbplugin
builtin/logical/mongodb
builtin/logical/mongodb/cmd/mongodb
builtin/logical/mssql
builtin/logical/mssql/cmd/mssql
builtin/logical/mysql
builtin/logical/mysql/cmd/mysql
builtin/logical/nomad
builtin/logical/nomad/cmd/nomad
builtin/logical/pki
builtin/logical/pki/cmd/pki
builtin/logical/postgresql
builtin/logical/postgresql/cmd/postgresql
builtin/logical/rabbitmq
builtin/logical/rabbitmq/cmd/rabbitmq
builtin/logical/ssh
builtin/logical/ssh/cmd/ssh
builtin/logical/totp
builtin/logical/totp/cmd/totp
builtin/logical/transit
builtin/logical/transit/cmd/transit
builtin/plugin
command
command/agent
command/agent/auth
command/agent/auth/alicloud
command/agent/auth/aws
command/agent/auth/azure
command/agent/auth/gcp
command/agent/auth/jwt
command/agent/auth/kubernetes
command/agent/config
command/agent/sink
command/agent/sink/file
command/config
command/server
command/server/seal
command/token
helper/awsutil
helper/base62 Package base62 provides utilities for working with base62 strings.
helper/builtinplugins
helper/certutil Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful.
helper/cidrutil
helper/compressutil
helper/consts
helper/dbtxn
helper/dhutil
helper/errutil
helper/flag-kv
helper/flag-slice
helper/forwarding
helper/gated-writer
helper/hclutil
helper/identity
helper/identity/mfa
helper/jsonutil
helper/kdf This package is used to implement Key Derivation Functions (KDF) based on the recommendations of NIST SP 800-108.
helper/keysutil
helper/kv-builder
helper/ldaputil
helper/license
helper/locksutil
helper/logging
helper/mfa Package mfa provides wrappers to add multi-factor authentication to any auth method.
helper/mfa/duo Package duo provides a Duo MFA handler to authenticate users with Duo.
helper/mlock
helper/namespace
helper/parseutil
helper/password password is a package for reading a password securely from a terminal.
helper/pathmanager
helper/pgpkeys
helper/pluginutil
helper/policies
helper/policyutil
helper/proxyutil
helper/reload
helper/salt
helper/storagepacker
helper/strutil
helper/testhelpers
helper/tlsutil
helper/useragent
helper/wrapping
helper/xor
http
logical
logical/framework
logical/plugin
logical/plugin/mock
logical/plugin/mock/mock-plugin
logical/plugin/pb
logical/testing
physical
physical/alicloudoss
physical/azure
physical/cassandra
physical/cockroachdb
physical/consul
physical/couchdb
physical/dynamodb
physical/etcd
physical/file
physical/foundationdb
physical/gcs
physical/inmem
physical/manta
physical/mssql
physical/mysql
physical/postgresql
physical/s3
physical/spanner
physical/swift
physical/zookeeper
plugins
plugins/database/cassandra
plugins/database/cassandra/cassandra-database-plugin
plugins/database/hana
plugins/database/hana/hana-database-plugin
plugins/database/mongodb
plugins/database/mongodb/mongodb-database-plugin
plugins/database/mssql
plugins/database/mssql/mssql-database-plugin
plugins/database/mysql
plugins/database/mysql/mysql-database-plugin
plugins/database/mysql/mysql-legacy-database-plugin
plugins/database/postgresql
plugins/database/postgresql/postgresql-database-plugin
plugins/helper/database/connutil
plugins/helper/database/credsutil
plugins/helper/database/dbutil
shamir
vault
vault/seal
version