Hashicorp Vault Key Backend

Lucas Teske edited this page Apr 4, 2019 · 1 revision

Vault Backend

Remote Signer supports storing private keys (and their passwords) inside a Hashicorp Vault key-value backend. To enable it, set a few environment variables:

  • VAULT_STORAGE => Set to true to use Vault instead of Disk Storage
  • VAULT_ADDRESS => Vault URL (example: https://vault:8200/)
  • VAULT_SKIP_VERIFY => Vault Skip Verify SSL Certs on Connection (true or false)
  • VAULT_BACKEND => Vault Backend to use (for example secret)
  • VAULT_NAMESPACE => Vault Namespace to use (appended to VAULT_BACKEND, for example if namespace is remote-signer and backend is secret, the keys are stored under secret/remote-signer)

There are two modes of operation: using a root token or using userpass.

Using Root Token

  • VAULT_USE_USERPASS => Set to false
  • VAULT_ROOT_TOKEN => Hashicorp Vault Root Token

Using UserPass

For userpass, two additional variables should be set:

  • VAULT_USE_USERPASS => Set to true
  • VAULT_USERNAME => The username that remote-signer should use to login to vault
  • VAULT_PASSWORD => The password that remote-signer should use to login to vault
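The following pre-flight check is an added example and not part of the Remote Signer project: it validates the environment described above before the service is started, flags the settings that weaken security (TLS verification disabled, a root token left in the environment), and prints the key path that results from VAULT_BACKEND and VAULT_NAMESPACE. The variable names and the secret/remote-signer path come from this page; the function names and check logic are hypothetical.

```shell
#!/bin/sh
# Constructed pre-flight check for the Remote Signer Vault variables.
# Function names and checks are hypothetical; variable names are from the wiki page.

# Path under which keys are stored: VAULT_BACKEND/VAULT_NAMESPACE
# (e.g. backend "secret" + namespace "remote-signer" -> "secret/remote-signer").
vault_key_path() {
  printf '%s/%s\n' "$VAULT_BACKEND" "$VAULT_NAMESPACE"
}

# Returns 0 when the configuration is coherent, 1 otherwise.
# Hard errors set rc=1; weak-but-valid settings only print a WARN line.
check_vault_env() {
  rc=0
  if [ "$VAULT_STORAGE" != "true" ]; then
    echo "VAULT_STORAGE is not true: disk storage would be used instead of Vault"
    return 1
  fi
  case "$VAULT_ADDRESS" in
    https://*) ;;
    *) echo "VAULT_ADDRESS must be an https:// URL (got '$VAULT_ADDRESS')"; rc=1 ;;
  esac
  if [ "$VAULT_SKIP_VERIFY" = "true" ]; then
    echo "WARN: VAULT_SKIP_VERIFY=true disables TLS certificate checks toward Vault"
  fi
  [ -n "$VAULT_BACKEND" ]   || { echo "VAULT_BACKEND is unset";   rc=1; }
  [ -n "$VAULT_NAMESPACE" ] || { echo "VAULT_NAMESPACE is unset"; rc=1; }
  case "$VAULT_USE_USERPASS" in
    true)
      if [ -z "$VAULT_USERNAME" ] || [ -z "$VAULT_PASSWORD" ]; then
        echo "userpass mode needs VAULT_USERNAME and VAULT_PASSWORD"; rc=1
      fi
      if [ -n "$VAULT_ROOT_TOKEN" ]; then
        echo "WARN: VAULT_ROOT_TOKEN is set although userpass mode is selected; unset it"
      fi
      ;;
    false)
      [ -n "$VAULT_ROOT_TOKEN" ] || { echo "root token mode needs VAULT_ROOT_TOKEN"; rc=1; }
      ;;
    *) echo "VAULT_USE_USERPASS must be true or false"; rc=1 ;;
  esac
  return $rc
}
```

Source the script and run `check_vault_env` in the same shell that will start Remote Signer; a non-zero exit means the configuration would not work as documented.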

Running

If everything goes right, you should see something like this in the logs:

 INFO| Vault | Initialized Vault Backend at https://vault:8200/ with prefix __master__
 WARN| Vault | WARNING: Vault Skip Verify is enable. We will not check for SSL Certs in Vault!
 INFO| Vault | Userpass mode enabled. Logging with dev-remote-signer
 INFO| Vault | Logged in successfully.
(...)
 INFO| Vault | Initialized Vault Backend at https://vault:8200/ with prefix softkey_
 WARN| Vault | WARNING: Vault Skip Verify is enable. We will not check for SSL Certs in Vault!
 INFO| Vault | Userpass mode enabled. Logging with dev-remote-signer
 INFO| Vault | Logged in successfully.