Vault Administration

Details

Administration commands for vault operators. Very few of these commands should be used without consulting the vault documentation as they affect the administration of a vault server, but they are included here for completeness.

Super class

vaultr::vault_client_object -> vault_client_operator

Methods

Method new()

Create a vault_client_operator object. Not typically called by users.

Usage

vault_client_operator$new(api_client)

Arguments

api_client

A vault_api_client object


Method key_status()

Return information about the current encryption key of Vault.

Usage

vault_client_operator$key_status()


Method is_initialized()

Returns the initialization status of Vault

Usage

vault_client_operator$is_initialized()


Method init()

This endpoint initializes a new Vault. The Vault must not have been previously initialized.

Usage

vault_client_operator$init(secret_shares, secret_threshold)

Arguments

secret_shares

Integer, specifying the number of shares to split the master key into

secret_threshold

Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares
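As an added illustration, not code from the vaultr package or its documentation, the following initialises a fresh Vault with a 3-of-5 Shamir split and then unseals it with only the threshold number of shares. It assumes a `client` created as in the Examples section and a server that has not yet been initialised; it also assumes that `init()` and `unseal()` return the Vault HTTP API response as an R list (fields `keys`, `root_token`, `sealed`, `progress`), which are field names from the Vault API rather than from this page.

```r
# Added example (assumptions: `client` is a vaultr client for an
# uninitialised server; init()/unseal() return the Vault API response as a
# list with `keys`, `root_token`, `sealed` and `progress` fields).
init_and_unseal <- function(client, shares = 5, threshold = 3) {
  stopifnot(threshold <= shares)
  if (client$operator$is_initialized()) {
    stop("Vault is already initialised; init() would fail")
  }
  res <- client$operator$init(secret_shares = shares,
                              secret_threshold = threshold)
  # In practice each share is handed to a different operator; they are
  # held together here only because this is a single-process illustration.
  keys <- res$keys

  # Only `threshold` shares are needed to reconstruct the master key.
  for (k in keys[seq_len(threshold)]) {
    status <- client$operator$unseal(k)
    message(sprintf("unseal progress: %s, sealed: %s",
                    status$progress, status$sealed))
    if (!isTRUE(status$sealed)) break
  }
  stopifnot(!client$operator$seal_status()$sealed)
  # The initial root token should be used to set up auth methods and then
  # revoked; returning it invisibly keeps it out of the console by default.
  invisible(res$root_token)
}
```

The `is_initialized()` guard is there because `init()` is only valid once per Vault; the final `seal_status()` check confirms that the threshold subset really was sufficient.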


Method leader_status()

Check the high availability status and current leader of Vault

Usage

vault_client_operator$leader_status()


Method rekey_status()

Reads the configuration and progress of the current rekey attempt

Usage

vault_client_operator$rekey_status()


Method rekey_start()

This method begins a new rekey attempt. Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires cancelling and starting a new rekey, which will also provide a new nonce.

Usage

vault_client_operator$rekey_start(secret_shares, secret_threshold)

Arguments

secret_shares

Integer, specifying the number of shares to split the master key into

secret_threshold

Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares


Method rekey_cancel()

This method cancels any in-progress rekey. This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note verification is still a part of a rekey. If rekeying is cancelled during the verification flow, the current unseal keys remain valid.

Usage

vault_client_operator$rekey_cancel()


Method rekey_submit()

This method is used to enter a single master key share to progress the rekey of the Vault. If the threshold number of master key shares is reached, Vault will complete the rekey. Otherwise, this method must be called multiple times until that threshold is met. The nonce of the rekey operation must be provided with each call.

Usage

vault_client_operator$rekey_submit(key, nonce)

Arguments

key

Specifies a single master share key (a string)

nonce

Specifies the nonce of the rekey operation (a string)
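The four rekey methods above (rekey_status, rekey_start, rekey_submit, rekey_cancel) form one procedure. The following added example, which is not code from the vaultr package or its documentation, drives a complete rekey from the current split to a 2-of-3 split. It assumes a `client` authenticated with sufficient privilege, a vector `current_keys` holding at least the current threshold of existing unseal shares, and that `rekey_status()`, `rekey_start()` and `rekey_submit()` return the Vault HTTP API response as an R list (fields `started`, `nonce`, `complete`, `keys`); those field names are taken from the Vault API, not from this page.

```r
# Added example (assumptions: `client` is an authenticated vaultr client;
# `current_keys` holds at least `threshold` existing shares; rekey_status(),
# rekey_start() and rekey_submit() return the Vault API response as a list
# with `started`, `nonce`, `complete` and `keys` fields).
rekey_vault <- function(client, current_keys, shares = 3, threshold = 2) {
  stopifnot(threshold <= shares)
  op <- client$operator

  # Only one rekey attempt may exist at a time; a stale attempt must be
  # cancelled (which also discards its nonce) before new parameters apply.
  if (isTRUE(op$rekey_status()$started)) {
    op$rekey_cancel()
  }

  start <- op$rekey_start(secret_shares = shares,
                          secret_threshold = threshold)
  nonce <- start$nonce  # must accompany every submission of this attempt

  res <- NULL
  for (k in current_keys) {
    res <- op$rekey_submit(k, nonce)
    if (isTRUE(res$complete)) break
  }

  if (!isTRUE(res$complete)) {
    # Too few valid shares: cancel rather than leave a half-finished rekey
    # that would block the next attempt.
    op$rekey_cancel()
    stop("rekey did not complete: fewer than the threshold of valid shares")
  }

  # The previous shares are now invalid. res$keys holds the new shares and
  # should be distributed to their holders, not logged or stored together.
  invisible(res$keys)
}
```

Submitting shares one at a time and checking `complete` after each call mirrors the behaviour described for rekey_submit: Vault finishes the rekey as soon as the threshold is reached, so any remaining shares in `current_keys` are not sent.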


Method rotate()

This method triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys.

Usage

vault_client_operator$rotate()


Method seal()

Seal the vault, preventing any access to it. After the vault is sealed, it must be unsealed for further use.

Usage

vault_client_operator$seal()


Method seal_status()

Check the seal status of a Vault. This method can be used even when the client is not authenticated with the vault (which will be the case for a sealed vault).

Usage

vault_client_operator$seal_status()


Method unseal()

Submit a portion of a key to unseal the vault. This method is typically called by multiple different operators to assemble the master key.

Usage

vault_client_operator$unseal(key, reset = FALSE)

Arguments

key

The master key share

reset

Logical, indicating if the unseal process should be started again.

Examples


server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
  client <- server$client()

  # Our test server is by default unsealed:
  client$status()$sealed

  # We can seal the vault to prevent all access:
  client$operator$seal()
  client$status()$sealed

  # And then unseal it again
  client$operator$unseal(server$keys)
  client$status()$sealed
}
#> [1] FALSE