Vault Administration
Details
Administration commands for Vault operators. Few of these commands should be used without consulting the Vault documentation, as they affect the administration of a Vault server, but they are included here for completeness.
Super class
vaultr::vault_client_object -> vault_client_operator
Methods
Method new()
Create a vault_client_operator object. Not typically called by users.
Usage
vault_client_operator$new(api_client)
Arguments
api_client
A vault_api_client object
Method init()
This endpoint initializes a new Vault. The Vault must not have been previously initialized.
Method rekey_start()
This method begins a new rekey attempt. Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires cancelling and starting a new rekey, which will also provide a new nonce.
Method rekey_cancel()
This method cancels any in-progress rekey. This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note verification is still a part of a rekey. If rekeying is cancelled during the verification flow, the current unseal keys remain valid.
Method rekey_submit()
This method is used to enter a single master key share to progress the rekey of the Vault. If the threshold number of master key shares is reached, Vault will complete the rekey. Otherwise, this method must be called multiple times until that threshold is met. The nonce of the current rekey operation must be provided with each call.
Method rotate()
This method triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys.
Method seal()
Seal the vault, preventing any access to it. After the vault is sealed, it must be unsealed for further use.
Method seal_status()
Check the seal status of a Vault. This method can be used even when the client is not authenticated with the Vault (which will be the case for a sealed vault).
Examples
server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
if (!is.null(server)) {
client <- server$client()
# Our test server is by default unsealed:
client$status()$sealed
# We can seal the vault to prevent all access:
client$operator$seal()
client$status()$sealed
# And then unseal it again
client$operator$unseal(server$keys)
client$status()$sealed
}
#> [1] FALSE
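The rekey_start / rekey_submit / rekey_cancel sequence described above, followed by a seal and unseal with the new shares, as an added example that is not part of the vaultr package documentation. It assumes rekey_start(secret_shares, secret_threshold) and rekey_submit(key, nonce) as the argument names, that both return the parsed Vault /sys/rekey response (fields nonce, complete and keys), and that the test server's single dev-mode unseal key can be rekeyed into several shares.

```r
# Added example, not vaultr's own code. Walk through a complete rekey,
# threading the nonce issued by rekey_start() through every submission.
rekey_vault <- function(client, current_keys, secret_shares, secret_threshold) {
  # Starting a rekey issues a fresh nonce; every share submitted must carry it.
  # (Assumed argument names and response fields, mirroring Vault's HTTP API.)
  status <- client$operator$rekey_start(secret_shares = secret_shares,
                                        secret_threshold = secret_threshold)
  nonce <- status$nonce
  # A rekey that stalls before the threshold blocks any later attempt, so make
  # sure it is cancelled if this function fails part way through.
  on.exit(tryCatch(client$operator$rekey_cancel(), error = function(e) NULL))
  for (key in current_keys) {
    res <- client$operator$rekey_submit(key, nonce)
    if (isTRUE(res$complete)) {
      # Threshold reached: Vault has replaced the master key shares.
      on.exit()          # nothing left to cancel
      return(res$keys)   # the new unseal key shares (assumed field name)
    }
  }
  stop("ran out of unseal key shares before the rekey threshold was reached")
}

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()
  # Rekey from the dev server's single share into 3 shares, any 2 of which unseal.
  new_keys <- rekey_vault(client, server$keys,
                          secret_shares = 3, secret_threshold = 2)
  length(new_keys)
  # Seal the vault; seal_status() works without a token on a sealed vault.
  client$operator$seal()
  client$operator$seal_status()$sealed
  # Unseal with two of the new shares: the old share is no longer valid.
  for (k in new_keys[1:2]) client$operator$unseal(k)
  client$operator$seal_status()$sealed
}
```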