Dump your Hashicorp Vault to a file. Not guaranteed to be consistent. Dump is a form of commands to inject keys into vault, so it is convenient to use it later on to restore to different vault, for example
vault write /secret/dev/ \
test1_user='test_pass'
vault write /secret/dev/bash-org-244321 \
AzureDiamond='hunter2'The following environment variables are used:
- PYTHONIOENCODING is used to ensure your keys are exported in valid encoding, make sure to use the same during import/export
- VAULT_ADDR - vault address enpoint to use, default is http://localhost:8200
- VAULT_TOKEN - after succesful authorization, should be detected by script itself
- VAULT_CACERT - cert if using https:// with client cert, but actually not tested
- TOP_VAULT_PREFIX - path to dump, optional, useful when dumping only a fraction of the strucutre of the vault
You still need vault client. You must have right to list keys for TOP_VAULT_PREFIX, otherwise you' will get error with trace.
Under Ubuntu you need below packages:
- python-pip
- python-virtualenv
virtualenv .venv
. .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txtActivate virtualenv.
Export some vars:
export PYTHONIOENCODING=utf-8
export VAULT_ADDR=https://vault.tld:12345
export TOP_VAULT_PREFIX=/secret/dev/Authorize in vault, I use here ldap auth:
vault auth -method=ldap username=your-usernameAfter succesful authorization you can run dump script and encrypt it with gpg to the output file:
python vault-dump.py | gpg -e -r GPG_KEY_ID > vault.dump.txt.gpg
Warning, all corresponding keys will be overwritten.
Activate virtualenv. Export some vars:
export PYTHONIOENCODING=utf-8
export VAULT_ADDR=https://vault.tld:9001
export TOP_VAULT_PREFIX=/secret/over9000/Authorize in vault:
vault auth -method=ldap username=user-in-new-vaultDisable bash history, decrypt encrypted file and execute commands stored inside:
set +o history
. <(gpg -qd vault.dump.txt.gpg)