straight forward secure vault using s3 as the repository
MIT License
store and deploy secrets, secured.
With a 12-factor system where local storage is not persistent, there are no simple solutions to storing secrets, in particular if those secrets have to be accessible as actual files (such as certificates and key files). While there are some distributed secret solutions (e.g. vaultproject), they have their own complexity that needs to be set up and managed.
SimpleVault provides a straight forward, secure solution. Use it to create a secure vault file from a plain files directory, store the vault file on S3 and retrieve it back on a deployed instance.
Features
Installation
$ pip install simplevault
Usage
# shortcuts
$ mkvault vaultname /path/to/source bucket/path
$ unvault vaultname bucket/path /path/to/target
# cli
$ simplevault --write -l=/path/to/source -n=vaultname -b=bucket -p=path
$ simplevault --extract -l=/path/to/target -n=vaultname -b=bucket -p=path
# local use
vault = SimpleVault(location='/path/to/vault')
crypt = vault.make('myvault', '/path/to/source', upload=False)
files = vault.unvault('myvault', '/path/to/target', download=False)
# using with s3
vault = SimpleVault(location='/path/to/vault')
crypt = vault.make('myvault', '/path/to/source', upload=True)
files = vault.unvault('myvault', '/path/to/target', download=True)
The s3 vault is simply the name of the vault stored in a s3 bucket key.
E.g. vault name test is stored at s3://bucket/path/test.crypt
.
For this work the following environment variables are required on the machine creating the vault.
# -- standard aws setup
$ export AWS_ACCESS_KEY_ID=
$ export AWS_SECRET_ACCESS_KEY=
$ export AWS_ENDPOINT=
On your deployed server instance (where you want the vault files to be extract), all you need are S3_VAULT_USER_AGENT and S3_VAULT_KEY. All other parameters are passed on the command line.
# -- SimpleVault settings
$ export S3_VAULT_KEY=key to use for encryption/decryption
$ export S3_VAULT_BUCKET=bucket name
$ export S3_VAULT_PATH=path in bucket
$ export S3_VAULT_USERAGENT=user agent set on S3 policy
To enable secure downloads from s3, set the following policy on your bucket:
# s3 policy example
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "deny-other-actions",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucketname>/vault/*",
"Condition": {
"StringEquals": {
"aws:UserAgent": "some key value (e.g. uuid4)"
}
}
},
}