Vault is an awesome project and it comes with superb documentation, a rock-solid server component and a flexible and capable command-line interface.

So, why safe? To solve the following problems:

1. Securely generate new SSH public / private keys
2. Securely generate random RSA key pairs
3. Auto-generate secure, random passwords
4. Securely provide credentials, without files
5. Dumping multiple paths

Primarily, these are things encountered in trying to build secure BOSH deployments using Vault and Spruce.

To make it easier to target multiple Vaults from one client (i.e. your work laptop), safe lets you track and authenticate against targets, each representing a different vault.

To get started, you'll need to add a new target:

safe target https://vault.example.com myvault

The first argument is the URL to the Vault; the second is a shorthand alias for the target. Later, you can retarget this Vault with just:

safe target myvault

You can see what Vaults you have targeted by running

safe targets

All commands will be run against the currently targeted Vault.

To authenticate:

safe auth [token]
safe auth ldap
safe auth github

(Other authentication backends are not yet supported)

For each type (token, ldap or github), you will be prompted for the necessary credentials to authenticated against the Vault.

safe operates by way of sub-commands. To generate a new 2048-bit SSH keypair, and store it in secret/ssh:

safe ssh 2048 secret/ssh

To set non-sensitive keys, you can just specify them inline:

safe set secret/ssh username=system

If you use a password manager (good for you!) and don't want to have to paste passwords twice, use the passte subcommand:

safe paste secret/1pass/managed

Commands can be chained by separating them with the argument terminator, --, so to both create a new SSH keypair and set the username:

safe ssh 2048 secret/ssh -- set secret/ssh username=system

Auto-generated passwords are easy too:

safe gen secret/account passphrase

Sometimes, you just want to import passwords from another source (like your own password manager), without the hassle of writing files to disk or the risk of leaking credentials via the process table or your shell history file. For that, safe provides a double-confirmation interactive mode:

safe set secret/ssl/ca passphrase
passphrase [hidden]:
passphrase [confirm]:

What you type will not be echoed back to the screen, and the confirmation prompt is there to make sure your fingers didn't betray you.

All operations (except for delete) are additive, so the following:

safe set secret/x a=b c=d

is equivalent to this:

safe set secret/x a=b -- set secret/x c=d

Need to take an existing password, and generate a crypt-sha512 hash, or base64 encode it? safe fmt will do this, and store the results in a new key for you, making it easy to generate a password, and then format that password as needed.

safe gen secret/account password
safe fmt base64 secret/account password base64_pass
safe fmt crypt-sha512 secret/account password crypt_pass
safe get secret/account

Updates a single path with new keys. Any existing keys that are not specified on the command line are left intact.

You will be prompted to enter values for any keys that do not have values. This can be used for more sensitive credentials like passwords, PINs, etc.

Example:

safe set secret/root username=root password
<prompts for 'password' here...>

Retrieve and print the values of one or more paths, to standard output. This is most useful for piping credentials through keybase or pgp for encrypting and sending to others.

safe get secret/root secret/whatever secret/key
--- # secret/root
username: root
password: it's a secret

--- # secret/whatever
whatever: is clever

--- # secret/key
private: |
   -----BEGIN RSA PRIVATE KEY-----
   ...
   -----END RSA PRIVATE KEY-----
public: |
  -----BEGIN RSA PUBLIC KEY-----
  ...
  -----END RSA PRIVATE KEY-----

Provide a tree hierarchy listing of all reachable keys in the Vault.

safe tree secret/dc1
secret/dc1
  concourse/
    pipeline-the-first/
      aws
      dockerhub
      github
    pipeline-the-second/
      aws
      dockerhub
      github

Provide a flat listing of all reachable keys in the Vault.

safe paths secret/dc1
secret/dc1concourse/pipeline-the-first/aws
secret/dc1concourse/pipeline-the-first/dockerhub
secret/dc1concourse/pipeline-the-first/github
secret/dc1concourse/pipeline-the-second/aws
secret/dc1concourse/pipeline-the-second/dockerhub
secret/dc1concourse/pipeline-the-second/github

Removes multiple paths from the Vault.

safe delete secret/unused

Move a secret from oldpath to newpath, a rename of sorts.

safe move secret/staging/user secret/prod/user

(or, more succinctly, using brace expansion):

safe move secret/{staging,prod}/user

Any credentials at newpath will be completely overwritten. The secret at oldpath will no longer exist.

Copy a secret from oldpath to newpath.

safe copy secret/staging/user secret/prod/user

(or, as with move, using brace expansion):

save copy secret/{staging,prod}/user

Any credentials at newpath will be completely overwritten. The secret at oldpath will still exist after the copy.

Generate a new, random password. By default, the generated password will be 64 characters long.

safe gen secret/account secretkey

To get a shorter password, only 16 characters long:

safe gen 16 secret/account password

Take the key at path:oldKey, reformat it according to format_type, and save it in path:newKey. Useful for hashing, or encoding passwords in an alternate format (for htpass files, or /etc/shadow).

Currently supported formats:

• base64
• crypt-sha512

safe fmt base64 secret/account password base64_password
safe fmt crypt-sha512 secret/account password crypt_password

Generate a new SSH RSA keypair, adding the keys "private" and "public" to each path. The public key will be encoded as an authorized keys. The private key is a PEM-encoded DER private key.

By default, a 2048-bit key will be generated. The nbits parameter allows you to change that.

Each path gets a unique SSH keypair.

Generate a new RSA keypair, adding the keys "private" and "public" to each path. Both keys will be PEM-encoded DER.

By default, a 2048-bit key will be generated. The nbits parameter allows you to change that.

Each path gets a unique RSA keypair.

Echo the arguments, space-separated, as a single line to the terminal. This is a convenience helper for long pipelines of chained commands.

Export the given subtree(s) in a format suitable for migration (via a future import call), or long-term storage offline. Secrets will not be encrypted in this representation, so care should be taken in handling it. Output will be printed to standard output.

Read an export file (as produced by the export subcommand) and write all of the secrets contained therein to the same paths inside the Vault. Trees will be imported in an additive nature, so existing credentials in the same subtree as imported credentials will be left intact.

Import and export can be combined in a pipeline to facilitate movement of credentials from one Vault to another, like so:

VAULT_ADDR=$OLD_VAULT safe export secret/sub/tree | \
  VAULT_ADDR=$NEW_VAULT safe import