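# Vault operations recipes for SecretumVault
#
# Conventions used by the recipes in this module:
#   - VAULT_ADDR can be overridden from the environment. The default is the
#     local dev listener over plain HTTP, so unseal keys and tokens sent by
#     these recipes are not protected in transit unless VAULT_ADDR is https.
#   - Recipe arguments (tokens, keys, paths, JSON) are passed through just's
#     quote() and request bodies are built with `jq -n --arg`, so a value
#     containing quotes, spaces or `$(...)` can neither break the JSON nor be
#     interpreted by the shell.
#   - curl runs with -sSf so an HTTP error status fails the recipe instead of
#     being fed to jq as if it were a successful response.
#   - Tokens and key shares given as recipe arguments are visible to other
#     local users in the process list and land in shell history; these
#     recipes are written for local/dev use.

[doc("Show vault operations help")]
help:
    @echo "VAULT OPERATIONS COMMANDS"; \
    echo ""; \
    echo "Health & Status:"; \
    echo "  just vault::health                         Check vault health"; \
    echo "  just vault::status                         Get seal status"; \
    echo "  just vault::version                        Show vault version"; \
    echo "  just vault::metrics                        Show Prometheus metrics (vault_*)"; \
    echo ""; \
    echo "Initialization:"; \
    echo "  just vault::init SHARES THRESH             Initialize with Shamir"; \
    echo "  just vault::init-default                   Init with default (5 shares, 3 threshold)"; \
    echo "  just vault::init-workflow                  Init and save keys to init-response.json"; \
    echo ""; \
    echo "Unsealing:"; \
    echo "  just vault::unseal KEY                     Unseal with one key share"; \
    echo "  just vault::unseal-status                  Show unseal progress"; \
    echo ""; \
    echo "Token Operations:"; \
    echo "  just vault::create-token ROOT_TOKEN        Create auth token"; \
    echo "  just vault::revoke-token ROOT_TOKEN TOKEN  Revoke token"; \
    echo "  just vault::lookup-token TOKEN             Get token info"; \
    echo ""; \
    echo "Secrets:"; \
    echo "  just vault::list-secrets TOKEN             List all secrets"; \
    echo "  just vault::read-secret TOKEN PATH         Read secret"; \
    echo "  just vault::write-secret TOKEN PATH DATA   Write secret (DATA is a JSON object)"; \
    echo "  just vault::delete-secret TOKEN PATH       Delete secret"; \
    echo ""; \
    echo "Transit:"; \
    echo "  just vault::encrypt TOKEN KEY PLAINTEXT    Encrypt with a transit key"; \
    echo "  just vault::decrypt TOKEN KEY CIPHERTEXT   Decrypt with a transit key"; \
    echo ""

# Variables
# Override with the VAULT_ADDR environment variable; the default is the local
# plain-HTTP dev listener.
VAULT_ADDR := env_var_or_default("VAULT_ADDR", "http://localhost:8200")

# Health check
# The health endpoint may answer with a non-200 status for a sealed or
# standby node, so it is deliberately fetched without -f; the response is
# captured first because `jq` on empty input exits 0 and would otherwise
# never trigger the "unreachable" fallback.
[doc("Check vault health")]
health:
    @OUT=$(curl -sS {{ VAULT_ADDR }}/v1/sys/health) && printf '%s\n' "$OUT" | jq . || echo "Vault unreachable"

# Seal status
[doc("Get seal/unseal status")]
status:
    @curl -sS {{ VAULT_ADDR }}/v1/sys/seal-status | jq .

# Version
[doc("Show vault version")]
version:
    @curl -sS {{ VAULT_ADDR }}/v1/sys/health | jq '.version'

# Initialize vault (Shamir)
# SHARES is the number of key shares generated, THRESHOLD how many of them are
# needed to unseal. Both are validated as numbers and THRESHOLD <= SHARES is
# enforced before anything is sent. The response contains every unseal key
# and the root token; it is printed to stdout and not stored anywhere.
[doc("Initialize vault with Shamir Secret Sharing (SHARES key shares, THRESHOLD needed to unseal)")]
init SHARES="5" THRESHOLD="3":
    @printf 'Initializing vault with %s shares, %s threshold...\n' {{ quote(SHARES) }} {{ quote(THRESHOLD) }}
    @jq -n --arg s {{ quote(SHARES) }} --arg t {{ quote(THRESHOLD) }} \
        'if ($t | tonumber) > ($s | tonumber) then error("threshold must not exceed shares") \
         else {shares: ($s | tonumber), threshold: ($t | tonumber)} end' \
      | curl -sSf -X POST {{ VAULT_ADDR }}/v1/sys/init \
          -H "Content-Type: application/json" -d @- | jq .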
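# Initialize with defaults
# Declared as a dependency on `init` rather than a nested `just vault::init`
# call, so it works regardless of the directory just is invoked from.
[doc("Initialize vault (5 shares, 3 threshold)")]
init-default: (init "5" "3")

# Unseal with key
# KEY is one Shamir key share; repeat once per share until the seal status
# reports sealed=false. The body is built by jq so a share containing quotes
# cannot break the JSON.
[doc("Unseal vault with a single key share")]
unseal KEY:
    @jq -n --arg key {{ quote(KEY) }} '{key: $key}' \
      | curl -sSf -X POST {{ VAULT_ADDR }}/v1/sys/unseal \
          -H "Content-Type: application/json" -d @- | jq .

# Show unseal progress
# `{sealed, t, n, progress}` is jq's object-construction shorthand; the
# leading dot used previously (`.{...}`) is not valid jq syntax.
[doc("Show unseal progress")]
unseal-status:
    @curl -sS {{ VAULT_ADDR }}/v1/sys/seal-status | jq '{sealed, t, n, progress}'

# Create token
# Creates a token with the "default" policy and a 24h TTL using ROOT_TOKEN
# for authentication.
[doc("Create authentication token")]
create-token ROOT_TOKEN:
    @curl -sSf -X POST {{ VAULT_ADDR }}/v1/auth/token/create \
        -H "X-Vault-Token: "{{ quote(ROOT_TOKEN) }} \
        -H "Content-Type: application/json" \
        -d '{"policies": ["default"], "ttl": "24h"}' | jq '.auth'

# Revoke token
[doc("Revoke token (authenticates with ROOT_TOKEN, revokes TOKEN)")]
revoke-token ROOT_TOKEN TOKEN:
    @jq -n --arg token {{ quote(TOKEN) }} '{token: $token}' \
      | curl -sSf -X POST {{ VAULT_ADDR }}/v1/auth/token/revoke \
          -H "X-Vault-Token: "{{ quote(ROOT_TOKEN) }} \
          -H "Content-Type: application/json" -d @- | jq .

# Lookup token
[doc("Get information about TOKEN itself")]
lookup-token TOKEN:
    @curl -sSf {{ VAULT_ADDR }}/v1/auth/token/self \
        -H "X-Vault-Token: "{{ quote(TOKEN) }} | jq '.auth'

# List all secrets
[doc("List all secrets in KV engine")]
list-secrets TOKEN:
    @curl -sSf -X LIST {{ VAULT_ADDR }}/v1/secret/metadata \
        -H "X-Vault-Token: "{{ quote(TOKEN) }} | jq '.data.keys'

# Read secret
[doc("Read secret (requires: TOKEN PATH)")]
read-secret TOKEN PATH:
    @curl -sSf {{ VAULT_ADDR }}/v1/secret/data/{{ quote(PATH) }} \
        -H "X-Vault-Token: "{{ quote(TOKEN) }} | jq '.data.data'

# Write secret
# DATA must be a JSON object; `--argjson` rejects malformed input before any
# request is made instead of sending a broken body.
[doc("Write secret (requires: TOKEN PATH DATA_JSON)")]
write-secret TOKEN PATH DATA:
    @jq -n --argjson data {{ quote(DATA) }} '{data: $data}' \
      | curl -sSf -X POST {{ VAULT_ADDR }}/v1/secret/data/{{ quote(PATH) }} \
          -H "X-Vault-Token: "{{ quote(TOKEN) }} \
          -H "Content-Type: application/json" -d @- | jq .

# Delete secret
[doc("Delete secret (requires: TOKEN PATH)")]
delete-secret TOKEN PATH:
    @curl -sSf -X DELETE {{ VAULT_ADDR }}/v1/secret/data/{{ quote(PATH) }} \
        -H "X-Vault-Token: "{{ quote(TOKEN) }} | jq .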
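# Encrypt with transit
# The plaintext is base64-encoded as the transit API expects. `tr -d '\n'`
# removes the line wrapping some base64 implementations add after 76
# characters, which would otherwise put raw newlines inside the JSON string.
[doc("Encrypt data with Transit engine")]
encrypt TOKEN KEY PLAINTEXT:
    @printf '%s' {{ quote(PLAINTEXT) }} | base64 | tr -d '\n' \
      | jq -Rs '{plaintext: .}' \
      | curl -sSf -X POST {{ VAULT_ADDR }}/v1/transit/encrypt/{{ quote(KEY) }} \
          -H "X-Vault-Token: "{{ quote(TOKEN) }} \
          -H "Content-Type: application/json" -d @- | jq '.data.ciphertext'

# Decrypt with transit
# `jq -r` emits the base64 plaintext without quotes; `// empty` keeps a
# missing field from being decoded as the literal string "null".
[doc("Decrypt data with Transit engine")]
decrypt TOKEN KEY CIPHERTEXT:
    @jq -n --arg ct {{ quote(CIPHERTEXT) }} '{ciphertext: $ct}' \
      | curl -sSf -X POST {{ VAULT_ADDR }}/v1/transit/decrypt/{{ quote(KEY) }} \
          -H "X-Vault-Token: "{{ quote(TOKEN) }} \
          -H "Content-Type: application/json" -d @- \
      | jq -r '.data.plaintext // empty' | base64 -d && echo

# Metrics listener. VAULT_ADDR already carries the API port, so appending
# ":9090" to it produced an invalid URL; the metrics endpoint gets its own
# address, overridable from the environment.
METRICS_ADDR := env_var_or_default("METRICS_ADDR", "http://localhost:9090")

# Get metrics
[doc("Get Prometheus metrics (first 20 vault_* series)")]
metrics:
    @curl -sSf {{ METRICS_ADDR }}/metrics | grep vault_ | head -20

# Full initialization workflow
# Runs as a single shell script (shebang recipe) so the captured response is
# still in scope on later lines; with plain recipe lines each line runs in
# its own shell and the variable was empty by the time it was used.
# The response holds every unseal key and the root token, so it is written
# to init-response.json under umask 077 (owner-only) and kept off the
# terminal, where it would otherwise persist in scrollback and CI logs.
[doc("Full initialization: init + save keys to init-response.json + instructions")]
init-workflow:
    #!/usr/bin/env sh
    set -eu
    echo "=== SecretumVault Initialization Workflow ==="
    echo
    echo "1. Initializing vault..."
    INIT_RESPONSE=$(curl -sSf -X POST {{ VAULT_ADDR }}/v1/sys/init \
        -H "Content-Type: application/json" \
        -d '{"shares": 5, "threshold": 3}')
    umask 077
    printf '%s\n' "$INIT_RESPONSE" | jq '{keys: .keys, root_token: .root_token}' > init-response.json
    KEY_COUNT=$(jq '.keys | length' init-response.json)
    echo "   Saved $KEY_COUNT unseal keys and the root token to init-response.json (mode 0600)"
    echo ""
    echo "2. CRITICAL: Move init-response.json to secure storage and delete the local copy."
    echo ""
    echo "3. To unseal vault (one key share per call, three are required):"
    echo "   just vault::unseal KEY_1"
    echo "   just vault::unseal KEY_2"
    echo "   just vault::unseal KEY_3"
    echo ""
    echo "4. Check unsealing progress:"
    echo "   just vault::unseal-status"

# Kubernetes setup: init and unseal
# Opens a port-forward to the in-cluster service, waits until it answers,
# runs the init workflow, and always tears the port-forward down again on
# exit (the previous version left the backgrounded kubectl running). The
# forwarded local port must match VAULT_ADDR.
[doc("K8s: Initialize vault in cluster")]
k8s-init:
    #!/usr/bin/env sh
    set -eu
    echo "Initializing vault in Kubernetes..."
    kubectl -n secretumvault port-forward svc/vault 8200:8200 &
    PF_PID=$!
    trap 'kill "$PF_PID" 2>/dev/null || true' EXIT
    # Wait for the tunnel instead of a fixed sleep; any HTTP answer means it is up.
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        if curl -s -o /dev/null {{ VAULT_ADDR }}/v1/sys/health; then break; fi
        sleep 1
    done
    just --justfile {{ justfile() }} init-workflow

# Kubernetes: display unsealing instructions
[doc("K8s: Show unsealing instructions")]
k8s-unseal-instructions:
    @echo "To unseal vault in Kubernetes:"
    @echo ""
    @echo "1. Port-forward to vault:"
    @echo "   kubectl -n secretumvault port-forward svc/vault 8200:8200 &"
    @echo ""
    @echo "2. Unseal with keys (one key share per call):"
    @echo "   just vault::unseal KEY_1"
    @echo "   just vault::unseal KEY_2"
    @echo "   just vault::unseal KEY_3"
    @echo ""
    @echo "3. Verify unsealed:"
    @echo "   just vault::status"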