Sometimes I find myself needing to stash a couple of files away somewhere safe. Here is a quick trick that I use to store files in my HashiCorp Vault instance.
Create a gzip’d tarball of the directory of files.
tar -cvzf secrets.tar.gz secrets_dir/*
This next line does two things. First, it base64-encodes the tarball, turning the binary representation of the file into a text representation. Second, it sends that text into Vault at the path kv/secret_tar under the key filecontents.
vault kv put kv/secret_tar filecontents="$(base64 secrets.tar.gz)"
The file now rests securely in Vault. When we need the file again, do something like this:
base64 --decode <(vault kv get -format=json kv/secret_tar | jq -r .data.data.filecontents) > retrieved_secrets.tar.gz
There is a lot going on here. This command uses a Bash feature called process substitution, "<()". Vault outputs data in a table format by default, which is nice to look at but a poor format for automation. Using the Vault CLI flag -format=json along with jq, we are able to extract the base64-encoded file from Vault. The string from Vault is then passed into base64 --decode to translate the file back into its binary representation.
tar xvzf retrieved_secrets.tar.gz
Finally, untar the archive and the original files will be available for consumption.
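
The round trip above with an integrity check added, as an example that is not part of the original post: a SHA-256 of the tarball is recorded at pack time and compared after decoding, so a truncated or mangled payload (for instance JSON passed to base64 instead of the bare string) is rejected before tar runs. The function names, the sha256 key and the .b64 file names are assumptions of this example.

```bash
# Added example, not from the original post. Works in bash or POSIX sh.
# Needs tar, base64 and sha256sum (GNU coreutils assumed).

# pack_dir DIR OUT_B64
# Tar+gzip DIR (dotfiles included), write the base64 text to OUT_B64 and
# print the SHA-256 of the tarball on stdout.
pack_dir() {
  local dir=$1 out=$2 tarball
  tarball=$(mktemp)                 # created mode 0600; holds the secrets briefly
  tar -czf "$tarball" -C "$(dirname "$dir")" "$(basename "$dir")"
  base64 "$tarball" > "$out"
  sha256sum "$tarball" | cut -d' ' -f1
  rm -f "$tarball"
}

# restore_payload B64_FILE EXPECTED_SHA256 DEST
# Returns 2 if the payload is not valid base64, 1 on checksum mismatch,
# 3 if extraction fails. DEST is only created after the checksum matches.
restore_payload() {
  local b64=$1 expected=$2 dest=$3 tarball actual
  tarball=$(mktemp)
  if ! base64 --decode "$b64" > "$tarball"; then
    rm -f "$tarball"; return 2
  fi
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    rm -f "$tarball"; return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest" || { rm -f "$tarball"; return 3; }
  rm -f "$tarball"
}

# Wiring into Vault (the "sha256" key is this example's assumption).
# key=@file makes the CLI read the value from a file, keeping it out of argv.
#   sum=$(pack_dir secrets_dir secrets.b64)
#   vault kv put kv/secret_tar filecontents=@secrets.b64 sha256="$sum"
#   vault kv get -field=filecontents kv/secret_tar > retrieved.b64
#   restore_payload retrieved.b64 "$(vault kv get -field=sha256 kv/secret_tar)" restored
```

Because the checksum lives in the same Vault entry as the payload, it catches corruption and handling mistakes, not changes made by someone with write access to that path.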