Accessing vaults#
Accessing private vaults#
$ kinit admin
Password for admin@EXAMPLE.COM: ********
$ ipa vault-find
----------------
3 vaults matched
----------------
Vault name: private1
Type: standard
Vault name: private2
Type: symmetric
Vault name: private3
Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------
$ ipa vault-show private1
Vault name: private1
Type: standard
Owner users: admin
$ ipa vault-show private2
Vault name: private2
Type: symmetric
Salt: NhmEI0NELtjZG2MfbHjjNw==
Owner users: admin
$ ipa vault-show private3
Vault name: private3
Type: asymmetric
Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
Owner users: admin
Accessing service vaults#
$ ipa vault-find --service HTTP/server.example.com
----------------
3 vaults matched
----------------
Vault name: service1
Type: standard
Vault name: service2
Type: symmetric
Vault name: service3
Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------
$ ipa vault-show service1 --service HTTP/server.example.com
Vault name: service1
Type: standard
Owner users: admin
$ ipa vault-show service2 --service HTTP/server.example.com
Vault name: service2
Type: symmetric
Salt: x5VVAO7JM5QqOkibTw9eLQ==
Owner users: admin
$ ipa vault-show service3 --service HTTP/server.example.com
Vault name: service3
Type: asymmetric
Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
Owner users: admin
Accessing user vaults#
$ kinit testuser
Password for testuser@EXAMPLE.COM: ********
$ ipa vault-find
----------------
3 vaults matched
----------------
Vault name: testuser1
Type: standard
Vault name: testuser2
Type: symmetric
Vault name: testuser3
Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------
$ ipa vault-show testuser1
Vault name: testuser1
Type: standard
Owner users: testuser
$ kinit admin
Password for admin@EXAMPLE.COM: ********
$ ipa vault-find --user testuser
----------------
3 vaults matched
----------------
Vault name: testuser1
Type: standard
Vault name: testuser2
Type: symmetric
Vault name: testuser3
Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------
$ ipa vault-show testuser1 --user testuser
Vault name: testuser1
Type: standard
Owner users: testuser
Modifying vault properties#
$ ipa vault-mod private1 --desc "Private vault"
-------------------------
Modified vault "private1"
-------------------------
Vault name: private1
Description: Private vault
Type: standard
Owner users: admin
Deleting vaults#
$ ipa vault-del private1
------------------------
Deleted vault "private1"
------------------------
Archiving Secrets#
Archiving into standard vaults#
$ echo "Hello World" > secret.in
$ ipa vault-add StandardVault
---------------------------
Added vault "StandardVault"
----------------------------
Vault name: StandardVault
Type: standard
Owner users: admin
$ ipa vault-archive StandardVault --in secret.in
----------------------------------------
Archived data into vault "StandardVault"
----------------------------------------
$ ipa vault-retrieve StandardVault --out secret.out
-----------------------------------------
Retrieved data from vault "StandardVault"
-----------------------------------------
$ cat secret.out
Hello World
Archiving into symmetric vaults#
$ echo "Hello World" > secret.in
$ ipa vault-add SymmetricVault --type symmetric
New password: ********
Verify password: ********
----------------------------
Added vault "SymmetricVault"
----------------------------
Vault name: SymmetricVault
Type: symmetric
Salt: aeTGZ5PjkhPorrvRD2tV/g==
Owner users: admin
$ ipa vault-archive SymmetricVault --in secret.in
Password: ********
-----------------------------------------
Archived data into vault "SymmetricVault"
-----------------------------------------
$ ipa vault-retrieve SymmetricVault --out secret.out
Password: ********
------------------------------------------
Retrieved data from vault "SymmetricVault"
------------------------------------------
$ cat secret.out
Hello World
Archiving into asymmetric vaults#
$ echo "Hello World" > secret.in
$ openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
...............................................................+++
e is 65537 (0x10001)
$ openssl rsa -in private.pem -out public.pem -pubout
writing RSA key
$ ipa vault-add AsymmetricVault --type asymmetric --public-key-file public.pem
-----------------------------
Added vault "AsymmetricVault"
-----------------------------
Vault name: AsymmetricVault
Type: asymmetric
Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
Owner users: admin
$ ipa vault-archive AsymmetricVault --in secret.in
------------------------------------------
Archived data into vault "AsymmetricVault"
------------------------------------------
$ ipa vault-retrieve AsymmetricVault --private-key-file private.pem --out secret.out
-------------------------------------------
Retrieved data from vault "AsymmetricVault"
-------------------------------------------
$ cat secret.out
Hello World
Controlling Vault Access#
Managing vault owners/members#
Assuming the user has the following vaults:
$ kinit admin
Password for admin@EXAMPLE.COM: ********
$ ipa vault-find --shared
----------------
3 vaults matched
----------------
Vault name: shared1
Type: standard
Vault name: shared2
Type: symmetric
Vault name: shared3
Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------
To add a vault owner:
$ ipa vault-add-owner shared1 --shared --users testuser
Vault name: shared1
Type: standard
Owner users: admin, testuser
------------------------
Number of owners added 1
------------------------
To add a vault member:
$ ipa vault-add-member shared2 --shared --users testuser
Vault name: shared2
Type: symmetric
Salt: Cn6ygL1aN9Je/wZ2ZTrA3w==
Owner users: admin
Member users: testuser
-------------------------
Number of members added 1
-------------------------
Accessing vaults as owners/members#
$ kinit testuser
Password for testuser@EXAMPLE.COM: ********
$ ipa vault-find --shared
----------------
2 vaults matched
----------------
Vault name: shared1
Type: standard
Vault name: shared2
Type: symmetric
----------------------------
Number of entries returned 2
----------------------------
$ ipa vault-show shared1 --shared
Vault name: shared1
Type: standard
Owner users: admin, testuser
$ ipa vault-show shared2 --shared
Vault name: shared2
Type: symmetric
Salt: Cn6ygL1aN9Je/wZ2ZTrA3w==
Owner users: admin
Member users: testuser
$ ipa vault-show shared3 --shared
ipa: ERROR: shared3: vault not found
Modifying vaults as owners/members#
$ kinit testuser
Password for testuser@EXAMPLE.COM: ********
$ ipa vault-mod shared1 --shared --desc "Shared vault"
------------------------
Modified vault "shared1"
------------------------
Vault name: shared1
Description: Shared vault
Type: standard
Owner users: admin, testuser
$ ipa vault-mod shared2 --shared --desc "Shared vault"
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'description' attribute of entry 'cn=shared2,cn=shared,cn=vaults,cn=kra,dc=example,dc=com'.
$ ipa vault-mod shared3 --shared --desc "Shared vault"
ipa: ERROR: shared3: vault not found
Archiving secrets as owners/members#
$ kinit testuser
Password for testuser@EXAMPLE.COM: ********
$ ipa vault-archive shared1 --shared --in secret.in
----------------------------------
Archived data into vault "shared1"
----------------------------------
$ ipa vault-archive shared2 --shared --in secret.in
Password: ********
----------------------------------
Archived data into vault "shared2"
----------------------------------
$ ipa vault-archive shared3 --shared --in secret.in
ipa: ERROR: shared3: vault not found