IPA Password Vault 1.0


Accessing vaults

Accessing private vaults

$ kinit admin
Password for admin@EXAMPLE.COM: ********

$ ipa vault-find
----------------
3 vaults matched
----------------
  Vault name: private1
  Type: standard

  Vault name: private2
  Type: symmetric

  Vault name: private3
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------

$ ipa vault-show private1
  Vault name: private1
  Type: standard
  Owner users: admin

$ ipa vault-show private2
  Vault name: private2
  Type: symmetric
  Salt: NhmEI0NELtjZG2MfbHjjNw==
  Owner users: admin

$ ipa vault-show private3
  Vault name: private3
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin

Accessing shared vaults

$ ipa vault-find --shared
----------------
3 vaults matched
----------------
  Vault name: shared1
  Type: standard

  Vault name: shared2
  Type: symmetric

  Vault name: shared3
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------

$ ipa vault-show shared1 --shared
  Vault name: shared1
  Type: standard
  Owner users: admin

$ ipa vault-show shared2 --shared
  Vault name: shared2
  Type: symmetric
  Salt: Cn6ygL1aN9Je/wZ2ZTrA3w==
  Owner users: admin

$ ipa vault-show shared3 --shared
  Vault name: shared3
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin

Accessing service vaults

$ ipa vault-find --service HTTP/server.example.com
----------------
3 vaults matched
----------------
  Vault name: service1
  Type: standard

  Vault name: service2
  Type: symmetric

  Vault name: service3
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------

$ ipa vault-show service1 --service HTTP/server.example.com
  Vault name: service1
  Type: standard
  Owner users: admin

$ ipa vault-show service2 --service HTTP/server.example.com
  Vault name: service2
  Type: symmetric
  Salt: x5VVAO7JM5QqOkibTw9eLQ==
  Owner users: admin

$ ipa vault-show service3 --service HTTP/server.example.com
  Vault name: service3
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin

Accessing user vaults

$ kinit testuser
Password for testuser@EXAMPLE.COM: ********

$ ipa vault-find
----------------
3 vaults matched
----------------
  Vault name: testuser1
  Type: standard

  Vault name: testuser2
  Type: symmetric

  Vault name: testuser3
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------

$ ipa vault-show testuser1
  Vault name: testuser1
  Type: standard
  Owner users: testuser

$ kinit admin
Password for admin@EXAMPLE.COM: ********

$ ipa vault-find --user testuser
----------------
3 vaults matched
----------------
  Vault name: testuser1
  Type: standard

  Vault name: testuser2
  Type: symmetric

  Vault name: testuser3
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------

$ ipa vault-show testuser1 --user testuser
  Vault name: testuser1
  Type: standard
  Owner users: testuser

Modifying vault properties

$ ipa vault-mod private1 --desc "Private vault"
-------------------------
Modified vault "private1"
-------------------------
  Vault name: private1
  Description: Private vault
  Type: standard
  Owner users: admin

Deleting vaults

$ ipa vault-del private1
------------------------
Deleted vault "private1"
------------------------

Archiving Secrets

Archiving into standard vaults

$ echo "Hello World" > secret.in

$ ipa vault-add StandardVault
---------------------------
Added vault "StandardVault"
----------------------------
  Vault name: StandardVault
  Type: standard
  Owner users: admin

$ ipa vault-archive StandardVault --in secret.in
----------------------------------------
Archived data into vault "StandardVault"
----------------------------------------

$ ipa vault-retrieve StandardVault --out secret.out
-----------------------------------------
Retrieved data from vault "StandardVault"
-----------------------------------------

$ cat secret.out
Hello World

Archiving into symmetric vaults

$ echo "Hello World" > secret.in

$ ipa vault-add SymmetricVault --type symmetric
New password: ********
Verify password: ********
----------------------------
Added vault "SymmetricVault"
----------------------------
  Vault name: SymmetricVault
  Type: symmetric
  Salt: aeTGZ5PjkhPorrvRD2tV/g==
  Owner users: admin

$ ipa vault-archive SymmetricVault --in secret.in
Password: ********
-----------------------------------------
Archived data into vault "SymmetricVault"
-----------------------------------------

$ ipa vault-retrieve SymmetricVault --out secret.out
Password: ********
------------------------------------------
Retrieved data from vault "SymmetricVault"
------------------------------------------

$ cat secret.out
Hello World

Archiving into asymmetric vaults

$ echo "Hello World" > secret.in

$ openssl genrsa -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
...............................................................+++
e is 65537 (0x10001)

$ openssl rsa -in private.pem -out public.pem -pubout
writing RSA key

$ ipa vault-add AsymmetricVault --type asymmetric --public-key-file public.pem
-----------------------------
Added vault "AsymmetricVault"
-----------------------------
  Vault name: AsymmetricVault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuVDYxRUZ4VU9RZ0NKZE0wdG13LwpwUlJQRFBHY2hUQ2xuVTFlQn
RpUUQzSXRLWWYxK3dlTUd3R09TSlhQdGt0bzdObEU3UXM4V0hBcjBVanllQkRlCmsvemVCNm5TVmRrND
dPZGFXMUFIckpMKzQ0cjIzOEpibS8rN1ZPNWxUdTZaNE41cDBWcW9XTkxpMFVoL0NrcUIKdHN4WGFhQW
dqTXAwQUdxMlUvYU8vYWtlRVlXUU9ZSWRxVUtWZ0FFS1g1TW1JQTh0bWJtb1lJUStCNFEzdlg3TgpvdE
c0ZVI2YzJvOUZ5amQrTTRHYWk1Q2UwZlNyaWdSdnhBWWk4eHBSa1E1eVFuNWdmNFdWcm4rVUtUZk9Jak
xPCnBWVGhvcCtYaXZjcmUzU3BJMGt0Nm9aUGhCdzlpOGdiTW5xaWZWbUdGcFZkaHErUVZCcXArTVZKdl
RiaFJQRzYKM3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin

$ ipa vault-archive AsymmetricVault --in secret.in
------------------------------------------
Archived data into vault "AsymmetricVault"
------------------------------------------

$ ipa vault-retrieve AsymmetricVault --private-key-file private.pem --out secret.out
-------------------------------------------
Retrieved data from vault "AsymmetricVault"
-------------------------------------------

$ cat secret.out
Hello World

Controlling Vault Access

Managing vault owners/members

Assume the following shared vaults already exist (listed here while authenticated as admin, the owner of all three):

$ kinit admin
Password for admin@EXAMPLE.COM: ********

$ ipa vault-find --shared
----------------
3 vaults matched
----------------
  Vault name: shared1
  Type: standard

  Vault name: shared2
  Type: symmetric

  Vault name: shared3
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------

To add another owner to a vault (owners may both read the vault and change its properties and membership):

$ ipa vault-add-owner shared1 --shared --users testuser
  Vault name: shared1
  Type: standard
  Owner users: admin, testuser
------------------------
Number of owners added 1
------------------------

To add a member to a vault (members may access the vault contents but, as shown below, cannot modify its properties):

$ ipa vault-add-member shared2 --shared --users testuser
  Vault name: shared2
  Type: symmetric
  Salt: Cn6ygL1aN9Je/wZ2ZTrA3w==
  Owner users: admin
  Member users: testuser
-------------------------
Number of members added 1
-------------------------

Accessing vaults as owners/members

$ kinit testuser
Password for testuser@EXAMPLE.COM: ********

$ ipa vault-find --shared
----------------
2 vaults matched
----------------
  Vault name: shared1
  Type: standard

  Vault name: shared2
  Type: symmetric
----------------------------
Number of entries returned 2
----------------------------

$ ipa vault-show shared1 --shared
  Vault name: shared1
  Type: standard
  Owner users: admin, testuser

$ ipa vault-show shared2 --shared
  Vault name: shared2
  Type: symmetric
  Salt: Cn6ygL1aN9Je/wZ2ZTrA3w==
  Owner users: admin
  Member users: testuser

$ ipa vault-show shared3 --shared
ipa: ERROR: shared3: vault not found

Modifying vaults as owners/members

$ kinit testuser
Password for testuser@EXAMPLE.COM: ********

$ ipa vault-mod shared1 --shared --desc "Shared vault"
------------------------
Modified vault "shared1"
------------------------
  Vault name: shared1
  Description: Shared vault
  Type: standard
  Owner users: admin, testuser

$ ipa vault-mod shared2 --shared --desc "Shared vault"
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'description' attribute of entry 'cn=shared2,cn=shared,cn=vaults,cn=kra,dc=example,dc=com'.

$ ipa vault-mod shared3 --shared --desc "Shared vault"
ipa: ERROR: shared3: vault not found

Archiving secrets as owners/members

$ kinit testuser
Password for testuser@EXAMPLE.COM: ********

$ ipa vault-archive shared1 --shared --in secret.in
----------------------------------
Archived data into vault "shared1"
----------------------------------

$ ipa vault-archive shared2 --shared --in secret.in
Password: ********
----------------------------------
Archived data into vault "shared2"
----------------------------------

$ ipa vault-archive shared3 --shared --in secret.in
ipa: ERROR: shared3: vault not found

References