Service Operations#

Creating service vault#

Assuming the owner is authenticated:

$ kinit admin
Password for admin@EXAMPLE.COM: ********

To create a vault for a service:

$ ipa vault-add password --service HTTP/server.example.com --type asymmetric --public-key-file public.pem
----------------------
Added vault "password"
----------------------
  Vault name: password
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEwdmtobGpYSyswVXU2dVg5SFJuNQplb0doL2tnZEN4NTBDWjBreT
NzLzY2MHF6VUdKTXEzbDJZSCtTbU05Qm1hUWRTa01NNWhzSnQ5WDVSenQvQ3lOCkpPOTdrUzFzK0F6YW
RaaCs1SE5tWkNoZHNCQnFNVnNKYjdQaVhkOStjSWF5RTAzdUg2dFk3eEN1dXN5S3V5TjUKYmdsdDBkMU
5GcE1FZkMxVXV4bDA0Z0lpcmJZa3ZQMDNoZmpJaFBaaytHTFRFeUV5bUNocllYL0I3WXl5RWdlaAp0K3
dHc2VtVmgwMEVmaHRhamFnZWZSRTdPZDVNWUd2RytqaFRRV3NuWncraWxsemRaVHVSWGJuSS8vaVFjNF
MyCkRyTjgyQ29vUS9QU3NrWEJlZmtEeFBmSVRwQ0RoRG1CeDVxUkI2cElHL1RnZmNiOC9QVkdIKzNYV1
VhVzhseXUKY3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin

To add a service as a member of the vault:

$ ipa vault-add-member password --service HTTP/server.example.com --services HTTP/server.example.com
  Vault name: password
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUU
VGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEwdmtobGpYSyswVXU2dVg5SFJuNQplb0doL2tnZEN4NTBDWjBreT
NzLzY2MHF6VUdKTXEzbDJZSCtTbU05Qm1hUWRTa01NNWhzSnQ5WDVSenQvQ3lOCkpPOTdrUzFzK0F6YW
RaaCs1SE5tWkNoZHNCQnFNVnNKYjdQaVhkOStjSWF5RTAzdUg2dFk3eEN1dXN5S3V5TjUKYmdsdDBkMU
5GcE1FZkMxVXV4bDA0Z0lpcmJZa3ZQMDNoZmpJaFBaaytHTFRFeUV5bUNocllYL0I3WXl5RWdlaAp0K3
dHc2VtVmgwMEVmaHRhamFnZWZSRTdPZDVNWUd2RytqaFRRV3NuWncraWxsemRaVHVSWGJuSS8vaVFjNF
MyCkRyTjgyQ29vUS9QU3NrWEJlZmtEeFBmSVRwQ0RoRG1CeDVxUkI2cElHL1RnZmNiOC9QVkdIKzNYV1
VhVzhseXUKY3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: admin
  Member services: HTTP/server.example.com@EXAMPLE.COM
-------------------------
Number of members added 1
-------------------------

To archive a secret into the vault:

$ echo "Hello World" > secret.in

$ ipa vault-archive password --service HTTP/server.example.com --in secret.in
-----------------------------------
Archived data into vault "password"
-----------------------------------

Retrieving secrets from service vault#

Assuming the service is authenticated:

$ kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab

To retrieve a secret from a service vault:

$ ipa vault-retrieve password --service HTTP/server.example.com --private-key-file private.pem --out secret.out
------------------------------------
Retrieved data from vault "password"
------------------------------------

$ cat secret.out
Hello World

References#