Vault
HashiCorp Vault operational patterns for the domus infrastructure.
Connection & Status
Set Vault address and check status
export VAULT_ADDR="https://vault-01.inside.domusdigitalis.dev:8200"
vault status
Authenticate — interactive token prompt
vault login
Authenticate with userpass
vault login -method=userpass username=admin
Check current token — policies, TTL, accessor
vault token lookup
KV v2 — Daily Secret Operations
Read a secret
vault kv get kv/infra/db
Read a single field — for scripting
vault kv get -field=password kv/infra/db
Read as JSON and extract with jq
vault kv get -format=json kv/infra/db | jq -r '.data.data.password'
Write a secret with key-value pairs
vault kv put kv/infra/db user=admin password=<REDACTED>
List secrets at a path
vault kv list kv/infra/
Soft-delete current version — recoverable
vault kv delete kv/infra/db
Check metadata — version history, timestamps
vault kv metadata get kv/infra/db
PKI — Certificate Issuance
Issue a server certificate from the intermediate CA
vault write pki_int/issue/domus-server \
common_name="web.inside.domusdigitalis.dev" \
alt_names="web" \
ip_sans="10.50.1.100" \
ttl=720h
Issue a client certificate for EAP-TLS
vault write pki_int/issue/domus-client \
common_name="modestus-razer.inside.domusdigitalis.dev" \
ttl=2160h
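When either `pki_int/issue/...` call above is run with `-format=json`, Vault returns the leaf certificate, the private key and the CA chain in one JSON document. The helper below is an added example, not part of this runbook: it splits that response into a key file created with mode 0600, a leaf certificate and a full-chain file. The sample response and its PEM bodies are constructed placeholders, and `write_bundle` and `demo` are hypothetical names.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for what `vault write -format=json pki_int/issue/domus-server ...`
# prints; the PEM bodies are placeholders, not real certificates or keys.
SAMPLE_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nINT\n-----END CERTIFICATE-----\n",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nINT\n-----END CERTIFICATE-----\n",
                 "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"],
    "private_key": "-----BEGIN EC PRIVATE KEY-----\nKEY\n-----END EC PRIVATE KEY-----\n",
    "private_key_type": "ec",
    "serial_number": "00:11:22:33",  # placeholder serial
    "expiration": 1700000000,
}})

def write_bundle(response_json: str, out_dir: str, name: str) -> dict:
    """Split a pki_int/issue response into <name>.key, <name>.crt and <name>.fullchain.pem."""
    data = json.loads(response_json)["data"]
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    # Open the key file with mode 0600 from the start, so the private key is never
    # world-readable between the write and a later chmod.
    key_path = out / f"{name}.key"
    with os.fdopen(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        fh.write(data["private_key"])
    # Leaf certificate alone, for services that take cert and chain as separate files.
    (out / f"{name}.crt").write_text(data["certificate"])
    # Full chain: leaf first, then the CA chain; fall back to issuing_ca if ca_chain is absent.
    chain = data.get("ca_chain") or [data["issuing_ca"]]
    pems = [data["certificate"], *chain]
    (out / f"{name}.fullchain.pem").write_text("".join(p.rstrip("\n") + "\n" for p in pems))
    return {"key": str(key_path), "serial_number": data["serial_number"],
            "expiration": data["expiration"], "certs_in_fullchain": len(pems)}

def demo() -> dict:
    """Run write_bundle on the sample in a temp dir and report what was written."""
    tmp = tempfile.mkdtemp(prefix="vault-pki-")
    info = write_bundle(SAMPLE_RESPONSE, tmp, "web")
    info["key_mode"] = stat.S_IMODE(os.stat(info["key"]).st_mode)  # expect 0o600
    fullchain = Path(tmp, "web.fullchain.pem").read_text()
    info["pem_blocks"] = fullchain.count("BEGIN CERTIFICATE")
    info["leaf_first"] = fullchain.startswith(Path(tmp, "web.crt").read_text())
    return info
```

In practice the response comes from `vault write -format=json pki_int/issue/domus-server ... > resp.json` and the `serial_number` it carries is the value later passed to `pki_int/revoke`.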
Read the intermediate CA certificate
vault read pki_int/cert/ca
Revoke a certificate by serial number
vault write pki_int/revoke serial_number=<serial>
Tidy expired certificates and CRLs
vault write pki_int/tidy \
tidy_cert_store=true \
tidy_revoked_certs=true \
safety_buffer=72h
SSH Certificate Authority
Sign an SSH public key with Vault CA
vault write -field=signed_key ssh/sign/admin \
public_key=@$HOME/.ssh/id_ed25519.pub > ~/.ssh/id_ed25519-cert.pub
Sign and inspect the resulting certificate (principals, validity, serial) in one step
vault write -field=signed_key ssh/sign/admin \
public_key=@$HOME/.ssh/id_ed25519.pub > ~/.ssh/id_ed25519-cert.pub \
&& ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub
Seal & Unseal Operations
Check seal status
vault status | awk '/Sealed/{print $2}'
Unseal — provide one key, repeat for threshold count
vault operator unseal
Raft Backup
Create a Raft snapshot
vault operator raft snapshot save "backup-$(date +%Y%m%d-%H%M%S).snap"
Restore from snapshot
vault operator raft snapshot restore backup.snap
List Raft cluster peers
vault operator raft list-peers
Policy Management
Read a policy
vault policy read default
Write a policy from HCL file
vault policy write app-policy policy.hcl
List all policies
vault policy list
Audit & Troubleshooting
List enabled audit devices
vault audit list
List all secrets engines with config
vault secrets list -detailed
List auth methods
vault auth list -detailed
Revoke all leases under a prefix — cleanup after testing
vault lease revoke -prefix pki_int/issue/