Vault

HashiCorp Vault operations for secrets management, PKI, and SSH certificate authority.

Cluster Operations

Check cluster seal status, HA mode, version
vault status
Initialize Vault with Shamir key splitting
vault operator init -key-shares=5 -key-threshold=3
Provide one unseal key — repeat for threshold
vault operator unseal <key>

Authentication

Authenticate interactively — prompts for token
vault login
Authenticate with userpass auth method
vault login -method=userpass username=admin
Current token info — policies, TTL, accessor
vault token lookup
Create child token with specific policy and TTL
vault token create -policy=app -ttl=1h
Revoke a specific token
vault token revoke <token>

Secrets Engines

List all enabled secrets engines with config
vault secrets list -detailed
Enable KV v2 secrets engine at path
vault secrets enable -path=kv kv-v2
List enabled auth methods with config
vault auth list -detailed

KV v2 Secrets

Read KV v2 secret at path
vault kv get kv/infra/db
Read single field from KV secret
vault kv get -field=password kv/infra/db
Read KV secret as JSON, extract data
vault kv get -format=json kv/infra/db | jq '.data.data'
Write KV secret with key-value pairs
vault kv put kv/infra/db user=admin password=s3cret
List secrets at path
vault kv list kv/infra/
Soft-delete current version
vault kv delete kv/infra/db
Secret metadata — versions, timestamps, custom metadata
vault kv metadata get kv/infra/db

PKI Secrets Engine

Read intermediate CA certificate
vault read pki_int/cert/ca
Issue TLS certificate from PKI role
vault write pki_int/issue/domus-client common_name=host.domain ttl=720h
Revoke a specific certificate
vault write pki_int/revoke serial_number=<serial>

SSH Secrets Engine

Sign SSH public key with Vault CA (the @ prefix reads the key from a file; use $HOME rather than ~, which the shell does not expand after @)
vault write ssh/sign/admin public_key=@$HOME/.ssh/id_ed25519.pub

Policies

Read a named policy
vault policy read default
Create or update policy from HCL file
vault policy write app-policy policy.hcl
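A least-privilege policy.hcl for the app tokens created above (added example, not from the original sheet). It assumes the KV v2 engine is mounted at kv/ as in this sheet; note that KV v2 paths in policies carry the data/ and metadata/ prefixes even though the CLI commands omit them.

```hcl
# Constructed example: read-only access to one KV v2 secret.
# "vault kv get kv/infra/db" and "vault kv get -field=password kv/infra/db"
# hit the API path kv/data/infra/db, so the policy must grant it there.
path "kv/data/infra/db" {
  capabilities = ["read"]
}

# "vault kv metadata get kv/infra/db" and "vault kv list kv/infra/"
# go through the metadata path; list is needed for the directory listing.
path "kv/metadata/infra/db" {
  capabilities = ["read"]
}
path "kv/metadata/infra/" {
  capabilities = ["list"]
}

# Everything not listed is denied by default, so this token cannot
# "vault kv put" or "vault kv delete" the secret, or touch other paths.
```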

Audit

List enabled audit devices
vault audit list
Enable file-based audit logging
vault audit enable file file_path=/var/log/vault_audit.log

Raft Storage

Raft cluster membership and leader
vault operator raft list-peers
Create Raft storage snapshot for backup
vault operator raft snapshot save backup.snap
Restore Raft storage from snapshot
vault operator raft snapshot restore backup.snap

Lease Management

Revoke all leases under prefix
vault lease revoke -prefix pki_int/issue/

Transit Encryption

Encrypt data with Transit secrets engine
vault write transit/encrypt/mykey plaintext=$(echo -n "secret" | base64)