dsec Vault Migration: Implementation

Phase 1: Vault KV Engine Setup

Objective: Enable KV v2 secrets engine and create path structure.

# Enable KV v2 at kv/ path
vault secrets enable -path=kv kv-v2

# Create initial structure (empty secrets as placeholders)
vault kv put kv/domus/network/ise placeholder=true
vault kv put kv/domus/servers/ise-01/admin placeholder=true

Deliverables:

  • KV v2 engine enabled

  • Path structure created

  • Documentation updated

Phase 2: Access Policies

Objective: Create Vault policies for different access levels.

Policy: dsec-admin (full access)

# Full read/write to all domus secrets
path "kv/data/domus/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "kv/metadata/domus/*" {
  capabilities = ["list", "read", "delete"]
}

Policy: dsec-network (network secrets only)

# Read-only to network secrets
path "kv/data/domus/network/*" {
  capabilities = ["read", "list"]
}

path "kv/data/domus/radius/*" {
  capabilities = ["read", "list"]
}

# KV v2 serves `vault kv list` from the metadata path, so listing needs these too
path "kv/metadata/domus/network/*" {
  capabilities = ["list"]
}

path "kv/metadata/domus/radius/*" {
  capabilities = ["list"]
}

Policy: dsec-readonly (read all)

# Read-only to all domus secrets
path "kv/data/domus/*" {
  capabilities = ["read", "list"]
}

# Listing and version history (dsec history) are served from the metadata path
path "kv/metadata/domus/*" {
  capabilities = ["read", "list"]
}

Deliverables:

  • dsec-admin policy created

  • dsec-network policy created

  • dsec-readonly policy created

  • Policies tested

Phase 3: Authentication Methods

Objective: Configure auth methods for dsec CLI.

Option A: Token Auth (Simple)

Use long-lived tokens stored locally (similar to current age key).

# Create token with dsec-admin policy
vault token create -policy=dsec-admin -ttl=8760h -display-name="dsec-cli"

Store token in ~/.vault-token or environment variable.

Option B: AppRole Auth

Use a RoleID/SecretID pair so the CLI obtains short-lived tokens instead of a long-lived one.

# Enable AppRole
vault auth enable approle

# Create role for dsec
vault write auth/approle/role/dsec-cli \
  token_policies="dsec-admin" \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_ttl=0   # 0 = SecretIDs never expire

# Get RoleID and SecretID
vault read auth/approle/role/dsec-cli/role-id
vault write -f auth/approle/role/dsec-cli/secret-id

Option C: OIDC Auth (Future - Keycloak Integration)

Integrate with Keycloak for SSO-based Vault access.

vault auth enable oidc

vault write auth/oidc/config \
  oidc_discovery_url="https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis" \
  oidc_client_id="vault" \
  oidc_client_secret="<secret>" \
  default_role="dsec-user"

Deliverables:

  • Auth method selected and configured

  • Credentials distributed securely

  • Authentication tested

Phase 4: dsec CLI Modification

Objective: Update dsec to support Vault backend.

Current dsec Interface

# Current usage
dsource d000 dev/network    # Load network secrets
dsec show d000/ise/admin    # Show specific secret

New dsec Interface (Vault Backend)

# Same interface, Vault backend
dsource d000 dev/network    # Reads from kv/domus/network/*
dsec show domus/ise/admin   # Reads from kv/data/domus/servers/ise-01/admin

# New capabilities
dsec write domus/ise/admin password="newpass"  # Write secret
dsec list domus/network     # List secrets in path
dsec history domus/ise/admin # View secret versions (KV v2)

Implementation Options

Option A: Shell Functions with Vault CLI

dsource() {
  # vault kv get inserts the data/ segment itself, so pass the logical path
  # (kv/data/domus/... would be requested as kv/data/data/domus/...)
  local vault_path="kv/domus/$1"

  # Fetch secrets from Vault and export as env vars; @sh single-quotes each
  # value so spaces and shell metacharacters in a secret are not run by eval
  eval "$(vault kv get -format=json "$vault_path" \
    | jq -r '.data.data | to_entries | .[] | "export \(.key)=\(.value | tostring | @sh)"')"
}

Option B: Python CLI with hvac

import shlex

import click
import hvac

@click.command()
@click.argument('path')
def dsource(path):
    # hvac picks the token up from VAULT_TOKEN (or ~/.vault-token) by default
    client = hvac.Client(url='http://vault-01:8200')
    # The engine is mounted at kv/, not hvac's default mount point secret/
    secret = client.secrets.kv.v2.read_secret_version(
        mount_point='kv', path=f"domus/{path}")
    for key, value in secret['data']['data'].items():
        # Quote values so eval "$(dsource ...)" cannot execute secret contents as shell
        click.echo(f"export {key}={shlex.quote(str(value))}")

if __name__ == '__main__':
    dsource()
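As an added example (not the project's own dsec code), the parts of a Vault-backed dsec that can be exercised without a Vault server, covering both Option A and Option B above: mapping a dsec path to the mount and path hvac expects, rendering `dsource` exports that are safe to eval, and summarising KV v2 metadata for `dsec history`. The function names and the sample responses are constructed for this example; the responses only follow the shape of the KV v2 API envelope.

```python
import re
import shlex

# Constructed sample responses (values made up). SAMPLE_READ has the shape of
# hvac's read_secret_version() / `vault kv get -format=json`; SAMPLE_META has
# the shape of read_secret_metadata() / `vault kv metadata get -format=json`.
SAMPLE_READ = {"data": {
    "data": {"username": "ise-admin", "password": "p@ss word; echo owned"},
    "metadata": {"version": 3, "created_time": "2024-05-01T10:00:00Z"},
}}
SAMPLE_META = {"data": {"current_version": 3, "versions": {
    "1": {"created_time": "2024-03-01T09:00:00Z", "deletion_time": "", "destroyed": True},
    "2": {"created_time": "2024-04-01T09:00:00Z", "deletion_time": "2024-04-20T09:00:00Z", "destroyed": False},
    "3": {"created_time": "2024-05-01T10:00:00Z", "deletion_time": "", "destroyed": False},
}}}

SHELL_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def kv_path(logical, mount="kv"):
    """Map a dsec path ('ise/admin') to the (mount_point, path) pair hvac expects.
    The data/ segment must not be included: hvac and `vault kv` add it, so
    kv/data/domus/x would be requested as kv/data/data/domus/x."""
    parts = [p for p in logical.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise ValueError(f"invalid secret path: {logical!r}")
    return mount, "domus/" + "/".join(parts)

def export_lines(envelope):
    """Render KV v2 secret data as `export K=V` lines that are safe to eval:
    keys must be shell identifiers, values are single-quoted by shlex."""
    lines = []
    for key, value in envelope["data"]["data"].items():
        if not SHELL_IDENT.match(key):
            raise ValueError(f"secret key {key!r} is not a valid shell identifier")
        lines.append(f"export {key}={shlex.quote(str(value))}")
    return lines

def history_rows(meta):
    """Summarise KV v2 metadata as (version, created_time, state) for `dsec history`."""
    rows = []
    for ver, info in sorted(meta["data"]["versions"].items(), key=lambda kv: int(kv[0])):
        # A destroyed version has its data wiped; a deleted one is soft-deleted
        state = "destroyed" if info["destroyed"] else ("deleted" if info["deletion_time"] else "active")
        rows.append((int(ver), info["created_time"], state))
    return rows
```

With the unquoted `eval $(...)` from Option A, the sample password value would be executed as a second command; `export_lines` instead emits it single-quoted and refuses key names that are not plain identifiers.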

Deliverables:

  • dsec Vault backend implemented

  • Backward compatibility with age files (transition period)

  • Documentation updated

  • Shell completion updated