dsec Vault Migration: Operations
Phase 5: Secret Migration
Objective: Migrate existing secrets from age files to Vault.
Migration Script
#!/bin/bash
# migrate-dsec-to-vault.sh
# One-shot copy of the age-encrypted dev network secrets into Vault KV.
# Requires the age and vault CLIs and a VAULT_ADDR/VAULT_TOKEN allowed to
# write under kv/domus/network/.
set -euo pipefail

# Source age-encrypted secrets: decrypt in-process and load the KEY=VALUE
# pairs into this shell; the plaintext never lands on disk. With set -u a
# variable missing from the env file aborts the run instead of writing "".
source <(age -d -i ~/.config/age/key.txt ~/.secrets/env/d000/dev/network.env)

# Write to Vault. Note: key=value arguments are visible in the process
# table for the duration of each vault call; on a shared host, pass the
# fields as a JSON document on stdin instead (vault kv put <path> -).
vault kv put kv/domus/network/ise \
    ISE_PAN_FQDN="$ISE_PAN_FQDN" \
    ISE_API_USER="$ISE_API_USER" \
    ISE_API_PASS="$ISE_API_PASS" \
    ISE_API_TOKEN="$ISE_API_TOKEN"

vault kv put kv/domus/network/wlc \
    WLC_HOST="$WLC_HOST" \
    WLC_USER="$WLC_USER" \
    WLC_PASS="$WLC_PASS"
Phase 6: Transition Period
Objective: Run both systems in parallel for validation.
- dsec checks Vault first, falls back to age files
- Monitor for any missing secrets
- Validate all workflows work with Vault backend
Duration: 2-4 weeks
Deliverables:
- Dual-backend dsec deployed
- All workflows validated
- Issues documented and resolved
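The dual-backend lookup and the "missing secret" monitoring described above, as an added example (not dsec's own code): a Vault-first read with an age fallback, where every fallback hit is logged by key name only, so the transition period produces a list of secrets that still need migrating. The Vault path, the age file location and the log destination are assumptions about the dsec layout, overridable through environment variables.

```bash
#!/bin/bash
# dsec-dual-backend.sh (added example, not dsec's own code)
# Phase 6 lookup: try Vault first, fall back to the age-encrypted env file,
# and log every fallback so missing secrets are visible during the
# transition. Paths/defaults below are assumptions about the dsec layout.

VAULT_PATH="${DSEC_VAULT_PATH:-kv/domus/network/ise}"
AGE_FILE="${DSEC_AGE_FILE:-$HOME/.secrets/env/d000/dev/network.env}"
AGE_KEY="${DSEC_AGE_KEY:-$HOME/.config/age/key.txt}"
DSEC_LOG="${DSEC_LOG:-/dev/stderr}"   # fallback events go here

# Backend adapters: print the value on stdout, return non-zero when the key
# is absent. The dispatcher relies only on that contract, so either adapter
# can be swapped (or stubbed in a test) without touching dsec_get.
vault_lookup() {
    # -field prints only the value; vault exits non-zero for a missing
    # path or field, which is exactly the "not in Vault" signal we want
    vault kv get -field="$1" "$VAULT_PATH" 2>/dev/null
}

age_lookup() {
    # Decrypt in-process, keep the first KEY=VALUE line for this key,
    # drop an optional "export " prefix and surrounding double quotes.
    # The trailing grep makes an empty result count as "not found".
    age -d -i "$AGE_KEY" "$AGE_FILE" 2>/dev/null \
        | sed -n "s/^\(export \)\{0,1\}$1=//p" \
        | sed -n '1s/^"\(.*\)"$/\1/;1p' \
        | grep .
}

dsec_get() {
    local key value
    key="$1"
    # Key names are shell-identifier-like; anything else is rejected before
    # it reaches the sed pattern in age_lookup.
    case "$key" in
        ''|*[!A-Za-z0-9_]*) echo "dsec: invalid key name '$key'" >&2; return 2 ;;
    esac
    if value=$(vault_lookup "$key"); then
        printf '%s\n' "$value"
        return 0
    fi
    if value=$(age_lookup "$key"); then
        # Served from age only: record it (key name, never the value) so the
        # gap can be closed by re-running the Phase 5 migration for this key.
        printf '%s MISSING_IN_VAULT path=%s key=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$VAULT_PATH" "$key" >> "$DSEC_LOG"
        printf '%s\n' "$value"
        return 0
    fi
    echo "dsec: '$key' not found in Vault or age backend" >&2
    return 1
}

# CLI usage: ./dsec-dual-backend.sh WLC_PASS  (prints the value; exit 1 if absent)
if [ "$#" -gt 0 ]; then
    dsec_get "$1"
fi
```

Pointing DSEC_LOG at a file and grepping it for MISSING_IN_VAULT at the end of each week gives the "missing secrets" list for the Phase 6 deliverables; once that list stays empty for the whole validation window, the age adapter can be removed for Phase 7.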
Phase 7: Deprecate Age Backend
Objective: Remove age file dependency.
# Archive age-encrypted files
tar -czvf ~/backups/dsec-age-archive-$(date +%Y%m%d).tar.gz ~/.secrets/env/
# Remove age backend from dsec
# Update dsec to Vault-only mode
# Keep age key for emergency recovery
# ~/.config/age/key.txt remains
Deliverables:
- Age files archived
- dsec updated to Vault-only
- Documentation finalized
Phase 8: HA/Redundancy (Future)
Objective: Deploy Vault HA cluster for redundancy.
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│    vault-01     │◀───▶│    vault-02     │◀───▶│    vault-03     │
│    (Leader)     │     │   (Follower)    │     │   (Follower)    │
│  Raft Storage   │     │  Raft Storage   │     │  Raft Storage   │
└─────────────────┘     └─────────────────┘     └─────────────────┘
Components:
- Raft integrated storage (replace file backend)
- Auto-unseal with cloud KMS or Transit engine
- Load balancer for client connections
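A server configuration for one node of the three-node cluster above, as an added example (not part of the migration plan): Raft integrated storage in place of the file backend, auto-unseal through the Transit engine (the cloud KMS alternative swaps only the seal stanza), and the advertised addresses a load balancer needs. Hostnames under domus.internal, the data and TLS paths, and the transit key name are assumptions.

```hcl
# vault-01.hcl (added example; hostnames, paths and key name are assumed)
ui = true

# Raft integrated storage replaces the single-node file backend. Each node
# has its own node_id and data path; retry_join lets a restarted node find
# the cluster again without a manual "vault operator raft join".
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-01"

  retry_join {
    leader_api_addr = "https://vault-02.domus.internal:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-03.domus.internal:8200"
  }
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault.d/tls/vault-01.crt"
  tls_key_file    = "/etc/vault.d/tls/vault-01.key"
}

# Auto-unseal via the Transit engine on a separate Vault. The token for this
# stanza is supplied through the VAULT_TOKEN environment variable rather than
# written here, and needs only encrypt/decrypt on key_name.
seal "transit" {
  address    = "https://unseal.domus.internal:8200"
  key_name   = "autounseal"
  mount_path = "transit/"
}

# api_addr is what clients (and the load balancer) are told to use;
# cluster_addr is the Raft/replication address between peers. A load
# balancer in front of :8200 should health-check /v1/sys/health, which
# returns 200 on the active node and 429 on standbys by default, so
# writes always reach the leader.
api_addr     = "https://vault-01.domus.internal:8200"
cluster_addr = "https://vault-01.domus.internal:8201"
```

vault-02 and vault-03 use the same file with their own node_id, TLS files, advertised addresses and retry_join targets; the seal stanza is identical on all three, which is what lets any node come up unattended after a restart.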