vimc/vaultr
Vault Client for Secrets and Sensitive Data

Package index
Search the vimc/vaultr package
Vignettes
Functions
103
Source code
55
Man pages
21
Home
/
GitHub
/
vimc/vaultr
/
vault_client_operator: Vault Administration

vault_client_operator: Vault Administration
In vimc/vaultr: Vault Client for Secrets and Sensitive Data

vault_client_operatorR Documentation

Vault Administration

Description

Vault Administration

Vault Administration

Details

Administration commands for vault operators. Very few of these commands should be used without consulting the vault documentation as they affect the administration of a vault server, but they are included here for completeness.

Super class

vaultr::vault_client_object -> vault_client_operator

Methods

Public methods

Inherited methods

Method new()

Create a vault_client_operator object. Not typically called by users.

Usage
vault_client_operator$new(api_client)
Arguments
api_client

A vault_api_client object

Method key_status()

Return information about the current encryption key of Vault.

Usage
vault_client_operator$key_status()

Method is_initialized()

Returns the initialization status of Vault

Usage
vault_client_operator$is_initialized()

Method init()

This endpoint initializes a new Vault. The Vault must not have been previously initialized.

Usage
vault_client_operator$init(secret_shares, secret_threshold)
Arguments
secret_shares

Integer, specifying the number of shares to split the master key into

secret_threshold

Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal secret_shares

Method leader_status()

Check the high availability status and current leader of Vault

Usage
vault_client_operator$leader_status()

Method rekey_status()

Reads the configuration and progress of the current rekey attempt

Usage
vault_client_operator$rekey_status()

Method rekey_start()

This method begins a new rekey attempt. Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires cancelling and starting a new rekey, which will also provide a new nonce.

Usage
vault_client_operator$rekey_start(secret_shares, secret_threshold)
Arguments
secret_shares

Integer, specifying the number of shares to split the master key into

secret_threshold

Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal secret_shares

Method rekey_cancel()

This method cancels any in-progress rekey. This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note verification is still a part of a rekey. If rekeying is cancelled during the verification flow, the current unseal keys remain valid.

Usage
vault_client_operator$rekey_cancel()

Method rekey_submit()

This method is used to enter a single master key share to progress the rekey of the Vault. If the threshold number of master key shares is reached, Vault will complete the rekey. Otherwise, this method must be called multiple times until that threshold is met. The rekey nonce operation must be provided with each call.

Usage
vault_client_operator$rekey_submit(key, nonce)
Arguments
key

Specifies a single master share key (a string)

nonce

Specifies the nonce of the rekey operation (a string)

Method rotate()

This method triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys.

Usage
vault_client_operator$rotate()

Method seal()

Seal the vault, preventing any access to it. After the vault is sealed, it must be unsealed for further use.

Usage
vault_client_operator$seal()

Method seal_status()

Check the seal status of a Vault. This method can be used even when the client is not authenticated with the vault (which will the case for a sealed vault).

Usage
vault_client_operator$seal_status()

Method unseal()

Submit a portion of a key to unseal the vault. This method is typically called by multiple different operators to assemble the master key.

Usage
vault_client_operator$unseal(key, reset = FALSE)
Arguments
key

The master key share

reset

Logical, indicating if the unseal process should start be started again.

Examples


server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  # Our test server is by default unsealed:
  client$status()$sealed

  # We can seal the vault to prevent all access:
  client$operator$seal()
  client$status()$sealed

  # And then unseal it again
  client$operator$unseal(server$keys)
  client$status()$sealed
}

vimc/vaultr documentation built on Nov. 11, 2023, 8:21 a.m.

Related to vault_client_operator in vimc/vaultr...

vimc/vaultr index
README.md

R Package Documentation

rdrr.io home R language documentation Run R code online

Browse R Packages

CRAN packages Bioconductor packages R-Forge packages GitHub packages

We want your feedback!

Note that we can't provide technical support on individual packages. You should contact the package authors for that.
GitHub issue tracker
ian@mutexlabs.com
Personal blog

 
Embedding an R snippet on your website

Add the following code to your website.

For more information on customizing the embed code, read Embedding Snippets.

Close