vault_client_operator | R Documentation |
Vault Administration
Administration commands for vault operators. Very few of these commands should be used without consulting the vault documentation as they affect the administration of a vault server, but they are included here for completeness.
vaultr::vault_client_object -> vault_client_operator
new()
Create a vault_client_operator object. Not typically called by users.
vault_client_operator$new(api_client)
api_client
A vault_api_client object
key_status()
Return information about the current encryption key of Vault.
vault_client_operator$key_status()
is_initialized()
Returns the initialization status of Vault
vault_client_operator$is_initialized()
init()
This endpoint initializes a new Vault. The Vault must not have been previously initialized.
vault_client_operator$init(secret_shares, secret_threshold)
secret_shares
Integer, specifying the number of shares to split the master key into
secret_threshold
Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares
leader_status()
Check the high availability status and current leader of Vault
vault_client_operator$leader_status()
rekey_status()
Reads the configuration and progress of the current rekey attempt
vault_client_operator$rekey_status()
rekey_start()
This method begins a new rekey attempt. Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires cancelling and starting a new rekey, which will also provide a new nonce.
vault_client_operator$rekey_start(secret_shares, secret_threshold)
secret_shares
Integer, specifying the number of shares to split the master key into
secret_threshold
Integer, specifying the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares
rekey_cancel()
This method cancels any in-progress rekey. This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note verification is still a part of a rekey. If rekeying is cancelled during the verification flow, the current unseal keys remain valid.
vault_client_operator$rekey_cancel()
rekey_submit()
This method is used to enter a single master key share to progress the rekey of the Vault. If the threshold number of master key shares is reached, Vault will complete the rekey. Otherwise, this method must be called multiple times until that threshold is met. The nonce of the rekey operation must be provided with each call.
vault_client_operator$rekey_submit(key, nonce)
key
Specifies a single master share key (a string)
nonce
Specifies the nonce of the rekey operation (a string)
rotate()
This method triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, and is not provided to operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption keys.
vault_client_operator$rotate()
seal()
Seal the vault, preventing any access to it. After the vault is sealed, it must be unsealed for further use.
vault_client_operator$seal()
seal_status()
Check the seal status of a Vault. This method can be used even when the client is not authenticated with the vault (which will be the case for a sealed vault).
vault_client_operator$seal_status()
unseal()
Submit a portion of a key to unseal the vault. This method is typically called by multiple different operators to assemble the master key.
vault_client_operator$unseal(key, reset = FALSE)
key
The master key share
reset
Logical, indicating if the unseal process should be started again.
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  # Our test server is by default unsealed:
  client$status()$sealed

  # We can seal the vault to prevent all access:
  client$operator$seal()
  client$status()$sealed

  # And then unseal it again
  client$operator$unseal(server$keys)
  client$status()$sealed
}
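An added example (not part of the vaultr documentation) that carries rekey_start(), rekey_submit(), seal(), unseal() and seal_status() through one threshold workflow against the test server. It assumes the test server's current unseal key(s) are in server$keys and that the returned lists expose the fields started, nonce, complete, keys, sealed and progress from Vault's HTTP API responses.

```r
# Added example; field names on returned lists are assumptions (see lead-in).
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()
  op <- client$operator

  # Only one rekey attempt can be active at a time.
  if (isTRUE(op$rekey_status()$started)) {
    stop("a rekey is already in progress; call rekey_cancel() first")
  }

  # Rekey to 5 shares, any 3 of which reconstruct the master key.
  attempt <- op$rekey_start(secret_shares = 5L, secret_threshold = 3L)

  # Each current share must be submitted with the nonce of this attempt.
  result <- NULL
  for (share in server$keys) {
    result <- op$rekey_submit(share, attempt$nonce)
    if (isTRUE(result$complete)) break
  }
  if (!isTRUE(result$complete)) {
    op$rekey_cancel()  # clears progress; the current unseal keys stay valid
    stop("not enough current key shares to complete the rekey")
  }

  # In production each new share goes to a different operator and is never
  # written to logs; it is held in one variable here only for the demo.
  new_shares <- result$keys

  # Seal, then submit new shares one at a time until the threshold is met.
  op$seal()
  for (share in new_shares) {
    op$unseal(share)
    status <- op$seal_status()  # works without authentication
    message(sprintf("sealed: %s, progress: %d", status$sealed, status$progress))
    if (!isTRUE(status$sealed)) break
  }
  stopifnot(!client$status()$sealed)
}
```

The old value of server$keys no longer unseals this server once the rekey completes.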