All subcommands are:
vaulted version
vaulted help
vaulted encrypt
vaulted decrypt
vaulted rotate
vaulted rekey
vaulted terraform vault ini
vaulted terraform vault migrate
vaulted terraform vault new-resource
vaulted terraform vault rekey
vaulted terraform vault rotate
Shows the version of vaulted
> vaulted version
0.6.0
Shows usage help
> vaulted help
Vault encrypt/decrypt using asymmetric RSA keys and AES

Usage:
  vaulted [flags]
  vaulted [command]

Available Commands:
  decrypt     Decrypt a file/value
  encrypt     Encrypt a file/value
  help        Help about any command
  rekey       Rekey (decrypt and encrypt using different keypair) a file/value
  rotate      Rotate (decrypt and encrypt) a file/value
  terraform   Terraform resources related commands
  version     Print the version of vaulted

Flags:
  -h, --help   help for vaulted

Use "vaulted [command] --help" for more information about a command.
Encrypts input from the --in file or from stdin and writes the result to the --out file or to stdout.
It uses the encrypt flow described in How it works.
> vaulted encrypt \
--public-key-path pubkey.pem \
--in ./my_secrets.raw \
--out ./my_secrets.enc
Decrypts input from the --in file or from stdin and writes the result to the --out file or to stdout.
It uses the decrypt flow described in How it works.
> vaulted decrypt \
--private-key-path privkey.pem \
--in ./my_secrets.enc \
--out ./my_secrets.raw
Rotates input from the --in file or from stdin and writes the result to the --out file or to stdout.
It uses the rotate flow described in How it works.
> vaulted rotate \
--private-key-path privkey.pem \
--public-key-path pubkey.pem \
--in ./my_secrets.enc \
--out ./rotated_my_secrets.enc
Rekeys input from the --in file or from stdin and writes the result to the --out file or to stdout.
Rekeying is the process of decrypting an encrypted payload with the old private key and encrypting it with a new public key (from a new keypair).
It uses the rekey flow described in How it works.
> vaulted rekey \
--old-private-key-path privkey.pem \
--new-public-key-path pubkey.pem \
--in ./my_secrets.enc \
--out ./rekeyed_my_secrets.enc
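One way to check a rekey before the old keypair is retired, as an added example that is not part of the vaulted project. It uses only the flags shown on this page and assumes that vaulted exits non-zero on failure, that decrypt writes to stdout when --out is omitted, that sha256sum is installed, and that the new private key is available to the operator; the function names and file names are hypothetical.

```sh
#!/bin/sh
# plaintext_digest PRIVATE_KEY FILE
# Prints the SHA-256 of the decrypted payload. Plaintext is streamed through a
# pipe and never written to disk.
plaintext_digest() {
    # First pass only checks the exit status, which a POSIX sh pipeline would hide.
    vaulted decrypt --private-key-path "$1" --in "$2" >/dev/null || return 1
    vaulted decrypt --private-key-path "$1" --in "$2" | sha256sum | cut -d' ' -f1
}

# rekey_verified OLD_PRIVATE_KEY NEW_PUBLIC_KEY NEW_PRIVATE_KEY IN OUT
rekey_verified() {
    [ "$#" -eq 5 ] || { echo "usage: rekey_verified OLD_PRIV NEW_PUB NEW_PRIV IN OUT" >&2; return 2; }
    rk_old=$1 rk_pub=$2 rk_new=$3 rk_in=$4 rk_out=$5
    [ ! -e "$rk_out" ] || { echo "refusing to overwrite $rk_out" >&2; return 2; }

    rk_before=$(plaintext_digest "$rk_old" "$rk_in") || {
        echo "old private key cannot decrypt $rk_in" >&2; return 1; }

    vaulted rekey --old-private-key-path "$rk_old" --new-public-key-path "$rk_pub" \
        --in "$rk_in" --out "$rk_out" || return 1

    # The new private key must recover exactly the same plaintext.
    rk_after=$(plaintext_digest "$rk_new" "$rk_out") || rk_after=
    if [ "$rk_before" != "$rk_after" ]; then
        echo "rekeyed file does not decrypt to the original payload" >&2
        rm -f "$rk_out"; return 1
    fi
    # The old private key must no longer open the result; if it does, the "new"
    # public key belongs to the old keypair and nothing was actually rekeyed.
    if vaulted decrypt --private-key-path "$rk_old" --in "$rk_out" >/dev/null 2>&1; then
        echo "old private key still decrypts $rk_out" >&2
        rm -f "$rk_out"; return 1
    fi
}

# Usage (placeholder file names):
#   rekey_verified old-privkey.pem new-pubkey.pem new-privkey.pem my_secrets.enc rekeyed_my_secrets.enc
```

Copies of the original --in file stay decryptable with the old private key, so they have to be removed or replaced everywhere before the old key is treated as retired.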
Converts an INI file to a Terraform file. It uses "future-proof" vaulted_vault_secret Terraform resources.
> vaulted terraform vault ini \
--public-key-path pubkey.pem \
--in ./my_secrets.ini \
--out ./my_secrets.tf
Migrates a Terraform --in file with vault_encrypted_secret resources, generated from legacy ini, to Terraform vaulted_vault_secret resources as you would generate them with terraform vault ini.
If the specified --out file already exists, it is not overwritten; the output is appended to it.
Terraform resources other than vault_encrypted_secret are not modified. They are simply moved to --out.
> vaulted terraform vault migrate \
--public-key-path ./my-pubkey.pem \
--private-key-path ./my-privkey.pem \
--in ./mysecret.tf \
--out ./migrated.tf
Creates a new Terraform vaulted_vault_secret resource with the specified --path and --resource-name (as suffix).
The --in content is encrypted and serialized. The result is a Terraform file at --out.
If the specified --out file already exists, it is not overwritten; the output is appended to it.
> vaulted terraform vault new-resource \
--public-key-path ./my-pubkey.pem \
--in ./mysecret.txt \
--out ./mysecret.tf \
--path secret/example-app/example-key \
--resource-name example_app_example_key
Rekeys an --in Terraform file and writes an --out Terraform file with rekeyed resources.
Rekeying is the process of decrypting an encrypted payload with the old private key and encrypting it with a new public key (from a new keypair).
It uses the rekey flow described in How it works.
If the specified --out file already exists, it is not overwritten; the output is appended to it.
Terraform resources other than vaulted_vault_secret are not modified. They are simply moved to --out.
> vaulted terraform vault rekey \
--new-public-key-path ./my-pubkey.pem \
--old-private-key-path ./my-privkey.pem \
--in new.tf \
--out test.tf
Rotates an --in Terraform file and writes an --out Terraform file with rotated resources.
It uses the rotate flow described in How it works.
If the specified --out file already exists, it is not overwritten; the output is appended to it.
Terraform resources other than vaulted_vault_secret are not modified. They are simply moved to --out.
> vaulted terraform vault rotate \
--public-key-path ./my-pubkey.pem \
--private-key-path ./my-privatekey.pem \
--in ./in.tf \
--out ./out.tf