// rekeyStatus is used just to fetch and dump the status
func (c *RekeyCommand) rekeyStatus(client *api.Client) int {
// Check the status
status, err := client.Sys().RekeyStatus()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error reading rekey status: %s", err))
return 1
}
// Dump the status
statString := fmt.Sprintf(
"Nonce: %s\n"+
"Started: %v\n"+
"Key Shares: %d\n"+
"Key Threshold: %d\n"+
"Rekey Progress: %d\n"+
"Required Keys: %d",
status.Nonce,
status.Started,
status.N,
status.T,
status.Progress,
status.Required,
)
if len(status.PGPFingerprints) != 0 {
statString = fmt.Sprintf("\nPGP Key Fingerprints: %s", status.PGPFingerprints)
statString = fmt.Sprintf("\nBackup Storage: %t", status.Backup)
}
c.Ui.Output(statString)
return 0
}
// cancelRekey is used to abort the rekey process
func (c *RekeyCommand) cancelRekey(client *api.Client) int {
err := client.Sys().RekeyCancel()
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to cancel rekey: %s", err))
return 1
}
c.Ui.Output("Rekey canceled.")
return 0
}
// cancelGenerateRoot is used to abort the generation process
func (c *GenerateRootCommand) cancelGenerateRoot(client *api.Client) int {
err := client.Sys().GenerateRootCancel()
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to cancel root generation: %s", err))
return 1
}
c.Ui.Output("Root generation canceled.")
return 0
}
func (c *RekeyCommand) rekeyDeleteStored(client *api.Client) int {
err := client.Sys().RekeyDeleteStored()
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to delete stored keys: %s", err))
return 1
}
c.Ui.Output("Stored keys deleted.")
return 0
}
// rekeyStatus is used just to fetch and dump the status
func (c *RekeyCommand) rekeyStatus(client *api.Client) int {
// Check the status
status, err := client.Sys().RekeyStatus()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error reading rekey status: %s", err))
return 1
}
return c.dumpRekeyStatus(status)
}
// initGenerateRoot is used to start the generation process
func (c *GenerateRootCommand) initGenerateRoot(client *api.Client, otp string, pgpKey string) int {
// Start the rekey
err := client.Sys().GenerateRootInit(otp, pgpKey)
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing root generation: %s", err))
return 1
}
// Provide the current status
return c.rootGenerationStatus(client)
}
// rootGenerationStatus is used just to fetch and dump the status
func (c *GenerateRootCommand) rootGenerationStatus(client *api.Client) int {
// Check the status
status, err := client.Sys().GenerateRootStatus()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error reading root generation status: %s", err))
return 1
}
c.dumpStatus(status)
return 0
}
// initGenerateRoot is used to start the generation process
func (c *GenerateRootCommand) initGenerateRoot(client *api.Client, otp string, pgpKey string) int {
// Start the rekey
status, err := client.Sys().GenerateRootInit(otp, pgpKey)
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing root generation: %s", err))
return 1
}
c.dumpStatus(status)
return 0
}
func initializeNewVault(vc *vault.Client) *vault.InitResponse {
log.Info("Initialize fresh vault")
vaultInit := &vault.InitRequest{
SecretShares: 1,
SecretThreshold: 1,
}
initResponse, err := vc.Sys().Init(vaultInit)
fatal(err)
return initResponse
}
func (c *RekeyCommand) rekeyRetrieveStored(client *api.Client) int {
storedKeys, err := client.Sys().RekeyRetrieveStored()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error retrieving stored keys: %s", err))
return 1
}
secret := &api.Secret{
Data: structs.New(storedKeys).Map(),
}
return OutputSecret(c.Ui, "table", secret)
}
// cancelRekey is used to abort the rekey process
func (c *RekeyCommand) cancelRekey(client *api.Client, recovery bool) int {
var err error
if recovery {
err = client.Sys().RekeyRecoveryKeyCancel()
} else {
err = client.Sys().RekeyCancel()
}
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to cancel rekey: %s", err))
return 1
}
c.Ui.Output("Rekey canceled.")
return 0
}
// initRekey is used to start the rekey process
func (c *RekeyCommand) initRekey(client *api.Client, shares, threshold int) int {
// Start the rekey
err := client.Sys().RekeyInit(&api.RekeyInitRequest{
SecretShares: shares,
SecretThreshold: threshold,
})
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing rekey: %s", err))
return 1
}
// Provide the current status
return c.rekeyStatus(client)
}
func (c *RekeyCommand) rekeyDeleteStored(client *api.Client, recovery bool) int {
var err error
if recovery {
err = client.Sys().RekeyDeleteRecoveryBackup()
} else {
err = client.Sys().RekeyDeleteBackup()
}
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to delete stored keys: %s", err))
return 1
}
c.Ui.Output("Stored keys deleted.")
return 0
}
func (c *InitCommand) checkStatus(client *api.Client) int {
inited, err := client.Sys().InitStatus()
switch {
case err != nil:
c.Ui.Error(fmt.Sprintf(
"Error checking initialization status: %s", err))
return 1
case inited:
c.Ui.Output("Vault has been initialized")
return 0
default:
c.Ui.Output("Vault is not initialized")
return 2
}
}
// rekeyStatus is used just to fetch and dump the status
func (c *RekeyCommand) rekeyStatus(client *api.Client, recovery bool) int {
// Check the status
var status *api.RekeyStatusResponse
var err error
if recovery {
status, err = client.Sys().RekeyRecoveryKeyStatus()
} else {
status, err = client.Sys().RekeyStatus()
}
if err != nil {
c.Ui.Error(fmt.Sprintf("Error reading rekey status: %s", err))
return 1
}
return c.dumpRekeyStatus(status)
}
// initRekey is used to start the rekey process
func (c *RekeyCommand) initRekey(client *api.Client,
shares, threshold int,
pgpKeys pgpkeys.PubKeyFilesFlag,
backup, recoveryKey bool) int {
// Start the rekey
request := &api.RekeyInitRequest{
SecretShares: shares,
SecretThreshold: threshold,
PGPKeys: pgpKeys,
Backup: backup,
}
var status *api.RekeyStatusResponse
var err error
if recoveryKey {
status, err = client.Sys().RekeyRecoveryKeyInit(request)
} else {
status, err = client.Sys().RekeyInit(request)
}
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing rekey: %s", err))
return 1
}
if pgpKeys == nil || len(pgpKeys) == 0 {
c.Ui.Output(`
WARNING: If you lose the keys after they are returned to you, there is no
recovery. Consider using the '-pgp-keys' option to protect the returned unseal
keys along with '-backup=true' to allow recovery of the encrypted keys in case
of emergency. They can easily be deleted at a later time with
'vault rekey -delete'.
`)
}
if pgpKeys != nil && len(pgpKeys) > 0 && !backup {
c.Ui.Output(`
WARNING: You are using PGP keys for encryption, but have not set the option to
back up the new unseal keys to physical storage. If you lose the keys after
they are returned to you, there is no recovery. Consider setting '-backup=true'
to allow recovery of the encrypted keys in case of emergency. They can easily
be deleted at a later time with 'vault rekey -delete'.
`)
}
// Provide the current status
return c.dumpRekeyStatus(status)
}
// initRekey is used to start the rekey process
func (c *RekeyCommand) initRekey(client *api.Client,
shares, threshold int,
pgpKeys pgpkeys.PubKeyFilesFlag,
backup bool) int {
// Start the rekey
err := client.Sys().RekeyInit(&api.RekeyInitRequest{
SecretShares: shares,
SecretThreshold: threshold,
PGPKeys: pgpKeys,
Backup: backup,
})
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing rekey: %s", err))
return 1
}
// Provide the current status
return c.rekeyStatus(client)
}
func (c *RekeyCommand) rekeyRetrieveStored(client *api.Client, recovery bool) int {
var storedKeys *api.RekeyRetrieveResponse
var err error
if recovery {
storedKeys, err = client.Sys().RekeyRetrieveRecoveryBackup()
} else {
storedKeys, err = client.Sys().RekeyRetrieveBackup()
}
if err != nil {
c.Ui.Error(fmt.Sprintf("Error retrieving stored keys: %s", err))
return 1
}
secret := &api.Secret{
Data: structs.New(storedKeys).Map(),
}
return OutputSecret(c.Ui, "table", secret)
}
// rekeyStatus is used just to fetch and dump the status
func (c *RekeyCommand) rekeyStatus(client *api.Client) int {
// Check the status
status, err := client.Sys().RekeyStatus()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error reading rekey status: %s", err))
return 1
}
// Dump the status
c.Ui.Output(fmt.Sprintf(
"Started: %v\n"+
"Key Shares: %d\n"+
"Key Threshold: %d\n"+
"Rekey Progress: %d\n"+
"Required Keys: %d",
status.Started,
status.N,
status.T,
status.Progress,
status.Required,
))
return 0
}
func unsealVault(vc *vault.Client, initResponse *vault.InitResponse) string {
log.Info("Unseal vault")
_, err := vc.Sys().Unseal(initResponse.Keys[0])
fatal(err)
return initResponse.RootToken
}