一、加密解密流程

1.启用 transit 密钥引擎

[root@test132 ~]# vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/
2.创建加密密钥 orders
[root@test132 ~]# vault write -f transit/keys/orders
Success! Data written to: transit/keys/orders
3.创建策略 app-orders（只授予 transit/encrypt/orders 与 transit/decrypt/orders 的 update 权限）
[root@test132 ~]# 

vault policy write app-orders -<<EOF
path "transit/encrypt/orders" {
capabilities = [ "update" ]
}
path "transit/decrypt/orders" {
capabilities = [ "update" ]
}
EOF

 
Success! Uploaded policy: app-orders
4.使用该策略创建 token
[root@test132 ~]# vault token create -policy=app-orders
Key Value
--- -----
token s.Z3zFmqhh45j6XT4FGgSyA9vc
token_accessor 6JMSkVJJT50ecyOLxw8BtAcC
token_duration 768h
token_renewable true
token_policies ["app-orders" "default"]
identity_policies []
policies ["app-orders" "default"]
5.使用此 token 登录
[root@test132 ~]# vault login s.Z3zFmqhh45j6XT4FGgSyA9vc
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
 
Key Value
--- -----
token s.Z3zFmqhh45j6XT4FGgSyA9vc
token_accessor 6JMSkVJJT50ecyOLxw8BtAcC
token_duration 767h58m27s
token_renewable true
token_policies ["app-orders" "default"]
identity_policies []
policies ["app-orders" "default"]
6.加密内容（plaintext 需先经过 base64 编码）

[root@k8s ~]# vault write transit/encrypt/orders plaintext=$(base64 <<< "this is my first test")
Key Value
--- -----
ciphertext vault:v1:AqysJBS71wTmzZknhpVAZVCnNt8LhzfXNNPW3XRrMwz5djNDIzgfa2fTCcyQ1kdgQpU=
key_version 1

7.解密内容（返回的 plaintext 仍是 base64，需再解码；结尾的 Cg== 是第 6 步中 <<< 追加的换行符）

[root@k8s ~]# vault write -force transit/decrypt/orders ciphertext="vault:v1:AqysJBS71wTmzZknhpVAZVCnNt8LhzfXNNPW3XRrMwz5djNDIzgfa2fTCcyQ1kdgQpU="
Key Value
--- -----
plaintext dGhpcyBpcyBteSBmaXJzdCB0ZXN0Cg==
[root@k8s ~]# base64 --decode <<< dGhpcyBpcyBteSBmaXJzdCB0ZXN0Cg==
this is my first test
[root@k8s ~]# echo -n "dGhpcyBpcyBteSBmaXJzdCB0ZXN0Cg==" | base64 -d
this is my first test

参考官网:Encryption as a Service: Transit Secrets Engine | Vault - HashiCorp Learn