Commit bd429e8

Merge pull request #295 from nodevault/copilot/how-to-unseal-a-vault
Add unseal example and docs for already-initialized vaults
2 parents c62849a + c8d9a5e commit bd429e8

3 files changed

+56
-2
lines changed

README.md

Lines changed: 38 additions & 0 deletions
@@ -86,6 +86,44 @@ vault.init({ secret_shares: 1, secret_threshold: 1 })
8686
.catch(console.error);
8787
```
8888

89+
### Unseal a vault that is already initialized
90+
91+
If the vault server has been restarted or sealed, you can unseal it using
92+
the unseal keys from the original initialization. If the vault was initialized
93+
with `secret_threshold > 1`, you must call `unseal` multiple times with
94+
different keys until the threshold is met.
95+
96+
```javascript
97+
const vault = require('node-vault')({
98+
apiVersion: 'v1',
99+
endpoint: 'http://127.0.0.1:8200',
100+
});
101+
102+
// unseal vault server with a single key
103+
vault.unseal({ key: 'my-unseal-key' })
104+
.then(console.log)
105+
.catch(console.error);
106+
```
107+
108+
When the vault requires multiple unseal keys (threshold > 1):
109+
110+
```javascript
111+
vault.unseal({ key: 'first-unseal-key' })
112+
.then((result) => {
113+
// result.sealed will be true until enough keys are provided
114+
console.log('Sealed:', result.sealed);
115+
console.log('Progress:', result.progress + '/' + result.t);
116+
return vault.unseal({ key: 'second-unseal-key' });
117+
})
118+
.then((result) => {
119+
// once the threshold is met, sealed will be false
120+
console.log('Sealed:', result.sealed);
121+
})
122+
.catch(console.error);
123+
```
124+
125+
See [example/unseal.js](example/unseal.js) for a working example.
126+
89127
### Write, read, update and delete secrets
90128

91129
```javascript
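Review bot: In the first added README snippet, `vault.unseal({ key: 'my-unseal-key' })` passes the unseal key as a string literal, while example/unseal.js in this same commit reads it from `process.env.UNSEAL_KEY`. README snippets get copied verbatim, so the README should also take the key from the environment or another input outside the source file, which keeps real unseal keys out of committed code. In the threshold example the chain is fixed at two keys and the second `.then` only logs `result.sealed`; consider stating that callers should keep submitting keys until `result.sealed` is false rather than assuming two calls are enough.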

example/unseal.js

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
// file: example/unseal.js
2+
3+
process.env.DEBUG = 'node-vault'; // switch on debug mode
4+
5+
const vault = require('./../src/index')();
6+
7+
// Unseal a vault server that is already initialized.
8+
// Provide one of the unseal keys from the init response.
9+
// If the vault was initialized with secret_threshold > 1,
10+
// you must call unseal multiple times with different keys
11+
// until the threshold is met.
12+
const key = process.env.UNSEAL_KEY;
13+
14+
vault.unseal({ key })
15+
.then(console.log)
16+
.catch((err) => console.error(err.message));
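Review bot: `const key = process.env.UNSEAL_KEY;` is passed straight to `vault.unseal({ key })` with no check that the variable is set, so running the example without it sends the request without a usable key and the user only sees whatever error comes back. Suggest failing early with a short usage message and a non-zero exit when `UNSEAL_KEY` is empty. Also, line 3 sets `process.env.DEBUG = 'node-vault'` in a script whose request carries the unseal key: please confirm the debug output does not include the request body, or drop debug mode from this example.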

package-lock.json

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default.
