@ cadayton
2025-04-28 16:29:23 #security #vault #veracrypt #powershell
VaultApi a self-host method for securing data
VaultApi depends on both HashiCorp Vault and VeraCrypt to work its magic.
HashiCorp Vault and KeePassXC are the primary password manager applications that I'm using currently, and for the most part the entries in each should mirror each other. The functional difference between the two is that KeePassXC has a graphical interface. While HashiCorp Vault has a web interface, the key feature VaultApi makes use of is the REST API, which it uses to perform ACID operations on secured data for automation purposes.
The vault keys and root token associated with HashiCorp Vault are stored in an encrypted file that is kept in cold storage. Prior to starting the HashiCorp Vault server, the cold storage file is mounted on the system using VeraCrypt.
Also, this implementation is on my non-routed network, primarily used by my Linux systems, but any OS supporting PowerShell on the non-routed network should be able to access the Vault as a client.
Additionally, the Vault is only run on an on-demand basis.
The startup process is as follows:
```
VaultApi start
VaultApi unseal
VaultApi login
VaultApi KeyPaths
```
The command VaultApi KeyPaths dumps a list of key paths to a local file to make finding key paths simpler.
The path lookup process is as follows:
```
VaultApi FindPaths Vehicle
```
This command returns a list of paths matching the specified value of Vehicle.
```
VaultApi FindPaths Vehicle
kv1/Vehicle/1995-Mustang-GT500
kv1/Vehicle/2003-DodgeViper
kv1/Vehicle/2012-Nissan
kv1/Vehicle/2016-Telsa
```
To look up all the keys associated with a given path:
```
VaultApi kv1Read kv1/Vehicle/2012-Nissan -kvkey _ReturnKeys
plate
VIN
```
To return a value associated with a key of a given path to the clipboard:
```
VaultApi kv1Read kv1/Vehicle/2012-Nissan -kvkey plate
```
If the -raw option is included, the value will be returned to the console.
To add a new key/value pair to an existing path:
```
VaultApi kv1Update kv1/Vehicle/2012-Nissan 21000000 -kvkey mileage
```
To add a new path and key/value pair:
```
VaultApi kv1Create kv1/Vehicle/2025-Lambo Bitcoin -kvkey plate
```
To list the 2nd level path names:
```
# Default level 1 path name is "kv1"
VaultApi kv1list
```
To list 3rd level path names:
```
VaultApi kv1list kv1/Vehicle
```
To delete a **path** and its associated key/value pairs:
```
VaultApi kv1Delete kv1/Vehicle/2012-Nissan
```
To delete just a single key/value pair for a given path, use the HashiCorp Vault web interface.
To launch the **HashiCorp Vault** web interface:
```
VaultApi WebUI
```
To return status information about the **Vault**:
```
VaultApi status
sealed initialized version n t
False  True        1.15.6  5 3
```
To return process information about the **Vault**:
```
VaultApi Check
Hashicorp Vault (v1.15.6) is running...116147
```
To show the hash value of the VaultApi script:
```
VaultApi ShowHash
3D47628ECB3FA0E7DBD28BA7606CE5BF
```
To return a 20 character randomized value to the clipboard:
```
VaultApi SetValue
```
To create a backup of the HashiCorp Vault:
```
# Must be logged in with the root token.
VaultApi Backup
# A snapshot file will be created in the $HOME/Downloads directory by default.
```
To stop the HashiCorp Vault server:
```
VaultApi seal
The vault is sealed.
VaultApi stop
The server is stopped.
```
To get help information about VaultApi:
```
Get-Help VaultApi -Full | more
# OR
Get-Help VaultApi -Examples | more
```
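One way the kv1Read and status behaviour shown earlier can be implemented against Vault's REST API. This is an added example, not VaultApi's own code: the function names Read-Kv1 and Select-Kv1Value are hypothetical, and it assumes a KV version 1 engine mounted at kv1 plus the standard VAULT_ADDR and VAULT_TOKEN environment variables.

```powershell
# Added example, not VaultApi source. Assumes a KV version 1 engine mounted at "kv1"
# and the standard VAULT_ADDR / VAULT_TOKEN environment variables.
function Select-Kv1Value {
    # Picks one key out of a KV v1 read response; "_ReturnKeys" lists key names only.
    param([Parameter(Mandatory)] $Response, [Parameter(Mandatory)] [string] $KvKey)
    $data = $Response.data
    if ($null -eq $data) { throw 'Response carries no data object.' }
    if ($KvKey -eq '_ReturnKeys') { return $data.PSObject.Properties.Name }
    $prop = $data.PSObject.Properties[$KvKey]
    if ($null -eq $prop) { throw "Key '$KvKey' not found at this path." }
    return $prop.Value
}

function Read-Kv1 {
    param([Parameter(Mandatory)] [string] $Path,
          [Parameter(Mandatory)] [string] $KvKey,
          [switch] $Raw)
    $addr = if ($env:VAULT_ADDR) { $env:VAULT_ADDR.TrimEnd('/') } else { 'http://127.0.0.1:8200' }
    # sys/seal-status needs no token and reports sealed, initialized, version, n and t.
    $seal = Invoke-RestMethod -Method Get -Uri "$addr/v1/sys/seal-status"
    if ($seal.sealed) { throw 'Vault is sealed; unseal it before reading.' }
    # KV v1 read: GET /v1/<mount>/<path>, authenticated with the X-Vault-Token header.
    $headers = @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
    $resp = Invoke-RestMethod -Method Get -Uri "$addr/v1/$Path" -Headers $headers
    $value = Select-Kv1Value -Response $resp -KvKey $KvKey
    if ($Raw -or $KvKey -eq '_ReturnKeys') { return $value }
    Set-Clipboard -Value $value   # keeps the secret out of console scrollback and transcripts
}

# Offline check against a constructed response (values are made up).
$sample = '{"data":{"plate":"SAMPLE-123","VIN":"SAMPLEVIN0000001"}}' | ConvertFrom-Json
Select-Kv1Value -Response $sample -KvKey '_ReturnKeys'
Select-Kv1Value -Response $sample -KvKey 'plate'
```

With a running, unsealed Vault, `Read-Kv1 kv1/Vehicle/2012-Nissan -KvKey plate -Raw` prints the value instead of copying it to the clipboard.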
Here are some past articles I wrote about setting up HashiCorp Vault and VeraCrypt.
Bitcoin and key/value using Hashicorp Vault
Bitcoin and Cold Storage using VeraCrypt
More information on VaultApi.