How to use the command 'safe' (with examples)

The ‘safe’ command is used to interact with HashiCorp Vault, which is a popular tool for managing secrets and sensitive data. With the ‘safe’ command, you can perform various operations such as setting and retrieving secrets, generating SSH keys, and managing the Vault environment. This article will provide examples of each of these use cases to help you understand how to use the ‘safe’ command effectively.

Use case 1: Adding a safe target

Code:

safe target vault_addr target_name

Motivation: Adding a safe target allows you to specify a Vault server and assign it a friendly name, making it easier to interact with the server.

Explanation:

  • vault_addr: The address of the Vault server.
  • target_name: A friendly name to assign to the target.

Example output:

Successfully added target "my_vault" with address "https://vault.example.com".

Use case 2: Authenticating the CLI client

Code:

safe auth authentication_token

Motivation: Authenticating the CLI client against the Vault server is necessary to perform any operation that requires access to secrets or sensitive data.

Explanation:

  • authentication_token: The authentication token generated by the Vault server.

Example output:

Successfully authenticated.

Use case 3: Printing the environment variables

Code:

safe env

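Motivation: Printing the environment variables for the current target shows which Vault server and token the CLI is using, which makes troubleshooting easier. The output includes the authentication token, so treat it as a secret and redact it before sharing the output.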

Explanation: This command does not require any arguments.

Example output:

HYDRA_TARGET=my_vault
HYDRA_ADDR=https://vault.example.com
HYDRA_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Use case 4: Displaying a tree hierarchy

Code:

safe tree path

Motivation: Displaying a tree hierarchy of all reachable keys for a given path provides a structured overview of the available secrets.

Explanation:

  • path: The path to the secrets in Vault.

Example output:

path/to/secret/
  ├── key1
  ├── key2
  └── subfolder/
      └── nested_key

Use case 5: Moving a secret

Code:

safe move old/path/to/secret new/path/to/secret

Motivation: Moving a secret from one path to another can help in organizing and managing secrets in Vault.

Explanation:

  • old/path/to/secret: The current path of the secret.
  • new/path/to/secret: The new desired path for the secret.

Example output:

Successfully moved secret from "old/path/to/secret" to "new/path/to/secret".

Use case 6: Generating an SSH key-pair

Code:

safe ssh 2048 path/to/secret

Motivation: Generating an SSH key-pair and storing it in Vault provides a centralized location for managing SSH access.

Explanation:

  • 2048: The desired key size in bits.
  • path/to/secret: The path in Vault to store the generated key-pair.

Example output:

Successfully generated and stored a 2048-bit SSH key-pair at "path/to/secret".

Use case 7: Setting non-sensitive keys

Code:

safe set path/to/secret key=value

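Motivation: Setting non-sensitive keys for a secret allows storing additional metadata or descriptive information. Because the value is typed as a command-line argument, it is recorded in shell history and is visible in the process list while the command runs, so this form suits non-sensitive values only.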

Explanation:

  • path/to/secret: The path of the secret in Vault.
  • key=value: The key-value pair to set for the secret.

Example output:

Successfully set key "my_key" with value "my_value" for secret at "path/to/secret".
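
The following is an added example, not part of the original article or of the safe project: a shell function that audits a history file for 'safe set path key=value' commands whose key name looks sensitive, since those values were typed on the command line. The key-name list, the function names and the sample history lines are assumptions made for illustration.

```shell
#!/bin/sh
# Key-name fragments treated as sensitive (assumption; extend as needed).
SENSITIVE_KEYS='pass|secret|token|apikey|api_key|private'

# audit_safe_history FILE
# Prints "LINE:PATH:KEY" for every key=value argument of a `safe set`
# command whose KEY matches SENSITIVE_KEYS. The value is never printed.
audit_safe_history() {
    awk -v pat="$SENSITIVE_KEYS" '
    {
        # Strip a zsh extended-history prefix such as ": 1700000000:0;"
        sub(/^: [0-9]+:[0-9]+;/, "")
        for (i = 1; i < NF; i++) {
            if ($i == "safe" && $(i + 1) == "set") {
                path = $(i + 2)
                for (j = i + 3; j <= NF; j++) {
                    eq = index($j, "=")
                    if (eq <= 1) continue          # not a key=value argument
                    key = substr($j, 1, eq - 1)
                    if (tolower(key) ~ pat)
                        printf "%d:%s:%s\n", NR, path, key
                }
                break
            }
        }
    }' "$1"
}

# Constructed sample history lines (not taken from a real system).
sample_history() {
    cat <<'EOF'
safe target https://vault.example.com my_vault
safe set secret/app owner=platform-team
safe set secret/app db_password=constructed-value-1 region=eu
: 1700000000:0;safe set secret/ci API_TOKEN=constructed-value-2
safe gen secret/app password
EOF
}

tmp=$(mktemp)
sample_history > "$tmp"
audit_safe_history "$tmp"
rm -f "$tmp"
```

Any path and key it reports identifies a secret whose value should be rotated and whose history entry should be removed.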

Use case 8: Setting auto-generated password

Code:

safe gen path/to/secret key

Motivation: Setting an auto-generated password for a secret enables easy and secure password management.

Explanation:

  • path/to/secret: The path in Vault to store the auto-generated password.
  • key: The key under which the password will be stored.

Example output:

Successfully generated and set an auto-generated password for key "my_password" in secret at "path/to/secret".

Conclusion

The ‘safe’ command provides a convenient and efficient way to interact with HashiCorp Vault. By following the examples provided in this article, you can easily perform various operations such as managing secrets, generating SSH keys, and organizing your Vault environment. Experimenting with different use cases will help you become more comfortable and proficient with the ‘safe’ command, enabling you to effectively manage and secure your secrets and sensitive data.
