@stenio123
Created October 12, 2018 15:44
Share single use secret stored in Vault

Cubbyhole Single Use Secret

By leveraging the Cubbyhole secret engine, we can store a secret that only one token can retrieve: the cubbyhole is scoped to the token itself, not to a policy, so no other token (including root) can read it. Once that token expires or is revoked, the secret is gone with it. When creating the token, you can limit the number of uses; every request made with the token counts as a use, so a use limit of 2 is exactly one write plus one read.

# Create the token that will be shared. Use 1 writes the secret, use 2 reads it, then the token is revoked.
vault token create -use-limit=2 -policy=default -metadata="name=stenio"
# Output includes the new token: <TOKEN>

# Write to this token's cubbyhole, regardless of which VAULT_TOKEN you are using right now
VAULT_TOKEN=<TOKEN> vault write cubbyhole/mysecret value=ThisIsASecret!

# Validate that no one else can read this cubbyhole secret (not even root!)
# Run with your own token: it reads your own (empty) cubbyhole and does not consume a use of <TOKEN>
vault read cubbyhole/mysecret

# The recipient can read the secret once
VAULT_TOKEN=<TOKEN> vault read cubbyhole/mysecret

# The second and any subsequent read fails: the use limit is exhausted and the token no longer exists
VAULT_TOKEN=<TOKEN> vault read cubbyhole/mysecret

# After the second use the token is revoked and its cubbyhole, including the secret, is deleted automatically.
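The same hand-off, scripted against Vault's HTTP API instead of the CLI, as an added example that is not part of the original gist. The endpoints and JSON fields used (`auth/token/create` with `num_uses`, `policies` and `meta`; `cubbyhole/<path>` for write and read; the `X-Vault-Token` header) are Vault's real API. `http_request` talks to a live server taken from the `VAULT_ADDR` and `VAULT_TOKEN` environment variables; `FakeVault` is a constructed in-memory stand-in that models only the two behaviours the flow depends on (each authenticated request consumes a use, and a cubbyhole is private to its token), so the sequence can be exercised offline. Token values such as `s.fake1` are made up by the fake.

```python
"""One-time secret hand-off via Vault's cubbyhole, driven through the HTTP API.

Added example (not from the gist). Assumes a Vault server at VAULT_ADDR and a
VAULT_TOKEN that may create child tokens. FakeVault is a constructed model for
offline runs; it is not Vault.
"""
import json
import os
import urllib.error
import urllib.request


class VaultError(Exception):
    """Raised for any non-2xx response (permission denied, not found, ...)."""


def http_request(addr, token, method, path, body=None):
    """Minimal transport for Vault's HTTP API using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    except urllib.error.HTTPError as e:
        raise VaultError(f"{e.code} on {method} {path}: {e.read().decode()}") from e


class FakeVault:
    """Constructed offline stand-in. Models: every request made with a token
    consumes one use (None = unlimited), a token whose uses hit zero is removed
    together with its cubbyhole, and a cubbyhole is visible only to its token."""

    def __init__(self):
        self.tokens = {"root": {"uses": None, "cubbyhole": {}}}
        self.counter = 0

    def request(self, addr, token, method, path, body=None):
        tok = self.tokens.get(token)
        if tok is None:
            raise VaultError("403 permission denied")  # unknown or used-up token
        if tok["uses"] is not None:
            tok["uses"] -= 1
            if tok["uses"] == 0:
                del self.tokens[token]  # last use: serve this request, then forget it
        if method == "POST" and path == "auth/token/create":
            self.counter += 1
            new = f"s.fake{self.counter}"  # constructed token value
            self.tokens[new] = {"uses": body.get("num_uses") or None, "cubbyhole": {}}
            return {"auth": {"client_token": new}}
        if path.startswith("cubbyhole/"):
            key = path[len("cubbyhole/"):]
            if method == "POST":
                tok["cubbyhole"][key] = dict(body)
                return {}
            if key not in tok["cubbyhole"]:
                raise VaultError("404 not found")  # other tokens' cubbyholes are invisible
            return {"data": tok["cubbyhole"][key]}
        raise VaultError(f"404 unsupported path {path}")


def share_secret(transport, addr, admin_token, path, secret, owner_name):
    """Create a two-use token and park the secret in its cubbyhole.
    Use 1 is the write performed here; use 2 is the recipient's single read."""
    resp = transport(addr, admin_token, "POST", "auth/token/create",
                     {"num_uses": 2, "policies": ["default"], "meta": {"name": owner_name}})
    shared = resp["auth"]["client_token"]
    transport(addr, shared, "POST", f"cubbyhole/{path}", {"value": secret})
    return shared


def retrieve_secret(transport, addr, shared, path):
    """The recipient's one read; any later call raises VaultError."""
    return transport(addr, shared, "GET", f"cubbyhole/{path}")["data"]["value"]


def demo(transport=None, addr=None, admin_token=None):
    """Run the gist's sequence and report what each step yielded."""
    if transport is None:  # live mode against a real server
        transport = http_request
        addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
        admin_token = admin_token or os.environ["VAULT_TOKEN"]
    shared = share_secret(transport, addr, admin_token, "mysecret", "ThisIsASecret!", "stenio")
    result = {"token": shared}
    try:  # the admin's own cubbyhole does not contain the recipient's secret
        transport(addr, admin_token, "GET", "cubbyhole/mysecret")
        result["admin_can_read"] = True
    except VaultError:
        result["admin_can_read"] = False
    result["first_read"] = retrieve_secret(transport, addr, shared, "mysecret")
    try:
        retrieve_secret(transport, addr, shared, "mysecret")
        result["second_read_failed"] = False
    except VaultError:
        result["second_read_failed"] = True
    return result


if __name__ == "__main__":
    print(demo(FakeVault().request, "http://fake", "root"))
```

Run it with no arguments against a real server (it reads `VAULT_ADDR` and `VAULT_TOKEN`), or pass `FakeVault().request` as the transport to step through the semantics offline. The important design point is in `share_secret`: the token's second use is spent by whoever reads first, so the recipient learns immediately if someone else consumed the secret before them, which is exactly the property the one-time read is meant to give.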

An open source community project applies the same concept behind a web UI: https://blog.algolia.com/secure-tool-for-one-time-self-destructing-messages/
