DEV Community

Frederick Ollinger
Frederick Ollinger

Posted on • Edited on

Put an SSH Key into Hashicorp Vault

This article assumes that you have set up a minimum vault: https://dev.to/frederickollinger/production-hashicorp-vault-minimal-configuration-485a

What is a Secrets Engine

A secrets engine is a place to keep secrets. There are a number secrets backend for various reasons. For example, there is a backend for SSL certificates and one of SSH certificates.

Enable the SSH Secrets Engine

This is a one time operation that the admin must do when setting up a new Vault instance:

vault secrets enable ssh
Enter fullscreen mode Exit fullscreen mode

If

Put Existing SSH Key into Vault

Assuming we have an ssh key named fileserver.pem, put it into the vault like so:

vault write ssh/keys/fileserver key=@fileserver.pem
Enter fullscreen mode Exit fullscreen mode

Create a public key:

vault write ssh/config/ca generate_signing_key=true
Enter fullscreen mode Exit fullscreen mode

If you forget the public key, you can read it later:

vault read -field=public_key ssh-user-ca/config/ca
Enter fullscreen mode Exit fullscreen mode

Fin

That's all that's needed to get a key into Vault.

Sometimes things are easier than we imagine if we only have a good guide.

References

I relied heavily on this excellent post, and I suggest that you read it: https://brian-candler.medium.com/using-hashicorp-vault-as-an-ssh-certificate-authority-14d713673c9a

Top comments (0)