$ vault key-status
Key Term: 1
Installation Time: 2015-07-14 20:46:31 +1000 AEST
$ vault rotate
Key Term: 2
Installation Time: 2015-07-14 20:46:36 +1000 AEST
$ vault key-status
Key Term: 2
Installation Time: 2015-07-14 20:46:36 +1000 AEST

$ vault rekey -init
Started: true
Key Shares: 5
Key Threshold: 3
Rekey Progress: 0
Required Keys: 1
$ vault rekey
Rekey already in progress
Key Shares: 5
Key Threshold: 3
Key (will be hidden):
Key 1: 9de4b5732ad06ca5c982ebc189d100763e0dfa88afc44ebfe2d707237cde17c001
Key 2: 54cc5de89f2731e46eaac690b3b017fa6173acab9375285bfb360c6b6c6bc15902
Key 3: 2f216b05195ae4b454f98c23ed0aa9a966cb4e187f54a71a1253ab975b0f1d6403
Key 4: 9288da985a7956255b7e8ee75220e27fcaa0dc99b4bb953314822aeb3a674dfb04
Key 5: e965ec75dc048375612dc4540c9a5c2ccd183e2a589a1a72fde78d170d0391c605
Vault rekeyed with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.

$ vault write pki/issue/common common_name=www.hashicorp.com
Key Value
lease_id pki/issue/common/819393b5-e1a1-9efd-b72f-4dc3a1972e31
lease_duration 259200
lease_renewable false
certificate -----BEGIN CERTIFICATE-----
MIIECDCCAvKgAwIBAgIUXmLrLkTdBIOOIYg2/BXO7docKfUwCwYJKoZIhvcNAQEL
...
az3gfwlOqVTdgi/ZVAtIzhSEJ0OY136bq4NOaw==
-----END CERTIFICATE-----
issuing_ca -----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
...
-----END CERTIFICATE-----
private_key -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0cczc7Y2yIu7aD/IaDi23Io+tvvDS9XaXXDUFW1kqd58P83r
...
3xhCNnZ3CMQaM2I48sloVK/XoikMLb5MZwOUQn/V+TrhWP4Lu7qD
-----END RSA PRIVATE KEY-----
serial 5e:62:eb:2e:44:dd:04:83:8e:21:88:36:fc:15:ce:ed:da:1c:29:f5

$ vault write transit/keys/foo derived=true
Success! Data written to: transit/keys/foo
$ CTX=`echo -n foo | base64`
$ vault write transit/encrypt/foo context=$CTX plaintext=`echo -n bar | base64`
Key Value
ciphertext vault:v0:DykggPIDCMz+vqrWsqa309HtQs2c3Y2BxedNCTlQQQ==
$ vault write transit/decrypt/foo context=$CTX ciphertext="vault:v0:DykggPIDCMz+vqrWsqa309HtQs2c3Y2BxedNCTlQQQ=="
Key Value
plaintext YmFy
$ echo YmFy | base64 -D
bar

path "sys/" {
  policy = "read"
}
path "secret/" {
  policy = "write"
}

path "sys/*" {
  policy = "read"
}
path "secret/*" {
  policy = "write"
}

# Only permit the 'foo' key exactly
path "transit/encrypt/foo" {
  policy = "write"
}

# secret/super-secret is denied even though the secret/* glob is readable
path "secret/*" {
  policy = "read"
}
path "secret/super-secret" {
  policy = "deny"
}
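The policy stanzas above show three matching cases: a glob prefix, an exact key path, and a more specific deny. As an added illustration (not Vault's own ACL code), this Go program models that evaluation under the assumptions that an exact rule beats any glob, the longest matching glob prefix wins, and each policy level implies the ones below it.

```go
package main
import (
	"fmt"
	"strings"
)

// Rule is one `path "..." { policy = "..." }` stanza from a policy file.
type Rule struct {
	Path   string // exact path, or a prefix ending in "*"
	Policy string // "deny", "read", "write" or "sudo"
}

// Assumed ordering: each level implies the ones below it.
var level = map[string]int{"deny": 0, "read": 1, "write": 2, "sudo": 3}

// Match returns the rule governing path (nil if none): an exact rule wins
// over any glob, and among globs the longest matching prefix wins.
func Match(rules []Rule, path string) *Rule {
	var best *Rule
	bestLen := -1
	for i := range rules {
		r := &rules[i]
		if !strings.HasSuffix(r.Path, "*") {
			if r.Path == path {
				return r
			}
			continue
		}
		prefix := strings.TrimSuffix(r.Path, "*")
		if strings.HasPrefix(path, prefix) && len(prefix) > bestLen {
			best, bestLen = r, len(prefix)
		}
	}
	return best
}

// Allowed reports whether the rule set grants at least want on path.
// No matching rule, or a matching "deny", refuses the request.
func Allowed(rules []Rule, path, want string) bool {
	r := Match(rules, path)
	return r != nil && r.Policy != "deny" && level[r.Policy] >= level[want]
}

func main() {
	// Constructed rule set: the glob, exact-key and deny stanzas from above.
	rules := []Rule{{"secret/*", "read"}, {"secret/super-secret", "deny"}, {"transit/encrypt/foo", "write"}}
	for _, p := range []string{"secret/db-password", "secret/super-secret", "transit/encrypt/foo", "transit/encrypt/bar"} {
		fmt.Printf("%-22s read=%v write=%v\n", p, Allowed(rules, p, "read"), Allowed(rules, p, "write"))
	}
}
```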