"Transit like" secret backend plugin for PGP/GPG in Hashicorp Vault

LeSuisse/vault-gpg-plugin

Vault Plugin: GPG Secret Backend

This is a standalone plugin for HashiCorp Vault. This plugin handles GPG operations on data-in-transit in a similar fashion to what the transit secret backend proposes. Data sent to the backend are not stored.

As of today, the backend does not support encrypting data.

This backend has use cases similar to those of the transit secret backend, and the latter should be preferred if you do not need to interact with existing tools that are only GPG-aware.

Usage & setup

This is a Vault plugin; you need a working installation of Vault to use it.

To learn how to use plugins with Vault, see the documentation on plugin backends on the official Vault website. You can download and decompress the pre-compiled plugin binary for your architecture from the latest release on GitHub. A SHA256 checksum for the pre-compiled plugin binary is also provided in the archive so that it can be registered in your Vault plugin catalog.

All archives are available from the release tab on GitHub and are signed using Cosign:

$ cosign verify-blob <file> --bundle <file>.bundle \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/LeSuisse/vault-gpg-plugin/\.github/workflows/Release\.yml'
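
The checksum step described above, as an added example that is not part of the project's README: these functions compare the decompressed binary with the SHA256 value shipped in the archive and register the plugin only when they match. The file names, the checksum-file layout (`<hex digest>  <file name>`, as written by `sha256sum`) and a binary already copied into Vault's plugin directory are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code. Paths and the checksum-file
# layout are assumptions; adjust them to the contents of the release archive.

# Print the SHA256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the binary's digest with the first field of the checksum file.
# Prints the digest on success; prints nothing and returns 1 otherwise.
verified_sha256() {
    binary=$1
    sumfile=$2
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha256_of "$binary")
    # Fail closed on anything that is not exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum file: $sumfile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file: $sumfile" >&2; return 1; }
    if [ "$expected" != "$actual" ]; then
        echo "SHA256 mismatch for $binary" >&2
        return 1
    fi
    printf '%s\n' "$actual"
}

# Register the plugin in the catalog only after the digest check passed.
# Vault compares the binary against this digest when it runs the plugin.
register_gpg_plugin() {
    binary=$1
    sumfile=$2
    digest=$(verified_sha256 "$binary" "$sumfile") || return 1
    vault plugin register -sha256="$digest" secret "$(basename "$binary")"
}
```

Run the `cosign verify-blob` command on the archive first; the checksum inside an archive is only as trustworthy as the archive itself.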

Once mounted in Vault, this plugin exposes this HTTP API.