9c4d20da9e
Mount the gpg secrets engine (the plugin is registered separately via the plugin module + config/plugins, #89) and manage OpenPGP keys with the gpgvaultsecret provider. - gpg_secret_backend module: mounts the registered plugin type; depends_on the plugin module so the mount waits for catalog registration. - gpg_key module (via the gpgvaultsecret provider, registered in root.hcl): create/configure keys; wired through vault_cluster + config discovery (config/gpg_key/<backend>/<name>.yaml). - config/gpg_secret_backend/gpg.yaml mounts at gpg/; config/gpg_key/gpg/pass.yaml is an rsa-4096 'pass' key for password-store (private key stays in Vault; clients decrypt via gpg/decrypt/pass). Rebased onto master after the access (#88) and plugin-import (#89) PRs merged.
8 lines
333 B
YAML
8 lines
333 B
YAML
# config/gpg_key/gpg/pass.yaml
|
|
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
|
# stays in Vault; clients import the exported public key to encrypt and delegate
|
|
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
|
algorithm: rsa-4096
|
|
identity: "pass <pass@unkin.net>"
|
|
exportable: false
|