Skip to content

Secure store for your tokens. Top security. It uses shamir: at least three of wise-team members has to type their keys to start the vault.

License

Notifications You must be signed in to change notification settings

wise-team/wise-vault

Repository files navigation

Wise Vault

License PRs Welcome Chat Wise operations count

User security is a top priority for us at @wise-team. That is why Wise uses industry-standard top-security Hashicopr's vault to store steemconnect tokens.

Instructions

Deployment

Vault is deployed with ansible playbooks. Just run the wise-vote playbook with --tags "vault"

Init

# 1.
$ ./scripts/vault-exec.sh status # check if vault is accessible
$ ./scripts/vault-exec.sh operator init 
# This command will output 5 unseal keys. Distribute them among wise-team members.
# Warning! This can be done only once. There is no possibility to reset unseal keys. 

# 2.
# After init, please do unseal with three keys as shown below.

# 3. Enter vault and execute the following commands:
$ ./scripts/vault-enter.sh
$ vault operator unseal
$ vault operator unseal
$ vault operator unseal

$ export VAULT_TOKEN="...root token" # we will revoke it later
$ vault policy write admin /wise-vault/policies/admin.hcl
$ vault policy write provisioner /wise-vault/policies/provisioner.hcl

$ vault auth enable userpass
$ vault write auth/userpass/users/noisy password=... policies=admin,provisioner
$ vault write auth/userpass/users/jblew password=... policies=admin,provisioner
$ vault write auth/userpass/users/perduta password=... policies=admin,provisioner

Unseal

At least three of us has to run to the production server and run:

$ ./scripts/vault-exec.sh status # check if vault is accessible
$ ./scripts/vault-exec.sh operator unseal 
# The command will prompt for unseal key.

Backup

Manual backup is done with ansible. Run the wise-vote playbook with --tags "vault-backup". It will download sealed and sealed and gzipped version of vault to the local machine. As it is sealed, it can be securely stored anywhere. To unseal it someone needs at least 3 of the 5 unseal keys that are distributed among @wise-team members.

Where to get help?

You can also ask questions as issues in appropriate repository: See issues for this repository.

Contribute to steem Wise

We welcome warmly:

Before contributing please read Wise CONTRIBUTING guide.

Thank you for developing WISE together!

Like the project? Let @wise-team become your favourite witness!

If you use & appreciate our software — you can easily support us. Just vote for "wise-team" to become you one of your witnesses. You can do it here: https://steemit.com/~witnesses.

About

Secure store for your tokens. Top security. It uses shamir: at least three of wise-team members has to type their keys to start the vault.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published