hv credentials
In order to connect to the vault server, hv must at least have:
- a username
- a password
- a hostname
For example:
$ hv -hhexvault.acme.com:65433 -uadmin -psecret users
LastActive Adm Login Email
---------- --- ------------ ------------
2022-06-27 * admin
2022-06-22 alice Alice <[email protected]>
Never bob Bob <[email protected]>
...
There are 3 ways to specify credentials (in decreasing order of priority):
- providing them as command-line arguments (as in the example above)
- storing them in environment variables
- storing them in the registry+keychain (recommended)
All credentials, including usernames, are case-sensitive, meaning that "Joe" and "joe" would be different users.
Command line
Passing credentials on the command line will always take precedence over environment variables and registry+keychain.
-uUSERNAME | specify username
-pPASSWORD | specify password
-hHOST | specify host (server:port) (if port is omitted, defaults to 65433)
-sSITENAME | specify site
--set | remember credentials. This option doesn’t require the credentials to be passed through the command line; credentials passed through environment variables will work as well
Environment variables
Credentials can also be passed through environment variables. They will take precedence over those possibly found in the registry+keychain.
VAULT_HOST | the server host name
VAULT_PORT | the server port
VAULT_USER | the username to connect to the server
VAULT_PASS | the user’s password
VAULT_SITE | the site to use (most commands need a site to operate)
Registry + keychain
Unless environment variables or command-line arguments are provided, hv will look for credentials in the registry (and the OS’s keychain for passwords).
Credentials can be stored in the registry (and keychain) like so:
alice@alice_PC$ hv --set -ualice -palice -hvaultserver -salice_on_alicepc
The user, host (and optional site) will be persisted in the registry, while the password will be saved to the OS’s keychain.
For this operation to succeed, at least a user and host must be provided.
In order to keep the various commands' syntax as clear as possible, we will assume that the user has stored credentials (in either the registry+keychain or environment variables) for the rest of this manual.
Best practices
We recommend persisting credentials using the registry+keychain method.
Once that is done, commands will become cleaner:
>./hv info
Hex-Rays Vault Server v1
Vault time: 2022-04-14 15:36:29, up since 2022-04-14 15:17:25
...
If you log in to the server using hvui and save the login information, it will be stored in the registry+keychain, and hv will then be able to use that information as well.
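An added example (not part of the hv documentation): because --set also accepts credentials from environment variables, the password can be persisted without appearing in hv's argument list, where shell history and the process list would expose it. The names hv_store_credentials and HV_BIN are hypothetical; only --set and the VAULT_* variables come from this page.

```shell
# Added example, not part of the hv documentation. hv_store_credentials is a
# hypothetical helper; HV_BIN is an assumed override for the path to hv.
# Usage: hv_store_credentials USER HOST [SITE] [PORT]   (password on stdin)
hv_store_credentials() (
    user=${1:?user required}
    host=${2:?host required}
    site=${3:-}
    port=${4:-}

    if [ -t 0 ]; then
        # Interactive: prompt with terminal echo off, restore it on interrupt.
        trap 'stty echo; exit 130' INT TERM
        printf 'Vault password for %s@%s: ' "$user" "$host" >&2
        stty -echo
        IFS= read -r pw || true
        stty echo
        printf '\n' >&2
    else
        # Non-interactive: take the first line of stdin (e.g. piped from a
        # secrets manager), so the password never sits in a script or argv.
        IFS= read -r pw || true
    fi
    if [ -z "$pw" ]; then
        echo 'hv_store_credentials: empty password, nothing stored' >&2
        exit 1
    fi

    # The function body is a subshell: these exports vanish when it ends, so
    # the calling shell never holds VAULT_PASS and hv's argv is just --set.
    export VAULT_USER="$user" VAULT_HOST="$host" VAULT_PASS="$pw"
    if [ -n "$site" ]; then export VAULT_SITE="$site"; fi
    if [ -n "$port" ]; then export VAULT_PORT="$port"; fi
    "${HV_BIN:-hv}" --set
)
```

Afterwards, running hv info with no credential arguments confirms that the stored registry+keychain entry is the one in use.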