From 9c97dc9e19056eb9ee2404779f87a03e5b69e843 Mon Sep 17 00:00:00 2001 From: "Regis A. Despres" Date: Sat, 2 Jan 2021 19:36:04 +0100 Subject: [PATCH] Update README.md --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 71f923e..b76326e 100644 --- a/README.md +++ b/README.md @@ -90,9 +90,10 @@ Set it to a valid address through 'vault_cluster_addr' then enable the port forw (it's untested, no automated setup for multi nodes for now) ## Downgrading from keybase to unsafe local storage -It's a bit tricky: +It's a bit tricky and those commands need to be exec outside of the addon container: -- Retrieve the needed values from the logs (keys_b64 and encoded_root_token) +- Retrieve the needed values from the logs (keys_b64, encoded_root_token and adm.asc) +- Config your local vault client to reach your vault server addon (export VAULT_ADDR=..) - Unseal the vault using your keybase - Create a provisioning token - Set it in the config, restart @@ -101,9 +102,9 @@ It's a bit tricky: ```bash #!/usr/bin/env bash -# $1 is the encrypted unseal key (from the logs) -# $2 is the encrypted root key -# $3 is the gpg key of the local unsafe storage +# $1 is the encrypted unseal key (keys_b64 from the logs) +# $2 is the encrypted root key (encoded_root_token from the logs) +# $3 is the gpg key of the local unsafe storage (adm.asc from the logs) decrypt () { echo $1 | base64 -d | keybase pgp decrypt
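Review bot: In the first hunk (@@ -90,9 +90,10), the new step "Config your local vault client to reach your vault server addon (export VAULT_ADDR=..)" leaves the value as "..", so the reader cannot tell what form the address takes (scheme, host and port). Show the full shape with placeholders instead, for example `export VAULT_ADDR=<scheme>://<addon-host>:<port>`. In the same hunk, "those commands need to be exec outside of the addon container" reads better as "these commands must be run outside of the addon container". The retrieval step now lists three values taken from the logs (keys_b64, encoded_root_token and adm.asc) but does not say which log they come from; naming it would save the reader a search.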
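Review bot: In the second hunk (@@ -101,9 +102,9), the updated comment "$3 is the gpg key of the local unsafe storage (adm.asc from the logs)" does not say whether adm.asc is the public or the private half of that key. Since the value is read from the logs, the comment should state which one is expected so that a reader knows whether the log output itself is sensitive. While these lines are being touched, the context line `echo $1 | base64 -d | keybase pgp decrypt` expands `$1` unquoted; `printf '%s' "$1" | base64 -d | keybase pgp decrypt` avoids word splitting and echo's handling of leading dashes. A short comment that `$1` inside decrypt () is the function's own argument, not the script's first parameter described above it, would also prevent confusion.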