
Month: February 2023

Protecting personal secrets in vault with encryption

One of the issues with keeping personal secrets in Vault is that an admin or anyone holding a root token can read everything stored in Vault, which makes personal secrets less secure than they look.

To protect a personal secret from root/admin access we can store it encrypted instead of in the clear, using a private key, gpg, or just a password. Below is an example of how to protect a secret with a password.


Using hashicorp vault for personal secrets

Today I will show you how to use Vault for your personal secrets. Normally you would authenticate and get access to some path in Vault that everyone in your team has access to as well, but in some cases you may want to use Vault for your own secrets too, e.g. for storing the passphrase for your SSH private key, an email password, or something similar.

So here is a list of commands that need to be run: first as an admin, to set up auth and policies, and then as a user, to authenticate and read/write secrets.

Create a policy that allows actions under one's own identity. The {{identity.entity.id}} placeholder is a Vault policy template: when the policy is evaluated it is replaced with the entity ID of the caller, so every user gets a private subtree from one shared policy:

cat <<EOF | vault policy write identity -
# KV v2 stores values under secret/data/...; each entity only gets its own subtree
path "secret/data/{{identity.entity.id}}/*" {
	capabilities = ["create", "read", "update", "delete"]
}
EOF
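The following script is an added example, not code from the blog; it ties the two posts together by storing a personal secret under the per-entity path granted by the policy above, but encrypted with a user-chosen password first, so a root token only ever sees ciphertext. It assumes a KV v2 engine mounted at secret/, that the identity policy is attached to your entity, that VAULT_ADDR and VAULT_TOKEN are already set (for instance after vault login), and an openssl 1.1.1 or newer for -pbkdf2; the function and field names (ciphertext, SECRET_PW) are the example's own. One caveat on the policy as written: it grants the data path only, so vault kv list secret/<entity_id> will fail, because listing on a KV v2 mount needs the list capability on secret/metadata/<entity_id>/.

```shell
#!/usr/bin/env bash
# Added example, not the blog's own code: a personal secret goes into Vault
# encrypted with a password chosen by the user, so an admin or root token
# holder who reads the KV entry only gets ciphertext.
# Assumptions: KV v2 mounted at secret/, the "identity" policy from the post
# attached to your entity, VAULT_ADDR and VAULT_TOKEN already set (after
# `vault login`), and openssl 1.1.1 or newer for -pbkdf2.
set -u

# Password-based encryption with openssl enc: AES-256-CBC, key derived from
# the password by PBKDF2 over a random salt, output as one line of base64 so
# it fits in a KV field. The password is handed over via the environment, not
# argv, so it does not show up in `ps`. Caveat: AES-CBC gives confidentiality
# only; a root user could still tamper with the ciphertext undetected (gpg or
# age add integrity if that matters).
encrypt_secret() {   # encrypt_secret PASSWORD PLAINTEXT -> base64 ciphertext
    printf '%s' "$2" | SECRET_PW="$1" openssl enc -aes-256-cbc -pbkdf2 \
        -iter 200000 -salt -a -A -pass env:SECRET_PW
}
decrypt_secret() {   # decrypt_secret PASSWORD BASE64 -> plaintext
    printf '%s' "$2" | SECRET_PW="$1" openssl enc -d -aes-256-cbc -pbkdf2 \
        -iter 200000 -a -A -pass env:SECRET_PW
}

# The policy grants secret/data/<entity_id>/*; `vault kv` on a v2 mount maps
# secret/<entity_id>/NAME onto that data path. The entity id is read from the
# token itself, so the user has nothing to remember.
my_entity_id() { vault read -field=entity_id auth/token/lookup-self; }

personal_path() {    # personal_path ENTITY_ID NAME -> secret/ENTITY_ID/NAME
    # Reject names that could escape the subtree or break the path ("/", "..").
    case "$2" in *[!A-Za-z0-9._-]*|"") echo "bad secret name: $2" >&2; return 1 ;; esac
    printf 'secret/%s/%s\n' "$1" "$2"
}

put_personal_secret() {   # put_personal_secret NAME PASSWORD PLAINTEXT
    local path
    path=$(personal_path "$(my_entity_id)" "$1") || return 1
    vault kv put "$path" ciphertext="$(encrypt_secret "$2" "$3")" >/dev/null
}

get_personal_secret() {   # get_personal_secret NAME PASSWORD -> plaintext
    local path
    path=$(personal_path "$(my_entity_id)" "$1") || return 1
    decrypt_secret "$2" "$(vault kv get -field=ciphertext "$path")"
}

# Usage: ./personal-secret.sh put NAME   |   ./personal-secret.sh get NAME
case "${1:-}" in
    put) read -rsp 'encryption password: ' pw; echo >&2
         read -rsp 'secret: ' val; echo >&2
         put_personal_secret "$2" "$pw" "$val" ;;
    get) read -rsp 'encryption password: ' pw; echo >&2
         get_personal_secret "$2" "$pw" ;;
esac
```

Run it as the user after logging in; the admin side (enabling an auth method and attaching the identity policy to the user's entity) is unchanged from the post. The encryption password is never sent to Vault, which is the whole point: losing it means losing the secret, since nobody on the Vault side can recover it.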

How to remove default route to vpn

Quite often, especially on corporate networks, once you connect to the company VPN all your traffic starts going via that VPN, meaning the company can watch what you do.
Most people may not even suspect that, but it is quite simple to find out.
So I am going to show how to do that on a Mac with a few commands everyone can run.

OK, let's check the routing table while connected to the VPN:

netstat -nr | grep -E '0/1|default'
0/1                10.225.222.129     UGSc           70        0   utun3
default            192.168.0.1        UGSc           12       11     en0
128.0/1            10.225.222.129     UGSc            0        0   utun3

The default route still points at the LAN gateway on en0, but the VPN client has added two routes, 0/1 and 128.0/1, via the tunnel interface utun3. Together they cover the whole IPv4 address space, and because a /1 is more specific than the /0 default route, they win the lookup: every packet without an even more specific route goes into the VPN.
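To make the check repeatable, here is an added example (not the blog's own code) that parses a netstat -nr listing for the 0/1 and 128.0/1 pair and, if asked, deletes those two routes so the LAN default route applies again. It assumes the macOS/BSD netstat column layout (Destination, Gateway, Flags, ..., Netif) and the macOS route syntax; the route delete/add invocations and the 10.0.0.0/8 corporate range are assumptions for illustration, so substitute your own networks.

```shell
#!/usr/bin/env bash
# Added example, not the blog's own code. Detects the trick VPN clients use
# instead of replacing "default": two routes, 0/1 and 128.0/1, which together
# cover all of IPv4 and beat "default" because a /1 is more specific than /0.
# Assumes macOS/BSD `netstat -nr` columns and macOS `route` syntax.
set -u

# detect_catchall_routes: read `netstat -nr` output on stdin. If both half
# routes exist and point at the same interface, print "IFACE GATEWAY" and
# return 0; otherwise return 1.
detect_catchall_routes() {
    awk '
        # first field from column 3 on that looks like an interface name (en0, utun3, ...)
        function iface(   i) {
            for (i = 3; i <= NF; i++) if ($i ~ /^[a-z]+[0-9]+$/) return $i
            return ""
        }
        $1 == "0/1"     { lo = iface(); gw = $2 }
        $1 == "128.0/1" { hi = iface() }
        END {
            if (lo != "" && lo == hi) { print lo, gw; exit 0 }
            exit 1
        }'
}

# full_tunnel_active: run the same check against the live routing table.
full_tunnel_active() { netstat -nr | detect_catchall_routes; }

# remove_catchall_routes [GATEWAY]: delete the two half routes so the default
# route via the LAN interface is used again (assumed macOS route syntax; needs
# sudo). The VPN client may re-add them on reconnect, and bypassing company
# routing may be against policy, so know what you are doing.
remove_catchall_routes() {
    sudo route -n delete -net 0.0.0.0/1 ${1:+"$1"} &&
    sudo route -n delete -net 128.0.0.0/1 ${1:+"$1"}
}

# add_vpn_route CIDR GATEWAY: afterwards send only the ranges that need the
# tunnel through it, e.g. add_vpn_route 10.0.0.0/8 10.225.222.129
# (10.0.0.0/8 is a placeholder, not a real corporate range).
add_vpn_route() { sudo route -n add -net "$1" "$2"; }

# Usage: ./vpnroutes.sh check   |   ./vpnroutes.sh remove [VPN_GATEWAY]
case "${1:-}" in
    check)  if out=$(full_tunnel_active); then
                echo "VPN catches all traffic via: $out"
            else
                echo "no catch-all VPN routes found"
            fi ;;
    remove) remove_catchall_routes "${2:-}" ;;
esac
```

The detection only looks at IPv4; a client that also pushes ::/1 and 8000::/1 does the same for IPv6, which netstat -nr -f inet6 would show.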

How to use echo or cat to check whether a port is listening when nc, ss, netstat, curl, etc. are not available on the host

I came across this amazing way of testing whether I could reach a port on the host when literally nothing I tried was available:

vagrant@ ~ () $ echo hi |  nc -l -p  8089 &
[1] 13651
vagrant@ ~ () $ cat < /dev/tcp/127.0.0.1/8089
hi
[1]+  Done                    echo hi | nc -l -p 8089
vagrant@ ~ () $
vagrant@ ~ () $ cat < /dev/tcp/127.0.0.1/8089
-bash: connect: Connection refused
-bash: /dev/tcp/127.0.0.1/8089: Connection refused
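The trick works because /dev/tcp/HOST/PORT is not a file at all: bash recognises the path when it performs a redirection and opens a TCP socket instead, which is why the error above comes from bash itself and why it does not work under sh or dash. The script below is an added example, not the blog's own code, that turns the one-liner into reusable functions: a connect check with a timeout, a small port sweep, and a curl-less HTTP status check that writes a request into the socket and reads the reply back. The function names and the use of timeout(1) where present (coreutils, absent on stock macOS) are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the blog's own code. /dev/tcp/HOST/PORT is interpreted by
# bash during redirection, so this needs bash (not sh/dash/ash) and a bash
# built with that feature (the default; some hardened builds drop it).
set -u

# port_open HOST PORT [SECONDS]: return 0 if a TCP connect succeeds, 1 if not.
# The redirection alone performs the connect; nothing has to be sent. A
# filtered port makes connect() hang until the kernel gives up, so the attempt
# is bounded with timeout(1) where it exists. The connect runs in a child bash
# because a failed `exec` redirection must not take down the caller.
port_open() {
    local host=$1 port=$2 secs=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# scan_ports HOST PORT...: print "PORT open|closed" per port; return 0 when at
# least one port was open. The echo|nc listener in the post is what this finds.
scan_ports() {
    local host=$1 p n=0
    shift
    for p in "$@"; do
        if port_open "$host" "$p" 2; then
            echo "$p open"; n=$((n + 1))
        else
            echo "$p closed"
        fi
    done
    [ "$n" -gt 0 ]
}

# http_status HOST PORT [PATH]: poor man's `curl -I`. fd 3 is opened read-write
# (<>) on the socket for the whole group, the request is written to it and the
# first response line read back. Returns 1 if the connect fails.
http_status() {
    local host=$1 port=$2 path=${3:-/} line=
    {
        printf 'HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" >&3
        IFS= read -r line <&3
    } 3<>"/dev/tcp/$host/$port" 2>/dev/null || return 1
    printf '%s\n' "$line" | tr -d '\r'
}

# Usage: ./devtcp.sh scan HOST PORT...   |   ./devtcp.sh http HOST PORT [PATH]
case "${1:-}" in
    scan) host=$2; shift 2; scan_ports "$host" "$@" ;;
    http) http_status "$2" "$3" "${4:-/}" ;;
esac
```

Note that a successful connect only proves something accepted the TCP handshake; a firewall or load balancer can do that without a real service behind it, which is why http_status goes one step further and checks that the peer actually speaks the protocol.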