"brew services start vault",但解封密钥和根令牌是什么?

"brew services start vault", but what's the unseal key and root token?

在我的 mac 上安装 vault 时,我收到如下提示:

==> Pouring vault-1.6.1.catalina.bottle.tar.gz
==> Caveats
To have launchd start vault now and restart at login:
  brew services start vault
Or, if you don't want/need a background service you can just run:
  vault server -dev
==> Summary

如果我使用 vault server -dev 启动保管库,它会直接给我解封密钥和根令牌,但如果我选择在 mac、

上启动保管库作为服务
brew services start vault

我可以通过 https://127.0.0.1:8200

访问保险库

但是从哪里获得它的解封密钥和根令牌?

我自己得到了答案。

$ brew services list
Name       Status  User Plist
...
vault      started bill /Users/bill/Library/LaunchAgents/homebrew.mxcl.vault.plist

$ cat /Users/bill/Library/LaunchAgents/homebrew.mxcl.vault.plist

...
    <key>WorkingDirectory</key>
    <string>/usr/local/var</string>
    <key>StandardErrorPath</key>
    <string>/usr/local/var/log/vault.log</string>
    <key>StandardOutPath</key>
    <string>/usr/local/var/log/vault.log</string>

所以保管库日志位于 /usr/local/var/log/vault.log,带有解封密钥和根令牌。

$ cat /usr/local/var/log/vault.log

...
2020-12-25T22:07:01.747+1100 [INFO]  secrets.kv.kv_516b0983: upgrading keys finished
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: XhctKSIXlx2zjd1arUGBucprBXxXmzoygjpGR0S62T4=
Root Token: s.Gd5HSuBB87nSeYMOsdwaMOCk

Development mode should NOT be used in production installations!