Releases: egen/safe

Safe v0.3.0

11 Sep 16:57

New Features

  • safe rekey now exists, to assist with re-keying a Vault with
    new unseal keys. It prompts for the old unseal keys, and when
    enough have been entered, the rekey occurs, and new unseal keys
    are printed out to the user. --num-unseal-keys and --keys-to-unseal
    can be used to configure how many unseal keys are created, and
    how many are required to unseal the vault.

    Additionally, GPG keys can be specified via the --gpg flag, to encrypt
    the unseal keys. When using this mode, each unseal key is encrypted
    by a different GPG key (you should specify more than one GPG key). Keys
    are looked up from the local GPG keyring. Each encrypted unseal key is
    output at the end, tied to the GPG key that was requested.

    For example:

    $ safe rekey --gpg user1@example.com --gpg user2@example.com
    Your Vault has been re-keyed. Please take note of your new unseal keys and store them safely!
    Unseal key for user1@example.com:
    REDACTED
    Unseal key for user2@example.com:
    REDACTED
    

Safe v0.2.2

05 Aug 05:07

New Features

  • safe auth userpass allows users to authenticate using a username and password via the Vault Username & Password auth backend.

    This backend needs to be enabled first using safe vault enable-auth userpass, then each username/password needs to be added via:

    safe vault write auth/userpass/users/<username> \
        password=<password> \
        policies=<user-policy>
    

Safe v0.2.1

17 Jul 20:09

Bug Fixes

  • Resolved an issue where safe tree panics when processing keys
    whose name is an empty string.

Safe v0.2.0

11 Jul 14:31

New Features

  • safe fmt picked up some new formats: bcrypt for
    Blowfish-based bcrypt (best for password storage), crypt-md5
    for legacy systems that need MD5 hashes, and crypt-sha256 for
    a middle-ground between MD5 and SHA-512.

  • safe x509 show will now print out a human-readable summary of
    a given certificate, to assist operators in exploring the Vault
    and verifying certificates stored therein.

Improvements

  • The pki-backend commands in safe have now been officially
    deprecated. The new safe x509 backend has been working out
    beautifully and is far easier to configure than the Vault PKI
    backend with its peculiar terminology. Specifically, the
    following commands no longer exist: pki init, ca-pem,
    crl-pem, cert, and revoke.

Safe v0.1.8

01 Jun 06:17

Improvements

  • The get, paths and tree commands now support a --keys option that
    outputs the keys found under the specified path or paths.

  • safe get has been refactored to have more meaningful output when
    requesting output from multiple paths and better supports mixes of path and
    path:key.

    If more than one path is specified, the output will be YAML, with
    the base map key of the specified path, followed by the found (or specified)
    keys and associated values. Single path behaviour stays the same (raw
    string for path:key, simple key:value YAML for path without specified key),
    but you can use the --yaml option to force it to use fully-qualified YAML.

Bug Fixes

  • Fixed a regression that broke safe set when setting a key to an empty
    string or referencing an empty file.

Safe v0.1.7

17 May 20:06

New Features

  • New global flag --no-clobber refuses to overwrite an existing
    credential, and instead prints a message telling the user that
    they tried to overwrite one.
    This is supported in all known write-causing commands,
    except safe import.

    When existing credentials are encountered, safe will exit 0,
    as it successfully avoided clobbering the credential.

    --quiet can be provided to suppress the clobber-noop warning
    messages.

Safe v0.1.6

03 May 21:02
Compare
Choose a tag to compare

Bug Fixes

  • safe vault now correctly passes flags to the vault binary.

Safe v0.1.5

31 Mar 15:05

Changes

  • delete now gives you back a non-zero return code if it couldn't find the thing
    you wanted it to delete. If this seems like something you don't want to happen,
    adding the -f flag will cause it to fail silently like it used to.

Improvements

  • delete, move, copy, and gen now allow you to touch specific keys in a
    secret. Give the commands their expected paths in a secret:key format and it
    should all work the way you expect.
  • gen can now take multiple paths as arguments, and it will make passwords for
    all those places for you.
  • gen now has a -l flag to specify length wherever you want. The old method
    of putting an integer as the first argument still works, but if you want to be
    explicit about it, you can put -l <length> anywhere after the command name.
  • All commands will now take a -h flag to print out their respective help
    dialogues.
  • Attempting to delete or move a folder path without -R specified now gives
    you a more helpful error telling you that you've targeted a folder instead of a
    secret.

Bug Fixes

  • Some time back, we made it so that the help wouldn't print if the user simply
    ran safe without any arguments. That was an accident. That's fixed now.

Safe v0.1.4

15 Mar 18:10

New Features

  • safe x509 issue is a new command that lets you issue TLS/SSL
    certificates, with optional CA management. It supports all
    three varieties of subject alternate names (IPs, emails and DNS
    names), RSA key strength selection (1024 / 2048 / 4096), custom
    certificate lifetimes, and allows creation of CA certificates
    to arbitrary depths.

  • safe x509 revoke provides certificate revocation features,
    including painless Certificate Revocation List (CRL) management.

  • safe x509 validate sports a wide array of checks and
    verifications you can run against a path in the Vault, making it
    easier to ensure that (for example) the certificate and private
    key actually go together, the certificate hasn't been revoked, the
    certificate hasn't expired, and so on.

  • safe x509 crl --renew path/to/ca will re-sign your CA's CRL,
    without affecting the list of revoked certificates. Trust us,
    if you need this, you'll know it.
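
Two of the checks that safe x509 validate is described as running (the certificate and private key go together, and the certificate hasn't expired), sketched with Go's standard library. This is an added example, not code from safe; newCert, checkPair and demo are hypothetical names, and the certificates are constructed self-signed samples.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed, self-signed sample certificate for key.
func newCert(key *rsa.PrivateKey, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sample.example.com"},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkPair reports the first problem found: key mismatch, then validity window.
func checkPair(cert *x509.Certificate, key *rsa.PrivateKey, now time.Time) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("private key does not match certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate is outside its validity window")
	}
	return nil
}

// demo checks constructed data (setup errors ignored): good pair, wrong key, expired cert.
func demo() (ok, mismatch, expired error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	good, _ := newCert(key, now.Add(time.Hour))
	old, _ := newCert(key, now.Add(-time.Hour))
	return checkPair(good, key, now), checkPair(good, other, now), checkPair(old, key, now)
}

func main() { fmt.Println(demo()) }
```

Revocation, the third check named above, would additionally need the issuing CA's CRL and is not covered here.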

Improvements

  • A new command-line parser (go-cli) makes life easier for
    operators, and brings with it the potential to outfit existing
    commands with more flags.

Bug Fixes

  • safe move, safe copy and safe delete now no longer
    short-circuit long chains of sub-commands if they are recursive,
    not forced, and the operator says "no" at the confirm prompt.
    Instead, they only terminate the current sub-command, and resume
    execution with the next command in the chain.

  • safe is now built as a static binary, so it can be used in things
    like alpine-linux with more success.

Safe v0.1.3

03 Mar 21:32

New Features

  • It is now possible to configure multiple PKI backends
    using the --backend flag to safe pki init, and reference
    those backends with the same flag using safe cert, safe ca-pem,
    and all your other familiar PKI-related safe commands.

    This is especially useful if you need to have a subset of certs only
    signed by a specific CA, like OpenVPN, and do not want all certs signed
    by that CA to be valid client certificates.