
Run vault as a service with password protected private key #3844

Closed
JoostvdB94 opened this issue Jan 25, 2018 · 3 comments · Fixed by #7074
@JoostvdB94

Feature request?

Environment:
Vault v0.9.1

  • Vault Version: v0.9.1
  • Operating System/Architecture: CentOS

Vault Config File:

storage "file" {
  path = "/home/joost/.vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/pki/tls/certs/vault.cert.pem"
  tls_key_file = "/etc/pki/tls/private/vault.key.pem"
  tls_min_version = "tls12"
  tls_disable_client_certs = false
  tls_require_and_verify_client_cert = true
}

Startup Log Output:
None, see error in Actual behaviour

Expected Behavior:
TLS password can be passed using a pipe when starting the vault process in the background,
like: read -s password | ( echo $password | vault server -config /etc/vault/vault.conf &> ./vaultout &)

Actual Behavior:
When I run the command above, the following error gets output to ./vaultout

Enter passphrase for /etc/pki/tls/private/vault.key.pem: panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x4fd9fa]

goroutine 16 [running]:
bufio.(*Reader).fill(0xc420455f58)
        /goroot/src/bufio/bufio.go:97 +0xea
bufio.(*Reader).ReadSlice(0xc42017af58, 0xc420455d0a, 0x410446, 0x7fb7348ff690, 0x0, 0x0, 0xc420455dc0)
        /goroot/src/bufio/bufio.go:338 +0x2c
bufio.(*Reader).ReadBytes(0xc42017af58, 0xa, 0x0, 0xc420455e90, 0x441ef7, 0x1000, 0x1b76fe0)
        /goroot/src/bufio/bufio.go:416 +0x6b
bufio.(*Reader).ReadString(0xc420455f58, 0x100a, 0x1000, 0xc42008a000, 0x1000, 0x1000)
        /goroot/src/bufio/bufio.go:456 +0x38
github.com/hashicorp/vault/vendor/github.com/mitchellh/cli.(*BasicUi).ask.func1(0xc42004e901, 0xc4203fdce0, 0xc42004e8a0, 0xc42004e900)
        /gopath/src/github.com/hashicorp/vault/vendor/github.com/mitchellh/cli/ui.go:83 +0xb5
created by github.com/hashicorp/vault/vendor/github.com/mitchellh/cli.(*BasicUi).ask
        /gopath/src/github.com/hashicorp/vault/vendor/github.com/mitchellh/cli/ui.go:76 +0x288

Steps to Reproduce:
Run read -s password | ( echo $password | vault server -config /etc/vault/vault.conf &> ./vaultout &)
with a password protected private key

Important Factoids:
None

I think piping input to a process should not fail, especially because this is used for many other applications that run in the background. Running vault as a service when using a password protected private key is made (nearly) impossible.

If there is already a way to run vault as a service with a password protected private key, I would love to hear it.

@JoostvdB94 (Author) commented Jan 25, 2018

Also confirmed that running in the foreground gives me the same error:
read -s pass && echo $pass | vault server -config /etc/vault/vault.conf

while (read -s pass && echo $pass) | (read test && echo $test) | cat does output my read-input
(to confirm that piping an echo into a command that accepts stdin does work).

@ncabatoff (Collaborator) commented

Hi @JoostvdB94, thank you for the bug report. I can confirm that you've identified a bug. When support for password protected keys was introduced, there were two code paths added.

The first is used for the interactive case where we have a tty, in which case we change the tty's mode so that the password isn't echoed as it's being typed, then read it in. That case works fine.

The second case is meant to handle your scenario, where the password is piped in to stdin. That code path relies on the BasicUi.Reader field being populated, and we get the nil pointer panic because it hasn't been set.

Until a fix is available, the only workaround I can think of would be to use something like expect.
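The non-tty path ncabatoff describes, as an added example that is not Vault's or mitchellh/cli's code: the passphrase is read as one line from a caller-supplied reader, an unset (nil) reader is guarded before it reaches bufio rather than surfacing as the fill() panic in the trace above, and the result decrypts a legacy PEM-encrypted key. Only the Go standard library is used; loadEncryptedKey and encryptedTestKey are hypothetical names, the sample key is constructed in the block, and falling back to os.Stdin for a nil reader is an assumption about how an unset field should be treated.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"io"
	"os"
	"strings"
)

// loadEncryptedKey is the non-tty path: the passphrase for a legacy PEM-encrypted EC key
// (Proc-Type/DEK-Info headers) is read as one line from r, as when it is piped in.
// bufio.NewReader(nil) succeeds and the nil is only hit in fill() (the reported panic).
func loadEncryptedKey(pemBytes []byte, r io.Reader) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if r == nil {
		r = os.Stdin // assumed default for an unset reader field; guard before bufio sees it
	}
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err
	}
	pw := strings.TrimRight(line, "\r\n") // echo appends a newline; CR from Windows hosts
	if pw == "" {
		return nil, errors.New("empty passphrase")
	}
	// x509.DecryptPEMBlock is deprecated in Go but remains the stdlib path for this format.
	der, err := x509.DecryptPEMBlock(block, []byte(pw))
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

// encryptedTestKey is a constructed sample key so the example runs offline.
func encryptedTestKey(pw string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalECPrivateKey(key)
	block, _ := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, []byte(pw), x509.PEMCipherAES256)
	return pem.EncodeToMemory(block)
}
```

Call loadEncryptedKey(encryptedTestKey("hunter2"), strings.NewReader("hunter2\n")) to exercise the piped case; passing nil as the reader takes the guarded fallback instead of panicking.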

@saikrishnakatakam commented

Hi @ncabatoff,
I am also looking for the same use case; when can we possibly expect the fix?

4 participants