a3dfde5cec
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
128 lines
3.9 KiB
Markdown
128 lines
3.9 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "TOTP - Secrets Engines"
|
|
sidebar_title: "TOTP"
|
|
sidebar_current: "docs-secrets-totp"
|
|
description: |-
|
|
The TOTP secrets engine for Vault generates time-based one-time use passwords.
|
|
---
|
|
|
|
# TOTP Secrets Engine
|
|
|
|
The TOTP secrets engine generates time-based credentials according to the TOTP
|
|
standard. The secrets engine can also be used to generate a new key and validate
|
|
passwords generated by that key.
|
|
|
|
The TOTP secrets engine can act as both a generator (like Google Authenticator)
|
|
and a provider (like the Google.com sign in service).
|
|
|
|
## As a Generator
|
|
|
|
The TOTP secrets engine can act as a TOTP code generator. In this mode, it can
|
|
replace traditional TOTP generators like Google Authenticator. It provides an
|
|
added layer of security since the ability to generate codes is guarded by
|
|
policies and the entire process is audited.
|
|
|
|
### Setup
|
|
|
|
Most secrets engines must be configured in advance before they can perform their
|
|
functions. These steps are usually completed by an operator or configuration
|
|
management tool.
|
|
|
|
1. Enable the TOTP secrets engine:
|
|
|
|
```text
|
|
$ vault secrets enable totp
|
|
Success! Enabled the totp secrets engine at: totp/
|
|
```
|
|
|
|
By default, the secrets engine will mount at the name of the engine. To
|
|
enable the secrets engine at a different path, use the `-path` argument.
|
|
|
|
1. Configure a named key. The name of this key will be a human identifier as to
|
|
its purpose.
|
|
|
|
```text
|
|
$ vault write totp/keys/my-key \
|
|
url="otpauth://totp/Vault:test@test.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Vault"
|
|
Success! Data written to: totp/keys/my-key
|
|
```
|
|
|
|
The `url` corresponds to the secret key or value from the barcode provided
|
|
by the third-party service.
|
|
|
|
### Usage
|
|
|
|
After the secrets engine is configured and a user/machine has a Vault token with
|
|
the proper permission, it can generate credentials.
|
|
|
|
1. Generate a new time-based OTP by reading from the `/code` endpoint with the
|
|
name of the key:
|
|
|
|
```text
|
|
$ vault read totp/code/my-key
|
|
Key Value
|
|
--- -----
|
|
code 260610
|
|
```
|
|
|
|
Using ACLs, it is possible to restrict using the TOTP secrets engine such
|
|
that trusted operators can manage the key definitions, and both users and
|
|
applications are restricted in the credentials they are allowed to read.
|
|
|
|
## As a Provider
|
|
|
|
The TOTP secrets engine can also act as a TOTP provider. In this mode, it can be
|
|
used to generate new keys and validate passwords generated using those keys.
|
|
|
|
### Setup
|
|
|
|
Most secrets engines must be configured in advance before they can perform their
|
|
functions. These steps are usually completed by an operator or configuration
|
|
management tool.
|
|
|
|
1. Enable the TOTP secrets engine:
|
|
|
|
```text
|
|
$ vault secrets enable totp
|
|
Success! Enabled the totp secrets engine at: totp/
|
|
```
|
|
|
|
By default, the secrets engine will mount at the name of the engine. To
|
|
enable the secrets engine at a different path, use the `-path` argument.
|
|
|
|
1. Create a named key, using the `generate` option. This tells Vault to be the
|
|
provider:
|
|
|
|
```text
|
|
$ vault write totp/keys/my-user \
|
|
generate=true \
|
|
issuer=Vault \
|
|
account_name=user@test.com
|
|
|
|
Key Value
|
|
--- -----
|
|
barcode iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BA...
|
|
url otpauth://totp/Vault:user@test.com?algorithm=SHA1&digits=6&issuer=Vault&period=30&secret=V7MBSK324I7KF6KVW34NDFH2GYHIF6JY
|
|
```
|
|
|
|
The response includes a base64-encoded barcode and OTP url. Both are
|
|
equivalent. Give these to the user who is authenticating with TOTP.
|
|
|
|
### Usage
|
|
|
|
1. As a user, validate a TOTP code generated by a third-party app:
|
|
|
|
```text
|
|
$ vault write totp/code/my-user code=886531
|
|
Key Value
|
|
--- -----
|
|
valid true
|
|
```
|
|
|
|
## API
|
|
|
|
The TOTP secrets engine has a full HTTP API. Please see the
|
|
[TOTP secrets engine API](/api/secret/totp/index.html) for more
|
|
details.
|