This guide demonstrates an automated password rotation workflow using HashiCorp Vault and a simple Bash or Powershell script. These scripts could be run in a cron job or scheduled task to dynamically update local system passwords on a regular basis.

NOTE: This is not the be-all and end-all of password rotation. It is also not a PAM tool. It can do the following:

• Rotate local system passwords on a regular basis
• Allow systems to rotate their own passwords
• Store login credentials securely in Vault
• Ensure that passwords meet complexity requirements
• Require users to check credentials out of Vault

• HashiCorp Vault cluster that is reachable from your server instances. (Inbound TCP port 8200 to Vault)
• Seth Vargo's most excellent vault-secrets-gen plugin
• Vault command line configured for your Vault cluster. (Hint: You need to set VAULT_ADDR and VAULT_TOKEN environment variables.)
• A version 2 K/V secrets backend mounted at systemcreds
• jq installed on the linux servers

The following policies allow 'create' and 'update' rights. This essentially creates a one way door, whereby systems can update their passwords but not read them from Vault.

vault policy write rotate-linux policies/rotate-linux.hcl
vault policy write rotate-windows policies/rotate-windows.hcl

vault token create -period 24h -policy rotate-linux -orphan
vault token create -period 24h -policy rotate-windows -orphan

Append the following lines to /etc/environment. The VAULT_NAMESPACE is optional if you have one.

export VAULT_ADDR=https://your_vault.server.com:8200
export VAULT_TOKEN=4ebeb7f9-d691-c53f-d8d0-3c3d500ddda8
export VAULT_NAMESPACE=xxxxx

Windows users should set these as system environment variables.

./rotate-linux-password.sh -u root -t passphrase

REQUIRED OPTIONS:
-u USERNAME = User to change the password for
-t TYPE = Type of secret to create, this takes either password or passphrase
PASSWORD OPTIONS:
-l PW_LENGTH = Length (int)
-d PW_DIGITS = Amount of digits (int)
-s PW_SYMBOLS = Amount of symbols (int)
-c PW_ALLOW_UPPERCASE = Allow uppercase characters (bool)
-r PW_ALLOW_REPEAT = Allow repetition inside the password (bool)
PASSPHRASE OPTIONS:
-w PH_WORDS = Amount of words (int)
-p PH_SEPARATOR = Separator for the words (string)

.\rotate-windows-password.sh Administrator