The mfsecretsadmin Utility

Use the mfsecretsadmin command line utility to set up, administer, and perform vault migration tasks.

Syntax:

To read from the vault:

mfsecretsadmin [options] read <secret name> [outpath]

where:

<secret name>
This is the name of the secret to read.
outpath
This is the path to write the secret to and is optional. This is only available with the -file option.

To write to the vault:

mfsecretsadmin [options] write <secret name> [secret]

where:

<secret name>
This is the name of the secret to write/delete.
secret
This is the value of the secret to be written and is optional. If this is not specified, then the secret name is deleted.

To list the secrets in the path specified:

mfsecretsadmin [options] list <secret path> [outpath]

where:

<secret path>
This is the path to the secrets to be listed. You can use the * and ? wildcards.
outpath
This is the path to write the list to and is optional. This is only available with the -file option.

To migrate secrets to a new vault destination:

mfsecretsadmin [options] migrate <secret path> <to vault> <to secret path>

where:

<secret path>
This is the path to the secrets that you want to migrate. You can use the * wildcard to migrate all secrets from the specified location.
<to vault>
This is the name of the vault to be migrated to.
<to secret path>
This is the path to the vault you are migrating the secrets to. A * value maintains the secrets path.

To delete a secret:

mfsecretsadmin [options] delete <secret name>

where:

<secret name>
This is the name of the secret to be deleted.

Options:

-vault <vault>
Specifies the name of the source vault. The default vault is used if this is not set.
-file
Specifies that the read or write action is performed to or from a file rather than standard out. On write, secret is expected to be a path; on read, outpath is expected to be set.
-overwrite
Specifies that the write or migrate action only replaces existing secrets.
-move
Specifies that the secrets are deleted once they have been successfully migrated to the new vault.
-loglevel <level>
Specifies the level of messages output:
1
Information (all messages).
2
Warnings and errors only.
3
Only errors.
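
Example (added here, not part of the vendor documentation): POSIX shell wrappers that use the -file option so a secret value is never placed on the command line, where it would be visible in process listings and shell history, and that quote wildcards so the shell passes them to the utility unexpanded. The function names are hypothetical; the script assumes mktemp is available, that mfsecretsadmin is on the PATH and returns non-zero on failure, and that the utility honours the process umask when it creates outpath.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: POSIX sh, mktemp available,
# mfsecretsadmin on PATH and returning non-zero on failure.

# usage: printf '%s' "$value" | write_secret_from_stdin <secret name> [vault]
# The value travels via an owner-only temp file and -file, never via argv.
write_secret_from_stdin() {
    name=$1; vault=${2:-}; rc=0
    tmp=$(mktemp) || return 1        # mktemp creates the file owner-only
    cat > "$tmp"                     # secret value arrives on stdin
    if [ -n "$vault" ]; then
        mfsecretsadmin -vault "$vault" -file write "$name" "$tmp" || rc=$?
    else
        mfsecretsadmin -file write "$name" "$tmp" || rc=$?
    fi
    rm -f "$tmp"                     # remove the plaintext copy either way
    return "$rc"
}

# usage: read_secret_to_file <secret name> <outpath> [vault]
# Runs in a subshell so the restrictive umask does not leak to the caller.
# Assumption: the utility creates outpath honouring the process umask.
read_secret_to_file() (
    umask 077
    if [ -n "${3:-}" ]; then
        mfsecretsadmin -vault "$3" -file read "$1" "$2"
    else
        mfsecretsadmin -file read "$1" "$2"
    fi
)

# usage: migrate_secrets '<secret path>' <to vault>
# Wildcards are quoted so the shell passes them through unexpanded; '*' as
# the destination path keeps each secret's path. -move is omitted, so the
# source copies stay until the destination has been checked.
migrate_secrets() {
    mfsecretsadmin migrate "$1" "$2" '*'
}
```

Once the migrated secrets have been confirmed in the destination vault, the source copies can be removed with the delete action or by rerunning the migration with -move.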