Hashicorp Vault | Dev and Prod server setup | Unseal | Policies | TLS setup

Hashicorp Vault

Mindmap of Vault Intro

What is a secret?

Vault setup

  1. Install Vault package
  2. Initialize the Vault server. In dev mode the server starts already initialized and unsealed, with in-memory storage and a root token printed to the terminal; that is a playground configuration and must not be used for a production setup.
  3. Unseal the Vault server (more on unsealing in the next section)
  4. Create policies for users
  5. Enable secret management mechanisms
  6. Make sure to adhere to the production hardening tips from Vault

Seal/Unseal Vault server

credits: vaultproject.io

What are policies?

Setup commands

Dev mode

# install Vault from the Vault website
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install vault
# test with the below command
vault

### DEV MODE
# start dev server
tmux new -s vault
vault server -dev    # and detach tmux ( Ctrl+b d )

# export variables that will be used by Vault when commands
# are run in the current terminal session
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='s.hfAJfADfj...'
# check Vault server status
vault status

# login into Vault
vault login
# view current logged in token information
vault token lookup

# create policies and respective tokens
vim secret-user-policy.hcl
# contents of secret-user-policy.hcl:
path "secret/data/*" { capabilities = ["read"] }
vim secret-admin-policy.hcl
# contents of secret-admin-policy.hcl:
path "secret/data/*" { capabilities = ["read", "create", "update"] }
# command to write policy
vault policy write secret-user-policy secret-user-policy.hcl
vault policy write secret-admin-policy secret-admin-policy.hcl

# now open two tmux sessions for each type of user to test policies
tmux new -s demo    # and split screens for admin and user
# at each of the tmux windows
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='s.hfAJfADfj...'
vault login         # enter respective tokens
vault token lookup  # to view current logged in token information

# on admin window & notice versions
# note: dev mode mounts secret/ as KV v2 and `vault kv` inserts data/ after the
# mount, so the CLI path secret/data/mysql is stored at secret/data/data/mysql;
# the policies above still match, and get/put below use the same CLI path
vault kv put secret/data/mysql username=root
# add multiple keys in a single command
vault kv put secret/data/mysql username=root password=root
# prevent recording the value of the token in terminal history
vault kv put secret/data/googlecloud token=-
# read from a json file
vault kv put secret/data/googlecloud @apitoken.json
# add multiple keys in a single command
vault kv put secret/data/aerospike \
  username=root \
  password=root \
  tlsname=securecert \
  namespace=hashicorp
# read secret
vault kv get secret/data/mysql

# ON USER WINDOW
vault kv put secret/data/mysql username=root  # will not work since this user does not have the privileges
vault kv get secret/data/mysql

Prod mode

# install Vault from the Vault website
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install vault
# test with the below command
vault

### DEPLOY PROD MODE
# Generate the certs (the SAN must contain the hostname/IP that clients
# will put in VAULT_ADDR, otherwise certificate verification fails)
mkdir -p /opt/vault/{tls,data}
cd /opt/vault/tls
openssl req \
  -out tls.crt \
  -new \
  -keyout tls.key \
  -newkey rsa:4096 \
  -nodes \
  -sha256 \
  -x509 \
  -subj "/O=HashiCorp/CN=Vault" \
  -addext "subjectAltName = IP:<loopbackIP>,DNS:<host>" \
  -days 3650

cat /etc/vault/vault.hcl
# contents of /etc/vault/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}
############################################### End of file

chown vault: /opt/vault/tls/*
service vault start

# make sure the DNS record for <hostname> is present and matches a SAN in
# the certificate, else TLS certificate verification will fail
export VAULT_ADDR='https://<hostname>:8200'
export VAULT_CACERT="/opt/vault/tls/tls.crt"
# either visit https://<IP>:8200 and enter 5 as the number of keys and 3 as the
# number of keys needed to unseal, or generate the keys from the CLI below
# copy the root token & keys
vault operator init

root@mac-saltmaster:/opt/vault/tls# vault status
# run the unseal command once per key share, until the threshold (3 of 5) is reached
root@mac-saltmaster:/opt/vault/tls# vault operator unseal --ca-cert=/opt/vault/tls/tls.crt
vault login
# Refer production hardening for more: https://learn.hashicorp.com/tutorials/vault/production-hardening
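The "5 keys, 3 needed to unseal" choice above is Shamir secret sharing: Vault splits the key protecting its storage encryption key into key shares, and each `vault operator unseal` call contributes one share until the threshold is met. As an added example (not the post's code and not Vault's own implementation), here is a toy Shamir split/recover over a prime field plus a `ToySeal` that mimics the repeated unseal calls, using the page's 5/3 parameters. `MASTER_KEY` is a constructed 32-byte sample, and the `rng` parameter exists only to make the demo reproducible; real code must use a CSPRNG.

```python
"""Shamir secret sharing with the page's unseal parameters (5 shares,
threshold 3). Added example, not Vault's implementation."""
import random

# 2^521 - 1 is prime and larger than any 256-bit key, so a 32-byte master key
# fits as a single field element. All polynomial arithmetic is modulo PRIME.
PRIME = (1 << 521) - 1

# Constructed sample master key (32 bytes) standing in for Vault's real one.
MASTER_KEY = int.from_bytes(bytes(range(32)), "big")


def split_secret(secret, shares=5, threshold=3, rng=None):
    """Return `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points
    determine the polynomial; fewer leave the constant term unconstrained."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    rng = rng or random.SystemRandom()   # injectable only for reproducibility
    # Leading coefficient drawn from [1, PRIME) so the degree really is threshold-1.
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]

    def poly(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, poly(x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` distinct
    shares this returns a field element unrelated to the real secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share submitted")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class ToySeal:
    """Models the unseal ceremony: each `submit` is one `vault operator
    unseal` call carrying one share; the vault stays sealed until `threshold`
    distinct shares have been entered, then the key is reconstructed."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.progress = {}        # x -> y of the shares entered so far
        self.master_key = None

    @property
    def sealed(self):
        return self.master_key is None

    def submit(self, share):
        x, y = share
        self.progress[x] = y      # re-entering the same share does not count twice
        if len(self.progress) >= self.threshold:
            self.master_key = recover_secret(list(self.progress.items()))
            self.progress.clear()
        return self.sealed


def demo(seed=42):
    """Run the page's 5/3 scenario with a fixed seed and return what happened."""
    shares = split_secret(MASTER_KEY, shares=5, threshold=3, rng=random.Random(seed))
    seal = ToySeal(threshold=3)
    sealed_after_two = seal.submit(shares[0]) and seal.submit(shares[3])
    sealed_after_three = seal.submit(shares[1])
    return {
        "any_three_recover": recover_secret([shares[0], shares[2], shares[4]]) == MASTER_KEY,
        "two_do_not_recover": recover_secret(shares[:2]) != MASTER_KEY,
        "sealed_after_two": sealed_after_two,
        "sealed_after_three": sealed_after_three,
        "key_restored": seal.master_key == MASTER_KEY,
    }


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is that the two-share recovery does not fail noisily: it returns a plausible-looking but wrong field element, which is exactly why Vault keeps the server sealed and reports only the unseal progress until the threshold is met.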
  1. Link to Hashicorp Vault
  2. An Introduction to Hashicorp Vault by Armon
  3. Vault tutorial
