HashiCorp Vault
What is HashiCorp Vault?
HashiCorp Vault is a secrets management solution that brokers access to systems for both humans and machines through programmatic access. Secrets can be stored or dynamically generated, and in the case of encryption, keys can be consumed as a service without exposing the underlying key material.
What is the purpose of Hashicorp Vault?
Ease of use for developers to access/use confidential secrets, keys, and credentials
Confidentiality for secrets, keys, and credentials
Provide mechanisms for key rotation in case of compromise
Create an audit log to keep track of what systems and users access confidential data
Set up a HashiCorp Vault server
Steps for Installing Vault on Linux Ubuntu
Prerequisites
Ubuntu 18.04
A user account with sudo privileges
Access to a terminal window/command-line (Ctrl-Alt-T)
Install Consul
Consul is a highly scalable and distributed service discovery and configuration system. You can coordinate Consul Storage as a backend to Vault to ensure the software is highly available and fault-tolerant.
The first step is to install and configure Consul on Ubuntu 18.04.
Start by navigating to the Consul webpage and clicking on the Download icon.
The browser then takes you to the Download page with all the available packages. Search for the Linux section and right-click on the 32 or 64-bit version. Copy the link location, as you will need it in the next step.
Open the terminal (Ctrl+Alt+T) and use the wget command to download the Consul package: wget https://releases.hashicorp.com/consul/1.6.1/consul_1.6.1_linux_amd64.zip
Next, unzip the package with the command: unzip consul_1.6.1_linux_amd64.zip
Note: If unzip is not installed, install it with the command: sudo apt install unzip -y
Then, move the installation package by typing the following command: sudo mv consul /usr/bin
End by verifying the installation with the command: consul
The output should list all available consul commands, as in the image below:
Configure Consul
Create and open a new file with sudo nano /etc/systemd/system/consul.service
Add the following content to the consul.service file:
Save and exit the file.
Then, move on to creating a configuration directory and adding a new .json file in it:
To allow the UI to be reached from any address, add the following content to the newly created file:
Make sure to save before exiting the file.
For the changes to take effect, you must reload systemd, then start and enable the consul service.
Reload systemd with the command: sudo systemctl daemon-reload
Start the service with the command: sudo systemctl start consul
Then, enable it so it starts at boot: sudo systemctl enable consul
Verify that the service is up and running with the command: journalctl -f -u consul
Then open a web browser and navigate to the URL: vault.admintome.lab:8500/ui/
This opens the Consul web UI and lists the registered services. If you see consul listed as a service, you have successfully set up the software.
Installing Vault on Ubuntu
With Consul in place, move on to installing Vault on your Ubuntu 18.04 system.
Go to Vault’s official website, click on Download, and find the available package for Linux distributions.
Right-click on the Download icon and copy the link location.
Using the wget command, download the package by pasting the link location copied in the previous step: wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip
Next, unzip the package using the following command: unzip vault_1.2.3_linux_amd64.zip
Then, move the binary to the /usr/bin directory: sudo mv vault /usr/bin
Check the installation using the following command: vault
As a result, a list of all available vault commands should appear, as in the image below:
Configure Vault
Start by creating a configuration directory and a file within it: sudo mkdir -p /etc/vault && sudo nano /etc/vault/config.hcl
Then, type or paste the following content in the file:
Again, save and exit the file.
Next, you need to create a systemd unit (.service) file for Vault. The easiest way to do this is to copy Consul's unit file and modify the values to suit Vault.
Duplicate the existing service file under a new name with the command: sudo cp /etc/systemd/system/consul.service /etc/systemd/system/vault.service
Open the new vault.service file: sudo vim /etc/systemd/system/vault.service
Make sure the content of the file matches the one below. Essentially, you'll need to replace all Consul-specific values with the appropriate Vault ones.
After saving the file, exit back to the terminal shell and launch the service with the following commands:
The status should show the service is active (running).
Using the vault client, point it at the running service with the command: export VAULT_ADDR=http://IP.ADDRESS.OF.VAULT:PORT (the default port is 8200)
Initialize Vault
As you have already installed Consul to serve as the back-end storage, you’ll now need to initialize Vault manually for it to work correctly.
First, run the following command to see the current Vault status: vault status
As in the image above, the output shows that Vault is sealed and not yet initialized.
To unseal it, you need three (3) unseal keys, which are generated by running the command: vault operator init
The terminal returns five (5) Unseal Keys as well as an Initial Root Token. It also explains that any time Vault is re-sealed, restarted, or stopped, you will need to supply at least three (3) of these keys.
If you do not provide the required number of keys, Vault remains sealed. Therefore, copy all five keys and store them in a separate file.
Once you have at least 3 unseal keys, run the command: vault operator unseal
Copy and paste the first key and hit Enter.
Repeat the same procedure for Unseal Key 2 and 3.
Once Vault is unsealed, log in with the Initial Root Token (listed with the Unseal Keys): vault login [root_token]
Now, check the status again to verify that Vault has been initialized and unsealed: vault status
Steps for Installing Vault on Windows
Install Chocolatey (free and open-source package management system for Windows).
Open PowerShell with Admin privileges
Enter the below command:
Open PowerShell and enter the below command: choco install vault
After installing Vault, verify the installation worked by opening a new terminal session and checking that the vault binary is available. By executing vault, you should see help output similar to the following:
Vault Server
Vault operates as a client/server application. The Vault server is the only piece of the Vault architecture that interacts with the data storage and backends. All operations done via the Vault CLI interact with the server over a TLS connection.
Starting the Dev Server
Open PowerShell and start the dev server: vault server -dev
With the dev server started, perform the following:
Launch a new terminal session.
Copy and run the export VAULT_ADDR ... command from the terminal output. This will configure the Vault client to talk to the dev server.
The Vault CLI determines which Vault server to send requests to using the VAULT_ADDR environment variable.
Save the unseal key somewhere. Don't worry about how to save this securely. For now, just save it anywhere.
Set the VAULT_TOKEN environment variable value to the generated Root Token value displayed in the terminal output.
Verify the server is running.
HashiCorp Vault - Basic Commands
Once you start the server (as described in the section Starting the Dev Server), the server is in sealed mode by default. Therefore, you must initialize the server first.
Important Note: The initialization step is not required for a dev-mode server.
Initialize the server
The operator init command initializes a Vault server. Initialization is the process by which Vault's storage backend is prepared to receive data. Since Vault servers share the same storage backend in HA mode, you only need to initialize one Vault to initialize the storage backend.
During initialization, Vault generates an in-memory master key and applies Shamir's secret sharing algorithm to split that master key into a configurable number of key shares, such that a configurable subset of those key shares must come together to regenerate the master key. These keys are often called "unseal keys" in Vault's documentation.
This command cannot be run against an already-initialized Vault cluster: vault operator init
By default it generates 5 key shares (with a threshold of 3) and an Initial Root Token.
Verify the Server is Running
Check that the server is running successfully by using the command: vault status
Unsealing
The unseal process is done by running vault operator unseal or via the API. This process is stateful: each key can be entered via multiple mechanisms on multiple computers, and it will work. This allows each share of the master key to be on a distinct machine for better security.
vault operator unseal <unseal_key>
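The two passages above (the initialization step that splits the master key into shares, and the stateful unseal that collects them) are easier to reason about with a concrete instance. The following is an added example, not code from this page or from HashiCorp: a minimal Shamir secret-sharing split and recovery over a prime field with 5 shares and a threshold of 3, plus a toy Unsealer that accepts shares one at a time the way vault operator unseal does. Vault's real implementation works byte-wise over GF(2^8); the prime field, the Unsealer class and the constructed sample secret are assumptions made for clarity.

```python
"""Toy Shamir secret sharing: split a secret into N shares, any K of which
recover it. Added example; not Vault's implementation."""
import secrets

# secp256k1 field prime; any secret we split must be smaller than this.
P = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x (mod P)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, shares=5, threshold=3):
    """Return `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret. Mirrors
    `vault operator init -key-shares=5 -key-threshold=3`."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # a0 is the secret; the remaining coefficients are random field elements.
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0. Given `threshold` distinct points this
    returns the secret; with fewer points the result is unrelated to it."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class Unsealer:
    """Toy model of Vault's stateful unseal: shares arrive one at a time,
    possibly from different operators on different machines. Submitting the
    same share twice does not advance progress; once `threshold` distinct
    shares are present the master key is reconstructed and the buffer is
    cleared, as Vault does after a successful unseal."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.shares = {}
        self.master_key = None

    def submit(self, share):
        x, y = share
        self.shares[x] = y
        if len(self.shares) >= self.threshold:
            self.master_key = recover_secret(list(self.shares.items()))
            self.shares.clear()
        return {"sealed": self.master_key is None,
                "progress": len(self.shares),
                "threshold": self.threshold}


if __name__ == "__main__":
    master_key = secrets.randbelow(P)          # constructed sample secret
    unseal_keys = split_secret(master_key, shares=5, threshold=3)
    u = Unsealer(threshold=3)
    for k in (unseal_keys[0], unseal_keys[0], unseal_keys[3]):
        print(u.submit(k))                     # still sealed, progress 1, then 2
    print(u.submit(unseal_keys[1]))            # unsealed
    print("recovered:", u.master_key == master_key)
    print("2 shares alone recover it:", recover_secret(unseal_keys[:2]) == master_key)
```

Because every share sits on the same polynomial, it does not matter which three are used or who holds them, which is why Vault recommends handing each unseal key to a different custodian rather than keeping all five in one file.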
Log in to the Vault Server
Authenticate by using root key:
vault login <Initial_Root_Token> or set VAULT_TOKEN=<Initial_Root_Token>
Enable KV
Most secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.
A v2 kv secrets engine can be enabled by:
vault secrets enable -version=2 kv or vault secrets enable kv-v2
An existing version 1 kv can be upgraded to a version 2 KV store with the CLI command: vault kv enable-versioning secret/
Note: All of the above steps are one-time setup only.
Commands to add or get secrets from Vault
kv put
The kv put command writes the data to the given path in the K/V secrets engine.
Command: vault kv put secret/data key=value
kv get
The kv get command retrieves the value from the K/V secrets engine at the given key name. If no key exists with that name, an error is returned. If a key exists with that name but has no data, nothing is returned.
Command: vault kv get secret/creds
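The kv put and kv get commands above hide a detail that matters once you call Vault from an integration rather than the CLI: on a version 2 engine the CLI path secret/creds is rewritten to the API path secret/data/creds, the payload is wrapped in a data object, and a read returns the secret under data.data alongside version metadata under data.metadata, whereas a version 1 engine uses the flat path and payload. The following is an added example, not code from this page or from HashiCorp: it builds those requests for both engine versions, unpacks a constructed version 2 read response (including the data: null shape a soft-deleted version returns), and flags a VAULT_ADDR that would send the token over plaintext HTTP to a non-local server. The sample response, hostnames and function names are assumptions; no Vault server is contacted.

```python
"""CLI-to-API path mapping for Vault K/V v1 and v2, plus a VAULT_ADDR check.
Added example; standard library only, runs offline."""
import json
from urllib.parse import urlparse


def _norm(mount, path):
    return mount.strip("/"), path.strip("/")


def kv_put_request(vault_addr, mount, path, data, version=2):
    """Return (method, url, body) equivalent to `vault kv put mount/path k=v`.
    v2 inserts /data/ after the mount and wraps the payload in {"data": ...};
    v1 writes the flat payload at mount/path."""
    mount, path = _norm(mount, path)
    if version == 2:
        url = f"{vault_addr}/v1/{mount}/data/{path}"
        body = {"data": dict(data)}
    elif version == 1:
        url = f"{vault_addr}/v1/{mount}/{path}"
        body = dict(data)
    else:
        raise ValueError("kv version must be 1 or 2")
    return "POST", url, json.dumps(body)


def kv_get_request(vault_addr, mount, path, version=2, secret_version=None):
    """Return (method, url) equivalent to `vault kv get mount/path`.
    Only v2 can address a specific historical version via ?version=N."""
    mount, path = _norm(mount, path)
    if version == 2:
        url = f"{vault_addr}/v1/{mount}/data/{path}"
        if secret_version is not None:
            url += f"?version={secret_version}"
    elif version == 1:
        url = f"{vault_addr}/v1/{mount}/{path}"
    else:
        raise ValueError("kv version must be 1 or 2")
    return "GET", url


def parse_kv_response(response_json, version=2):
    """Unpack a read response into (secret_data, metadata).
    v2 nests the secret under data.data and version info under data.metadata;
    a soft-deleted v2 version comes back with data.data set to null."""
    body = json.loads(response_json) if isinstance(response_json, str) else response_json
    payload = body["data"]
    if version == 2:
        meta = payload.get("metadata", {})
        secret = payload.get("data")
        if secret is None:
            raise ValueError(f"version {meta.get('version')} was deleted at "
                             f"{meta.get('deletion_time')}")
        return secret, meta
    return payload, {}


def vault_addr_warnings(vault_addr):
    """Flag a VAULT_ADDR that would carry the token and secrets unencrypted.
    Plain http is acceptable only for the local dev server (127.0.0.1:8200)."""
    u = urlparse(vault_addr)
    warnings = []
    if u.scheme not in ("http", "https"):
        warnings.append(f"unsupported scheme {u.scheme!r}; expected http or https")
    elif u.scheme == "http" and u.hostname not in ("127.0.0.1", "localhost", "::1"):
        warnings.append("plaintext http to a non-local Vault: token and secrets "
                        "are exposed in transit; use an https address")
    return warnings


# Constructed sample of a v2 read response (not captured from a real server).
SAMPLE_V2_READ = json.dumps({
    "request_id": "constructed-0001",
    "data": {
        "data": {"username": "deploy", "password": "constructed-example"},
        "metadata": {"created_time": "2024-01-01T00:00:00Z", "deletion_time": "",
                     "destroyed": False, "version": 2},
    },
})


if __name__ == "__main__":
    addr = "https://vault.example.com:8200"   # assumed address
    print(kv_put_request(addr, "secret", "creds", {"key": "value"}))
    print(kv_put_request(addr, "secret", "creds", {"key": "value"}, version=1))
    print(kv_get_request(addr, "secret", "creds", secret_version=1))
    print(parse_kv_response(SAMPLE_V2_READ))
    print(vault_addr_warnings("http://10.0.0.5:8200"))
```

When filling in the AutoRABIT credential form, the Secret Path is the CLI-style path (secret/creds), not the /data/ API path, and the Key Name is one of the keys inside the data object written by kv put.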
Adding HashiCorp Credential into AutoRABIT
Follow the below steps to integrate HashiCorp Vault with AutoRABIT:
Go to Admin > Credentials and click on Create Credential
On the next pop-up screen, give a Credential Name.
Choose the Credential Type as HashiCorp Vault
Choose the Credential Scope. The Credential Scope lets you specify exactly what type of access you need.
Global: Credential can be accessed within the team
Private: Credential to be used for private usage
Fill in the below details:
Vault Server URL: Enter the URL of the Vault server to configure with AutoRABIT. The Vault dev server defaults to running at http://127.0.0.1:8200. The server must be initialized and unsealed.
Authentication Method AWS: This checkbox will be selected by default. After you enter the remaining details, the Vault token will automatically be generated through the AWS login authentication method whenever the existing token expires.
If you deselect the Authentication Method AWS checkbox, then the below Vault Token mandatory field will be displayed.
Vault Token: Enter the Vault token that you generated earlier after unsealing with the unseal keys. For more information, refer to the Initialize Vault section above.
Key Name: Enter the key name under which the secret was written with the Vault CLI.
Secret Path: Enter the Secret Path.
Click Validate and Save. This validates the credentials and if all the fields are correctly added, the credentials get saved in AutoRABIT.
TLS Support for Hashicorp Vault Integration
The HashiCorp Vault integration uses TLS 1.2.