Saturday, 26 September 2020

HashiCorp Vault: Start a Vault Server

 Step 1: Define a configuration file ‘vault.conf’

 

vault.conf

storage "inmem" {
}

listener "tcp" {
  address = "0.0.0.0:9999"
  tls_disable = 1
}

disable_mlock = true

Step 2: Start a vault server by executing below command.

 

vault server -config vault.conf

$vault server -config vault.conf
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "0.0.0.0:9999", cluster address: "0.0.0.0:10000", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.2
             Version Sha: 18f1c494be8b06788c2fdda1a4296eb3c4b174ce+CHANGES

==> Vault server started! Log data will stream in below:

2020-06-01T18:03:39.121+0530 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-06-01T18:03:39.122+0530 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set


Step 3: Open other terminal and set VAULT_ADDR variable by executing below command.

export VAULT_ADDR=http://127.0.0.1:9999

 

Initialize and unseal vault

 

Initialize Vault

It is a process of initial key generation. Vault create two thing in initialization process.

 

a.   The master key and key splits

b.   A root token

 

Execute below command in terminal.

vault operator init -key-shares=5 -key-threshold=2

 

As per the above command, to unseal vault, minimum two shared keys should be provided.

$vault operator init -key-shares=5 -key-threshold=2
Unseal Key 1: SjtWQ+s+30GmiXfGqz/CWTmVs5or3yCVF8wcYMhJJj/E
Unseal Key 2: zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Unseal Key 3: dHEuNdy6jX6x+OrLMKNO50AilCdHgZCw1o5En9EzoYSx
Unseal Key 4: TuK5YEUmYjpxzHSLsUMPoqnErOCSUBd0ZcCKFtNYv1xm
Unseal Key 5: ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4

Initial Root Token: s.E3BRk50CvwMf7nWA0of9qsQB

Vault initialized with 5 key shares and a key threshold of 2. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 2 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 2 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

 

As you see the output, Vault is initialized with 5 key shared and key threshold of 2. When the Vault is re-sealed, restarted, or stopped, you must supply at least 2 of these keys to unseal it before it can start servicing requests.

 

Unsealing the Vault

In Unsealing process, we supply keys to Vault so Vault can decrypt the encrypted data and start serving clients.

 

Execute below command twice with different shared keys generated in initialization process.

 

vault operator unseal {Unseal key}. We need to execute unseal command with two different unseal keys.

$vault operator unseal ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          2
Unseal Progress    1/2
Unseal Nonce       04a05ef6-1d8c-971b-dbad-684ab3efdf78
Version            1.4.2
HA Enabled         false

$vault operator unseal zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       2
Version         1.4.2
Cluster Name    vault-cluster-5d1876f0
Cluster ID      86774adb-7768-ac51-d7e2-a7ec1cfde4c4
HA Enabled      false

 

Store secrets into vault

Once Vault unsealed, you can store the secrets into vault. Secrets written to vault are encrypted and stored to backed configured storage.

 

To perform any CRUD with Vault, we need to provide vault token that is generated as part of initialization process.

 

export VAULT_TOKEN=s.E3BRk50CvwMf7nWA0of9qsQB

 

Enable kv secret engine at path secret/kv.

$vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/

 

Now you can add secrets to the path secret/..

$vault kv put secret/my-app username=krishna123 password=password123
Success! Data written to: secret/my-app

 

Read the secrets

$vault kv get secret/my-app
====== Data ======
Key         Value
---         -----
password    password123
username    krishna123

 

Delete Secrets

$vault kv delete secret/my-app
Success! Data deleted (if it existed) at: secret/my-app
$
$vault kv get secret/my-app
No value found at secret/my-app

 

 

 

Previous                                                    Next                                                    Home

No comments:

Post a Comment