Saturday 26 September 2020

HashiCorp Vault: Start a Vault Server

Step 1: Define a configuration file 'vault.conf'

This is a throwaway lab configuration, and every line of it trades safety for convenience: the inmem storage backend keeps all data in process memory, so secrets and the unseal state are gone when the server stops; tls_disable = 1 makes the listener speak plain HTTP, so tokens and secrets cross the wire in cleartext; 0.0.0.0 binds every interface on the host although the rest of the post only talks to 127.0.0.1; and disable_mlock = true lets the kernel swap key material to disk. Do not reuse these settings outside a local test.

vault.conf

storage "inmem" {
}

listener "tcp" {
  address = "0.0.0.0:9999"
  tls_disable = 1
}

disable_mlock = true
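For contrast, here is the same server with the lab shortcuts removed. This is an added example, not a configuration from the original post; the storage path, the listener port and the certificate paths are assumptions to adjust for your host. With it, VAULT_ADDR in Step 3 becomes https://127.0.0.1:8200 and the CLI must trust the certificate (VAULT_CACERT).

```hcl
# Added example (not from the post): the lab config above with the shortcuts removed.
# Paths and the certificate are assumptions; point them at your own files.

storage "file" {
  path = "/opt/vault/data"            # persists across restarts (single node, non-HA)
}

listener "tcp" {
  address       = "127.0.0.1:8200"    # loopback only; widen deliberately, not by default
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}

# Silences the api_addr warning seen in the startup log and tells clients where the API is.
api_addr = "https://127.0.0.1:8200"

# Keep memory locking on (the default) so key material is never swapped to disk.
# Grant the capability instead of disabling the protection:
#   setcap cap_ipc_lock=+ep "$(readlink -f "$(command -v vault)")"
disable_mlock = false
```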

Step 2: Start the Vault server by executing the command below.

 

vault server -config vault.conf

$vault server -config vault.conf
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "0.0.0.0:9999", cluster address: "0.0.0.0:10000", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.2
             Version Sha: 18f1c494be8b06788c2fdda1a4296eb3c4b174ce+CHANGES

==> Vault server started! Log data will stream in below:

2020-06-01T18:03:39.121+0530 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-06-01T18:03:39.122+0530 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set


Step 3: Open another terminal and point the CLI at the server by setting the VAULT_ADDR variable:

export VAULT_ADDR=http://127.0.0.1:9999

 

Initialize and unseal vault

 

Initialize Vault

Initialization generates the initial key material. Vault creates two things in this process:

 

a.   The master key, split by Shamir's secret sharing into unseal key shares

b.   A root token

 

Execute the command below in the terminal.

vault operator init -key-shares=5 -key-threshold=2

 

As specified by the flags, Vault generates 5 key shares and requires any 2 of them to unseal.

$vault operator init -key-shares=5 -key-threshold=2
Unseal Key 1: SjtWQ+s+30GmiXfGqz/CWTmVs5or3yCVF8wcYMhJJj/E
Unseal Key 2: zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Unseal Key 3: dHEuNdy6jX6x+OrLMKNO50AilCdHgZCw1o5En9EzoYSx
Unseal Key 4: TuK5YEUmYjpxzHSLsUMPoqnErOCSUBd0ZcCKFtNYv1xm
Unseal Key 5: ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4

Initial Root Token: s.E3BRk50CvwMf7nWA0of9qsQB

Vault initialized with 5 key shares and a key threshold of 2. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 2 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 2 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

 

As the output shows, Vault is initialized with 5 key shares and a key threshold of 2. When Vault is re-sealed, restarted, or stopped, you must supply at least 2 of these keys to unseal it before it can service requests. Vault does not store the master key: if fewer than 2 shares survive, the stored data is unrecoverable, so hand the shares to separate custodians instead of keeping them together. The keys and token above come from a lab run; with real shares, run vault operator unseal with no argument so it prompts for the key instead of leaving it in shell history.

 

Unsealing the Vault

During unsealing we hand Vault enough key shares to reconstruct the master key, which decrypts the keyring that protects the stored data; only then does Vault start serving clients.

 

Execute the command below once per share, with two different unseal keys from the initialization output (the order does not matter, and each share would normally be held by a different person):

 

vault operator unseal {Unseal key}

$vault operator unseal ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          2
Unseal Progress    1/2
Unseal Nonce       04a05ef6-1d8c-971b-dbad-684ab3efdf78
Version            1.4.2
HA Enabled         false

$vault operator unseal zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       2
Version         1.4.2
Cluster Name    vault-cluster-5d1876f0
Cluster ID      86774adb-7768-ac51-d7e2-a7ec1cfde4c4
HA Enabled      false

 

Store secrets into Vault

Once Vault is unsealed you can store secrets in it. Secrets written to Vault are encrypted by its barrier before they reach the configured storage backend (here process memory, so they disappear with the server).

 

Every read or write needs a Vault token. Right now the only one is the initial root token printed during initialization. It is unrestricted, so use it only to bootstrap (enable secrets engines, write policies, create scoped tokens) and revoke it with vault token revoke once an auth method is in place. Exporting it as below also leaves it in the shell environment and history, so treat this as lab practice only.

 

export VAULT_TOKEN=s.E3BRk50CvwMf7nWA0of9qsQB

 

Enable the kv secrets engine at the path secret/. This mounts KV version 1, which keeps a single value per key without versioning; the vault kv commands work against it.

$vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/

 

Now you can write secrets under the path secret/.

$vault kv put secret/my-app username=krishna123 password=password123
Success! Data written to: secret/my-app

 

Read the secrets

$vault kv get secret/my-app
====== Data ======
Key         Value
---         -----
password    password123
username    krishna123

 

Delete Secrets

$vault kv delete secret/my-app
Success! Data deleted (if it existed) at: secret/my-app
$
$vault kv get secret/my-app
No value found at secret/my-app
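The two procedures above, unsealing with a quorum of shares and then writing, reading and deleting a KV secret, are exactly what the CLI does over Vault's HTTP API. The script below performs them with only the standard library. It is an added example, not code from the post or from HashiCorp: it reuses the init transcript printed above as sample input, its FakeVault class is a constructed offline stand-in that mirrors the response shapes (it counts distinct shares instead of doing Shamir reconstruction), and the http_send transport is what you would swap in against the real server at http://127.0.0.1:9999.

```python
"""Drive the post's steps over Vault's HTTP API: parse the `vault operator init`
transcript, unseal with a quorum of shares, then write/read/delete a KV v1 secret.
Added example, not code from the post or from HashiCorp."""
import json
import re
import urllib.error
import urllib.request

# Transcript copied from the post's `vault operator init` output (lab keys, already public).
INIT_OUTPUT = """\
Unseal Key 1: SjtWQ+s+30GmiXfGqz/CWTmVs5or3yCVF8wcYMhJJj/E
Unseal Key 2: zH2n8A4H+3MyG5hD0WQsAHyv4wSJyju2nl2cbx7L2DSw
Unseal Key 3: dHEuNdy6jX6x+OrLMKNO50AilCdHgZCw1o5En9EzoYSx
Unseal Key 4: TuK5YEUmYjpxzHSLsUMPoqnErOCSUBd0ZcCKFtNYv1xm
Unseal Key 5: ex2DgsSYZhtGQiVvmAYReYerdgejpBSG6J8GrjxKPcO4

Initial Root Token: s.E3BRk50CvwMf7nWA0of9qsQB
"""

def parse_init_output(text):
    """Return (shares, root_token) from the text `vault operator init` prints."""
    shares = re.findall(r"^Unseal Key \d+:\s+(\S+)", text, re.M)
    token = re.search(r"^Initial Root Token:\s+(\S+)", text, re.M)
    if not shares or token is None:
        raise ValueError("not a `vault operator init` transcript")
    return shares, token.group(1)

def unseal(send, shares, threshold):
    """PUT distinct shares to sys/unseal until the status reports sealed=false.
    Returns how many shares were sent. Duplicates are dropped first (a repeated
    share does not advance the quorum); too few distinct shares is refused early."""
    distinct = list(dict.fromkeys(shares))
    if len(distinct) < threshold:
        raise ValueError(f"need {threshold} distinct shares, have {len(distinct)}")
    status, sent = None, 0
    for share in distinct[:threshold]:
        status = send("PUT", "sys/unseal", {"key": share})
        sent += 1
        if not status["sealed"]:
            return sent
    raise RuntimeError(f"still sealed: progress {status['progress']}/{status['t']}")

# KV version 1 (what `vault secrets enable -path=secret/ kv` mounts): the request
# body is the secret itself; reading a missing path is an HTTP 404, surfaced as None.
def kv_put(send, path, data):
    send("POST", path, data)

def kv_get(send, path):
    resp = send("GET", path, None)
    return None if resp is None else resp["data"]

def kv_delete(send, path):
    send("DELETE", path, None)

def http_send(addr, token=None):
    """Real transport: send(method, path, body) -> parsed JSON, or None on 204/404."""
    def send(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("X-Vault-Token", token)
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
        return json.loads(raw) if raw else None
    return send

class FakeVault:
    """Constructed offline stand-in: mirrors the response shapes of sys/unseal and a
    KV v1 mount so the script runs without a server. Not Vault, no Shamir math."""
    def __init__(self, n, threshold):
        self.n, self.t, self.given, self.store = n, threshold, set(), {}

    def send(self, method, path, body):
        if path == "sys/unseal":
            self.given.add(body["key"])
            sealed = len(self.given) < self.t
            return {"sealed": sealed, "t": self.t, "n": self.n,
                    "progress": len(self.given) if sealed else 0}
        if method == "GET":
            return {"data": dict(self.store[path])} if path in self.store else None
        if method == "POST":
            self.store[path] = dict(body)
        elif method == "DELETE":
            self.store.pop(path, None)
        return None

if __name__ == "__main__":
    shares, root_token = parse_init_output(INIT_OUTPUT)
    # Against the post's server use: send = http_send("http://127.0.0.1:9999", root_token)
    send = FakeVault(n=len(shares), threshold=2).send
    print("shares sent:", unseal(send, [shares[4], shares[1]], 2))
    kv_put(send, "secret/my-app", {"username": "krishna123", "password": "password123"})
    print("read back:", kv_get(send, "secret/my-app"))
    kv_delete(send, "secret/my-app")
    print("after delete:", kv_get(send, "secret/my-app"))
```

The transport is injected so the same unseal and KV logic runs against the stand-in or a live server; with the real http_send, the unseal calls need no token while the KV calls carry the token in the X-Vault-Token header.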

 

 

 
