Installing HashiCorp Vault on CentOS 8

HashiCorp Vault is an open source tool for securely storing secrets and other sensitive data in dynamic cloud environments. It provides strong encryption of stored data and identity-based access control with configurable policies.

This post walks through installing HashiCorp Vault with the file storage backend (secrets are kept on the local disk).

Preparation

Add the hostname and IP address to the /etc/hosts file

$ sudo nano /etc/hosts
[…]
192.168.11.200    vault.googlesyndication.com

Update the OS and install the required packages

$ sudo dnf -y update
$ sudo dnf -y install unzip nano

Installing Vault

Go to the /tmp directory

$ cd /tmp

Download the latest Vault release (1.6.0 at the time of writing) and unpack it

$ curl -L https://releases.hashicorp.com/vault/1.6.0/vault_1.6.0_linux_amd64.zip -o /tmp/vault_1.6.0_linux_amd64.zip
$ unzip vault_1.6.0_linux_amd64.zip

Change the owner of the binary and move it into the PATH

$ sudo chown root:root vault
$ sudo mv vault /usr/local/bin/

Check the version

$ vault --version
Vault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)

Enable command autocompletion

$ vault -autocomplete-install
$ complete -C /usr/local/bin/vault vault

Vault setup

Create the system directories for Vault

$ sudo mkdir -p /etc/vault.d /var/lib/vault/data

/var/lib/vault/data is only needed for the file storage type. Connecting a PostgreSQL DBMS as the storage backend will be covered later.

Create the vault system user

$ sudo useradd --system --home /etc/vault.d --shell /bin/false vault
$ sudo chown -R vault:vault /etc/vault.d /var/lib/vault/
$ sudo chmod 755 /etc/vault.d /var/lib/vault

Create the systemd unit

$ sudo nano /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

Create the Vault configuration file

$ sudo nano /etc/vault.d/vault.hcl
disable_cache = true
disable_mlock = true
ui = true

listener "tcp" {
    tls_disable      = 1
#   address          = "0.0.0.0:8200"
    address          = "vault.googlesyndication.com:8200"
}

# TLS-enabled listener (commented out; the listener above runs without TLS)
# listener "tcp" {
#    tls_disable = 0
#    address     = "vault.googlesyndication.com:8200"
#    tls_cert_file = "/etc/ssl/cert/vault.googlesyndication.com.crt"
#    tls_key_file = "/etc/ssl/private/vault.googlesyndication.com.key"
# }

storage "file" {
   path  = "/var/lib/vault/data"
}

# api_addr         = "https://0.0.0.0:8200"
api_addr         = "https://vault.googlesyndication.com:8200"
max_lease_ttl         = "10h"
default_lease_ttl    = "10h"
cluster_name         = "vault"
raw_storage_endpoint     = true
disable_sealwrap     = true
disable_printable_check = true
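Several settings in the configuration above trade security for convenience: tls_disable = 1 serves the API over plain HTTP (while api_addr still says https://, so clients using it cannot connect), disable_mlock = true lets unsealed key material be swapped to disk, and raw_storage_endpoint = true exposes the sys/raw endpoint. The following script is an added example, not part of the original post or of Vault itself: a small line-based audit that flags those settings in a vault.hcl. The two embedded configurations are constructed samples; the weak one mirrors the post's live settings and the hardened one uses the TLS listener the post leaves commented out. The parser is deliberately minimal (key = value lines and block labels only), not a full HCL parser.

```python
import re
from typing import Dict, List

# Constructed sample configurations (illustration only, not the post's server).
# WEAK_CONFIG mirrors the live settings of the post's vault.hcl; HARDENED_CONFIG
# enables the TLS listener that the post leaves commented out.
WEAK_CONFIG = """\
disable_cache = true
disable_mlock = true
ui = true

listener "tcp" {
    tls_disable      = 1
#   address          = "0.0.0.0:8200"
    address          = "vault.googlesyndication.com:8200"
}

storage "file" {
   path  = "/var/lib/vault/data"
}

api_addr             = "https://vault.googlesyndication.com:8200"
raw_storage_endpoint = true
"""

HARDENED_CONFIG = """\
ui = true

listener "tcp" {
    tls_disable   = 0
    address       = "vault.googlesyndication.com:8200"
    tls_cert_file = "/etc/ssl/cert/vault.googlesyndication.com.crt"
    tls_key_file  = "/etc/ssl/private/vault.googlesyndication.com.key"
}

storage "file" {
   path = "/var/lib/vault/data"
}

api_addr = "https://vault.googlesyndication.com:8200"
"""

# key = value  or  key = "value". Comment lines (# or //) are skipped before
# matching, so the commented-out listener in the post is not treated as live.
_ASSIGN = re.compile(r'^([A-Za-z_]+)\s*=\s*"?([^"\s]*)"?$')
# block header such as  storage "file" {  -> recorded as storage="file"
_BLOCK = re.compile(r'^(\w+)\s+"([^"]+)"\s*\{')


def parse_settings(hcl: str) -> Dict[str, str]:
    """Flatten the config into {key: lowercased value}; not a full HCL parser."""
    settings: Dict[str, str] = {}
    for raw in hcl.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        m = _BLOCK.match(line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
            continue
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings


def _enabled(value: str) -> bool:
    return value in ("1", "true")


def audit(hcl: str) -> List[str]:
    """Return one finding per setting that weakens the server or will break it."""
    s = parse_settings(hcl)
    findings: List[str] = []
    tls_off = _enabled(s.get("tls_disable", "0"))
    if tls_off:
        findings.append("tls_disable is set: tokens and secrets cross the network in clear text")
    if tls_off and s.get("api_addr", "").startswith("https://"):
        findings.append("api_addr uses https:// but the listener has TLS disabled; "
                        "clients pointed at api_addr will fail to connect")
    if not tls_off and not (s.get("tls_cert_file") and s.get("tls_key_file")):
        findings.append("TLS is enabled but tls_cert_file/tls_key_file are missing; vault will not start")
    if _enabled(s.get("disable_mlock", "false")) and s.get("storage") == "file":
        findings.append("disable_mlock = true with file storage: unsealed key material may be swapped to disk")
    if _enabled(s.get("raw_storage_endpoint", "false")):
        findings.append("raw_storage_endpoint = true exposes sys/raw (direct read/write of the storage backend)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against /etc/vault.d/vault.hcl with `audit(open(path).read())`; the weak sample produces four findings and the hardened one none. If TLS is enabled, the cert and key paths must also be readable by the vault user, which the script does not check.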

SELinux configuration

Allow the actions that SELinux denied to Vault by building a local policy module from the audit log

$ cd /tmp
$ sudo grep vault /var/log/audit/audit.log | grep denied | audit2allow -m vaultlocalconf > vaultlocalconf.te
$ sudo grep vault /var/log/audit/audit.log | grep denied | audit2allow -M vaultlocalconf
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i vaultlocalconf.pp

$ sudo semodule -i vaultlocalconf.pp

Review the generated vaultlocalconf.te before installing the module: audit2allow permits everything that was denied in the log, not only what Vault actually needs.

Enable the service at boot and start it

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now vault

Check the status

$ systemctl status vault

Firewall configuration

Open port 8200/tcp

$ sudo firewall-cmd --zone=public --add-port=8200/tcp --permanent
$ sudo firewall-cmd --reload

Vault server initialization

Set environment variables so that you do not have to pass -address=http://vault.googlesyndication.com:8200 to every command

$ export PATH=$PATH:/usr/local/bin
$ echo "export PATH=$PATH:/usr/local/bin" >> ~/.bashrc
$ export VAULT_ADDR=https://vault.googlesyndication.com:8200
$ echo "export VAULT_ADDR=https://vault.googlesyndication.com:8200" >> ~/.bashrc

Initialize the server, saving the unseal keys and root token to /etc/vault.d/init.file (this is not safe)

$ vault operator init -n 5 -t 3 | sudo tee /etc/vault.d/init.file
Unseal Key 1: +DTPnUxqmspBKng0wVHeHc59pXnZJGKxMsSuX+CrQ91E
Unseal Key 2: h8ogFxApCpwRqfK4Fz0frtFM64t2ldFAZLJhvapJBqnl
Unseal Key 3: MTbJX9HVN0A1dOd7hH+L1wcEus9M2C0gK9nrqsoXCtYz
Unseal Key 4: H4B2mlx+1uRg70uySY/KGQ86hsjlrCiSVD4gyoO6tj5V
Unseal Key 5: 3QKfJ/c4v65eEej5K9OvQseo3sETRhN2DZVRXkg5d8Wh
Initial Root Token: s.2xxinhG13tTgpHrxb8EyAgL5
[…]

Here -n (-key-shares) is the number of shares the generated master key is split into, i.e. the number of unseal keys that are printed, and -t (-key-threshold) is the number of shares required to reconstruct the master key; it must be less than or equal to -key-shares.
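The -n 5 -t 3 split is Shamir's secret sharing: the master key becomes the constant term of a random polynomial of degree t-1, each unseal key is one point on that polynomial, and any t points determine it while t-1 points leave the constant term completely undetermined. The script below is an added example, not code from the post or from Vault; it implements that split and recovery over a prime field for a single integer secret, whereas Vault itself splits the key byte by byte over GF(2^8) and base64-encodes the resulting shares. The sample secret is constructed inline.

```python
import secrets
from typing import Callable, List, Tuple

# Arithmetic is done in the prime field GF(PRIME) (2^127 - 1 is a Mersenne
# prime). Vault's real implementation works over GF(2^8) per byte; the
# threshold property demonstrated here is the same.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x))


def split(secret: int, shares: int, threshold: int,
          rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into `shares` pieces, any `threshold` of which recover it
    (the same parameters as `vault operator init -n <shares> -t <threshold>`).
    A random polynomial of degree threshold-1 is chosen with the secret as its
    constant term; share i is the point (i, f(i))."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    points: List[Share] = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial through the given points and
    evaluate it at x = 0, which is the constant term (the secret).
    With fewer than `threshold` points a different polynomial is
    interpolated, so the result is simply wrong; no error is raised."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share submitted")  # same unseal key entered twice
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^-1 via Fermat's little theorem, since PRIME is prime
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    master = int.from_bytes(secrets.token_bytes(15), "big")  # constructed sample secret
    keys = split(master, shares=5, threshold=3)
    print("3 of 5 recover:", recover(keys[:3]) == master)                  # True
    print("another 3 of 5 recover:", recover([keys[0], keys[2], keys[4]]) == master)  # True
    print("2 of 5 recover:", recover(keys[:2]) == master)                  # False
```

The last line is the reason Vault reports Unseal Progress 0/3 after each key and accepts nothing until the threshold is reached: below the threshold there is no partial information about the master key, only a wrong candidate. Entering the same key twice does not advance the count, which the duplicate check in recover() mirrors.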

Check the status

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true <--- the vault is sealed and must be unsealed (enter 3 different unseal keys)
Total Shares       5 <--- total number of keys
Threshold          3 <--- keys required to unseal
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.6.0
Storage Type       file <--- file storage type
HA Enabled         false

Unseal the vault, otherwise it will not be possible to log in

$ vault operator unseal
Unseal Key (will be hidden):
$ vault operator unseal
Unseal Key (will be hidden):
$ vault operator unseal
Unseal Key (will be hidden):

Check the status again

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false <--- unsealed
Total Shares    5
Threshold       3
Version         1.6.0
Storage Type    file
Cluster Name    vault
Cluster ID      d5ec1a04-2988-d1fa-eb16-2bbf6f47d3f2
HA Enabled      false

Log in

$ vault login
Token (will be hidden): s.2xxinhG13tTgpHrxb8EyAgL5

You can also unseal the vault and log in through the web interface

https://vault.googlesyndication.com:8200

If you need to delete the storage (file backend) and start from scratch

$ sudo systemctl stop vault
$ sudo rm -rf /var/lib/vault/data/*
$ sudo systemctl start vault
