HashiСorp Vault Is an open source tool designed to securely store secrets and sensitive data in dynamic cloud environments. It provides strong data encryption, identity-based access with customizable policies
Let’s consider the option of installing the HashiCorp Vault software with a file-based storage type (secrets).
Training
Add hostname and ip to / etc / hosts file
$ sudo nano /etc/hosts
[…]
192.168.11.200 vault.googlesyndication.com
We update the OS, install the necessary software
$ sudo dnf -y update
$ sudo dnf -y install unzip nano
Installing Vault
Go to the / tmp directory
$ cd /tmp
Download the final version of vault, unpack it
$ curl -L https://releases.hashicorp.com/vault/1.6.0/vault_1.6.0_linux_amd64.zip -o /tmp/vault_1.6.0_linux_amd64.zip
$ unzip vault_1.6.0_linux_amd64.zip
Change owner and transfer file
$ sudo chown root:root vault
$ sudo mv vault /usr/local/bin/
Checking the version
$ vault --version
Vault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)
Turn on autocomplete commands
$ vault -autocomplete-install
$ complete -C /usr/local/bin/vault vault
Vault setup
Create system catalogs for Vault
$ sudo mkdir -p /etc/vault.d /var/lib/vault/data
/ var / lib / vault / data – if the storage type is file. Later, we will consider connecting the storage type to PostgreSQL DBMS
Create vault system user
$ sudo useradd --system --home /etc/vault.d --shell /bin/false vault
$ sudo chown -R vault:vault /etc/vault.d /var/lib/vault/
$ sudo chmod 755 /etc/vault.d /var/lib/vault
Create Systemd Unit
$ sudo nano /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
Create a config file for Vault
$ sudo nano /etc/vault.d/vault.hcl
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
tls_disable = 1
# address = "0.0.0.0:8200"
address = "vault.googlesyndication.com:8200"
}
# отключаем ssl
# listener "tcp" {
# tls_disable = 0
# address = "vault.googlesyndication.com:8200"
# tls_cert_file = "/etc/ssl/cert/
vault.googlesyndication.com
.crt"
# tls_key_file = "/etc/ssl/private/
vault.googlesyndication.com
.key"
# }
storage "file" {
path = "/var/lib/vault/data"
}
# api_addr = "https://0.0.0.0:8200"
api_addr = "https://vault.googlesyndication.com:8200"
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "vault"
raw_storage_endpoint = true
disable_sealwrap = true
disable_printable_check = true
SeLinux configuration
Add Vault Port to Exceptions
$ cd /tmp
$ sudo grep vault /var/log/audit/audit.log | grep denied | audit2allow -m vaultlocalconf > vaultlocalconf.te
$ sudo grep vault /var/log/audit/audit.log | grep denied | audit2allow -M vaultlocalconf
******************** IMPORTANT ***********************
To make this policy package active,
execute: semodule -i vaultlocalconf.pp
$ sudo semodule -i vaultlocalconf.pp
Add the service to startup and start it
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now vault
Checking the status
$ systemctl status vault
Firewall configuration
Open port 8200 / tcp
$ sudo firewall-cmd --zone=public --add-port=8200/tcp --permanent
$ sudo firewall-cmd --reload
Vault Server Initialization
Add variables so that in the future you don’t need to enter it every time in -address = http: //vault.googlesyndication.com: 8200
$ export PATH=$PATH:/usr/local/bin
$ echo "export PATH=$PATH:/usr/local/bin" >> ~/.bashrc
$ export VAULT_ADDR=https://vault.googlesyndication.com:8200
$ echo "export VAULT_ADDR=https://vault.googlesyndication.com:8200" >> ~/.bashrc
We initialize the service with saving the keys to the /etc/vault.d/init.file file (not safe)
$ vault operator init -n 5 -t 3 | sudo tee /etc/vault.d/init.file
Unseal Key 1: +DTPnUxqmspBKng0wVHeHc59pXnZJGKxMsSuX+CrQ91E
Unseal Key 2: h8ogFxApCpwRqfK4Fz0frtFM64t2ldFAZLJhvapJBqnl
Unseal Key 3: MTbJX9HVN0A1dOd7hH+L1wcEus9M2C0gK9nrqsoXCtYz
Unseal Key 4: H4B2mlx+1uRg70uySY/KGQ86hsjlrCiSVD4gyoO6tj5V
Unseal Key 5: 3QKfJ/c4v65eEej5K9OvQseo3sETRhN2DZVRXkg5d8Wh
Initial Root Token: s.2xxinhG13tTgpHrxb8EyAgL5
[…]
where -n (-key-share) – The number of shared keys to split the generated master key into. This is the number of “printout keys” to be generated. -T (-key-threshold) – The number of shared keys needed to recover the master key. It must be less than or equal to -key-share
Checking the status
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true <--- vault запечатан, надо расечатывать (вводить 3 разных Unseal Key)
Total Shares 5 <--- всего ключей
Threshold 3 <--- ключей, для распечатывания
Unseal Progress 0/3
Unseal Nonce n/a
Version 1.6.0
Storage Type file <--- тип хранилища файловое
HA Enabled false
We print the storage, otherwise it will not work to log in
$ vault operator unseal
Unseal Key (will be hidden):
$ vault operator unseal
Unseal Key (will be hidden):
$ vault operator unseal
Unseal Key (will be hidden):
We look at the status
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false <--- Распечатано
Total Shares 5
Threshold 3
Version 1.6.0
Storage Type file
Cluster Name vault
Cluster ID d5ec1a04-2988-d1fa-eb16-2bbf6f47d3f2
HA Enabled false
Log in
$ vault login
Token (will be hidden): s.2xxinhG13tTgpHrxb8EyAgL5
You can also print the storage and log in through the web interface
https://vault.googlesyndication.com:8200
If you need to delete the base (file)
$ sudo systemctl stop vault
$ sudo rm -rf /var/lib/vault/data/*
$ sudo systemctl start vault
