Installing HashiCorp Vault on Centos 8

HashiСorp Vault Is an open source tool designed to securely store secrets and sensitive data in dynamic cloud environments. It provides strong data encryption, identity-based access with customizable policies

Let’s consider the option of installing the HashiCorp Vault software with a file-based storage type (secrets).

Training

Add hostname and ip to / etc / hosts file

$ sudo nano /etc/hosts
[…]
192.168.11.200    vault.example.com

We update the OS, install the necessary software

$ sudo dnf -y update
$ sudo dnf -y install unzip nano

Installing Vault

Go to the / tmp directory

$ cd /tmp

Download the final version of vault, unpack it

$ curl -L https://releases.hashicorp.com/vault/1.6.0/vault_1.6.0_linux_amd64.zip -o /tmp/vault_1.6.0_linux_amd64.zip
$ unzip vault_1.6.0_linux_amd64.zip

Change owner and transfer file

$ sudo chown root:root vault
$ sudo mv vault /usr/local/bin/

Checking the version

$ vault --version
Vault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)

Turn on autocomplete commands

$ vault -autocomplete-install
$ complete -C /usr/local/bin/vault vault

Vault setup

Create system catalogs for Vault

$ sudo mkdir -p /etc/vault.d /var/lib/vault/data

/ var / lib / vault / data – if the storage type is file. Later, we will consider connecting the storage type to PostgreSQL DBMS

Create vault system user

$ sudo useradd --system --home /etc/vault.d --shell /bin/false vault
$ sudo chown -R vault:vault /etc/vault.d /var/lib/vault/
$ sudo chmod 755 /etc/vault.d /var/lib/vault

Create Systemd Unit

$ sudo nano /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

Create a config file for Vault

$ sudo nano /etc/vault.d/vault.hcl
disable_cache = true
disable_mlock = true
ui = true

listener "tcp" {
    tls_disable      = 1
#   address          = "0.0.0.0:8200"
    address          = "vault.example.com:8200"
}

# отключаем ssl
# listener "tcp" {
#    tls_disable = 0
#    address     = "vault.example.com:8200"
#    tls_cert_file = "/etc/ssl/cert/vault.example.com.crt"
#    tls_key_file = "/etc/ssl/private/vault.example.com.key"
# }

storage "file" {
   path  = "/var/lib/vault/data"
}

# api_addr         = "http://0.0.0.0:8200"
api_addr         = "http://vault.example.com:8200"
max_lease_ttl         = "10h"
default_lease_ttl    = "10h"
cluster_name         = "vault"
raw_storage_endpoint     = true
disable_sealwrap     = true
disable_printable_check = true

SeLinux configuration

Add Vault Port to Exceptions

$ cd /tmp
$ sudo grep vault /var/log/audit/audit.log | grep denied | audit2allow -m vaultlocalconf > vaultlocalconf.te
$ sudo grep vault /var/log/audit/audit.log | grep denied | audit2allow -M vaultlocalconf

    ******************** IMPORTANT ***********************
    To make this policy package active,

    execute: semodule -i vaultlocalconf.pp

$ sudo semodule -i vaultlocalconf.pp

Add the service to startup and start it

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now vault

Checking the status

$ systemctl status vault

Firewall configuration

Open port 8200 / tcp

$ sudo firewall-cmd --zone=public --add-port=8200/tcp --permanent
$ sudo firewall-cmd --reload

Vault Server Initialization

Add variables so that in the future you don’t need to enter it every time in -address = http: //vault.example.com: 8200

$ export PATH=$PATH:/usr/local/bin
$ echo "export PATH=$PATH:/usr/local/bin" >> ~/.bashrc
$ export VAULT_ADDR=http://vault.example.com:8200
$ echo "export VAULT_ADDR=http://vault.example.com:8200" >> ~/.bashrc

We initialize the service with saving the keys to the /etc/vault.d/init.file file (not safe)

$ vault operator init -n 5 -t 3 | sudo tee /etc/vault.d/init.file
Unseal Key 1: +DTPnUxqmspBKng0wVHeHc59pXnZJGKxMsSuX+CrQ91E
Unseal Key 2: h8ogFxApCpwRqfK4Fz0frtFM64t2ldFAZLJhvapJBqnl
Unseal Key 3: MTbJX9HVN0A1dOd7hH+L1wcEus9M2C0gK9nrqsoXCtYz
Unseal Key 4: H4B2mlx+1uRg70uySY/KGQ86hsjlrCiSVD4gyoO6tj5V
Unseal Key 5: 3QKfJ/c4v65eEej5K9OvQseo3sETRhN2DZVRXkg5d8Wh
Initial Root Token: s.2xxinhG13tTgpHrxb8EyAgL5
 […]

where -n (-key-share) – The number of shared keys to split the generated master key into. This is the number of “printout keys” to be generated. -T (-key-threshold) – The number of shared keys needed to recover the master key. It must be less than or equal to -key-share

Checking the status

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true <--- vault запечатан, надо расечатывать (вводить 3 разных Unseal Key)
Total Shares       5 <--- всего ключей
Threshold          3 <--- ключей, для распечатывания
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.6.0
Storage Type       file <--- тип хранилища файловое
HA Enabled         false

We print the storage, otherwise it will not work to log in

$ vault operator unseal
Unseal Key (will be hidden):
$ vault operator unseal
Unseal Key (will be hidden):
$ vault operator unseal
Unseal Key (will be hidden):

We look at the status

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false <--- Распечатано
Total Shares    5
Threshold       3
Version         1.6.0
Storage Type    file
Cluster Name    vault
Cluster ID      d5ec1a04-2988-d1fa-eb16-2bbf6f47d3f2
HA Enabled      false

Log in

$ vault login
Token (will be hidden): s.2xxinhG13tTgpHrxb8EyAgL5

You can also print the storage and log in through the web interface

http://vault.example.com:8200

If you need to delete the base (file)

$ sudo systemctl stop vault
$ sudo rm -rf  /var/lib/vault/data/*
$ sudo systemctl start vault

Sidebar