HashiCorp Vault. PostgreSQL storage backend

Vault is HashiCorp's tool (a server with a command line client) for managing secrets: logins, passwords, keys, certificates. "Management" covers both storing secrets and issuing them to specific applications, with an audit log that records who received what and when. The Vault server keeps its own data in a storage backend; this article switches that backend from local files to PostgreSQL.

In previous articles we covered installing HashiCorp Vault and installing PostgreSQL 13 on CentOS 8.

PostgreSQL settings

Create the database and the role Vault will connect as. First switch to the postgres OS user

$ sudo su - postgres

Create a database role (a login user)

$ createuser vltusr

Switching to PostgreSQL shell

$ psql

Set a password for the role. The ENCRYPTED keyword is accepted only for compatibility: since PostgreSQL 10 passwords are always stored hashed, using the method in password_encryption (md5 by default in PostgreSQL 13, scram-sha-256 if you set it), and that method must match what pg_hba.conf requires for this role.

=# ALTER USER vltusr WITH ENCRYPTED password 'mypasswddd';
ALTER ROLE

Create the database and make vltusr its owner

=# CREATE DATABASE vaultdb WITH ENCODING='UTF8' OWNER=vltusr;
CREATE DATABASE

Connect to the vaultdb database. Note that the session is still running as the postgres superuser, so every object created below is owned by postgres, not by vltusr. Vault will connect as vltusr, which then has no privileges on the table at all, so either transfer ownership of the table to vltusr before starting Vault or create it while acting as that role (SET ROLE vltusr).

=# \c vaultdb
You are now connected to database "vaultdb" as user "postgres".

Create the table Vault stores its key/value data in. This is the schema from the Vault documentation for the postgresql backend; Vault does not create it itself.

=# CREATE TABLE vault_kv_store (
   parent_path TEXT COLLATE "C" NOT NULL,
   path        TEXT COLLATE "C",
   key         TEXT COLLATE "C",
   value       BYTEA,
   CONSTRAINT pkey PRIMARY KEY (path, key)
);

Create an index on parent_path, which Vault uses for list operations

=# CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

Leave psql and the postgres shell

=# \q
$ exit
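The PostgreSQL side of the procedure above, collected into one psql script, as an added example (not from the original article or from the Vault documentation). It assumes the article's names (vltusr, vaultdb, vault_kv_store), a placeholder password, and that it is run as the postgres superuser over the local socket with `sudo -u postgres psql -v ON_ERROR_STOP=1 -f vault_pg_setup.sql`. It differs from the interactive session in three points: the password hash is forced to SCRAM, the role and database are trimmed to least privilege, and the table is created under SET ROLE so that Vault's own role owns it.

```sql
-- Added example (not from the original article): the PostgreSQL setup as one
-- psql script.  Run as the postgres superuser over the local socket:
--   sudo -u postgres psql -v ON_ERROR_STOP=1 -f vault_pg_setup.sql
-- Assumptions: the article's names (vltusr, vaultdb, vault_kv_store); the
-- password below is a placeholder to replace.  \c is psql syntax, not SQL.

-- Store the new password as a SCRAM hash rather than the PostgreSQL 13
-- default (md5); pg_hba.conf must then use scram-sha-256 for this role.
SET password_encryption = 'scram-sha-256';

-- Login role with no privileges beyond connecting (the NO* flags are the
-- defaults, spelled out so a reviewer sees them).
CREATE ROLE vltusr WITH LOGIN PASSWORD 'mypasswddd'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- CREATE DATABASE cannot run inside a transaction block, which is why this
-- script is not wrapped in BEGIN/COMMIT.
CREATE DATABASE vaultdb WITH ENCODING = 'UTF8' OWNER = vltusr;

-- By default every role (PUBLIC) may connect to a new database; keep the
-- Vault database reachable by its own role only.
REVOKE ALL ON DATABASE vaultdb FROM PUBLIC;
GRANT CONNECT ON DATABASE vaultdb TO vltusr;

-- Reconnect to vaultdb (still as postgres), then act as vltusr so that the
-- table and index are owned by the Vault role.  A superuser may SET ROLE
-- without authenticating; "\c vaultdb vltusr" would instead need the role's
-- password and a matching pg_hba.conf line.
\c vaultdb
SET ROLE vltusr;

CREATE TABLE vault_kv_store (
    parent_path TEXT COLLATE "C" NOT NULL,
    path        TEXT COLLATE "C",
    key         TEXT COLLATE "C",
    value       BYTEA,
    CONSTRAINT pkey PRIMARY KEY (path, key)
);

-- Vault lists keys by parent_path; without this index LIST is a full scan.
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

RESET ROLE;

-- Checks: who owns the table, and whether the Vault role can insert and
-- delete rows in it.  Review both before starting Vault.
SELECT tableowner FROM pg_tables WHERE tablename = 'vault_kv_store';
SELECT has_table_privilege('vltusr', 'vault_kv_store', 'INSERT') AS can_insert,
       has_table_privilege('vltusr', 'vault_kv_store', 'DELETE') AS can_delete;
```

Because ON_ERROR_STOP is set, psql aborts at the first error, so an already existing role or database stops the script instead of leaving a half-configured one behind. The connection test that follows then exercises the same path Vault will use: TCP to localhost with password authentication.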

Testing the connection

Connect the way Vault will, over TCP to localhost as vltusr. If the password prompt appears but the password is rejected, check that pg_hba.conf has a host line for 127.0.0.1 with password authentication (scram-sha-256 or md5) that matches how the password was hashed.

$ sudo su - postgres
$ psql -U vltusr -h localhost -p 5432 vaultdb
Password for user vltusr:
=# \q
$ exit

Vault setup

Stop Vault

$ sudo systemctl stop vault

Edit the Vault config, replacing the file storage stanza with a postgresql one

$ sudo nano /etc/vault.d/vault.hcl
[…]
#storage "file" {
#  path  = "/var/lib/vault/data"
#}
storage "postgresql" {
  connection_url = "postgres://vltusr:mypasswddd@localhost:5432/vaultdb?sslmode=disable"
  table          = "vault_kv_store"
  max_parallel   = "128"
}
[…]

Two caveats. sslmode=disable is tolerable here only because the connection never leaves the loopback interface; if the database is on another host, use sslmode=verify-full with a sslrootcert, otherwise the password and every Vault write travel in clear text. And the file now holds the database password in plain text, so keep it readable only by the user the vault service runs as; if you prefer not to have the password on disk at all, the postgresql backend also reads the connection string from the VAULT_PG_CONNECTION_URL environment variable.

Put SELinux into permissive mode, otherwise the Vault service will not start

$ sudo setenforce 0
$ sudo nano /etc/selinux/config
[…]
SELINUX=permissive

Permissive mode switches off enforcement for the whole host, not just for Vault, so treat this as a workaround. The better fix is to find the denial in the audit log (ausearch -m AVC -ts recent), generate a targeted policy module for it with audit2allow, and leave SELinux enforcing.

Start Vault

$ sudo systemctl start vault

Check the status and, if the service did not come up, the journal (a wrong password or a table owned by the wrong role shows up here as a PostgreSQL error)

$ systemctl status vault
$ journalctl -u vault

From here on, everything is as in the article on installing HashiCorp Vault on CentOS 8:

  • Setting the environment variables
  • Initializing the service (vault operator init), which issues the unseal keys and the root token
  • Unsealing Vault (vault operator unseal)
  • Logging in (vault login)

PostgreSQL backup

Create a file with the connection parameters so that a PostgreSQL dump can be taken later without entering a password. Each field must match the pg_dump invocation exactly (host, port, database, user), otherwise libpq ignores the line.

$ sudo nano /root/.pgpass
# hostname:port:database:username:password
localhost:5432:vaultdb:vltusr:mypasswddd

Restrict the permissions; libpq refuses to use a .pgpass file that is readable by other users

$ sudo chmod 600 /root/.pgpass

Create a dump. -w makes pg_dump fail instead of prompting if .pgpass does not match, which is what you want from cron; -Fc produces the custom format, which is restored with pg_restore.

$ sudo pg_dump -d "vaultdb" -h localhost -Fc -U vltusr -w -f "/mnt/$(date +%Y%m%d_%H%M%S)_vaultdb.dump"

The rows in vault_kv_store are encrypted by Vault's barrier key, so the dump contains ciphertext, but it is still sensitive: the dump plus the unseal keys is the entire secret store. Restrict the dump file's permissions, keep it off the machine that holds the unseal keys, and test a restore into a scratch database before relying on it.