HashiCorp Vault Setup on Linux
Managing secrets (passwords, SSH keys, access keys and the like) and sharing them securely with teams or end users has become very difficult in today's complex infrastructure environments. This is where Vault makes your life easier by managing all of this sensitive information in a single microservice. In this article we are going to do a basic Vault setup on a Linux machine; its use will be covered in subsequent articles.
Setup
- Download the Vault binary package and unzip it inside a directory on your Linux machine. Here we are going to use an Ubuntu 14.1 instance for the setup.
wget https://releases.hashicorp.com/vault/0.9.5/vault_0.9.5_linux_amd64.zip
unzip vault_0.9.5_linux_amd64.zip
We only need the vault binary extracted by unzipping, so remove the zip file:
rm -rf vault_0.9.5_linux_amd64.zip
- Download Consul (another open source tool from HashiCorp), which will be used as the storage backend for Vault.
wget https://releases.hashicorp.com/consul/1.0.6/consul_1.0.6_linux_amd64.zip
unzip consul_1.0.6_linux_amd64.zip
We only need the consul binary extracted by unzipping, so remove the zip file:
rm -rf consul_1.0.6_linux_amd64.zip
- Start the Consul agent by running the command below. Leave this terminal open and open a new terminal for the rest of the setup. Note that -dev runs a single in-memory agent, so everything Vault stores in it is lost when the agent stops; this is fine for a test setup but not for anything you need to keep.
./consul agent -dev
- Create a config.hcl file with the following configuration and save it.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
This configuration tells Vault to use Consul as its storage backend and to listen on port 8200. Note that tls_disable = 1 turns TLS off on the listener, so tokens and secrets travel in clear text; that is acceptable only for a local test setup on 127.0.0.1, and a real deployment should configure a TLS certificate on the listener instead. For more details on the configuration options, please see the Vault configuration documentation.
- Set the VAULT_ADDR environment variable, which the Vault CLI uses for every command executed in the terminal (set this variable in every new terminal window you open to execute Vault commands):
export VAULT_ADDR='http://127.0.0.1:8200'
- Start the Vault server using the config.hcl file created above:
./vault server -config=config.hcl
Leave this terminal window open and start a new one to execute further commands. Remember to set VAULT_ADDR in the new session as well.
- Now initialize Vault by running the init command. When Vault is initialized it returns 5 unseal keys and 1 root token. Copy the unseal keys and the root token to a secure file, because they cannot be retrieved later.
./vault operator init
Vault always starts in a sealed state, so we need to unseal it before we can log in and use it. To understand the sealed/unsealed concept, please see the Vault documentation on seal/unseal.
- Vault can be unsealed using any 3 distinct keys out of the 5 generated during initialization. Execute the unseal command 3 times, entering a different unseal key each time. After the third key, Vault reports the Sealed value as 'false', which means Vault is now unsealed and ready for login.
./vault operator unseal
- Log in to Vault using the root token generated at initialization time.
./vault login <root token>
The root token has admin privileges on Vault and never expires. It can be used to create new tokens with a subset of privileges, based on requirements. Because it never expires, keep it out of shell history and shared files, and once less-privileged tokens are in place Vault's documentation recommends revoking the initial root token.
Check the Vault status:
./vault status
This confirms that Vault has been set up successfully and is ready for use. You can now enable different secrets engines on Vault and use them to manage keys and sensitive data.
That is all for the scope of this article. We will show the use of different secrets engines in subsequent articles.
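Added example, not code from the original article: a small Python client that does what the unseal step above does by hand, using the HTTP API that `vault operator unseal` wraps. It assumes VAULT_ADDR as set earlier and a saved copy of the `vault operator init` output; the key and token values embedded below are constructed placeholders.

```python
# Added example, not from the original article: unseal Vault through the HTTP
# API that `vault operator unseal` wraps. Assumes VAULT_ADDR as set above.
import json
import os
import re
import urllib.request

# Constructed sample in the shape `vault operator init` prints (placeholder values).
SAMPLE_INIT_OUTPUT = """Unseal Key 1: key-one-placeholder
Unseal Key 2: key-two-placeholder
Unseal Key 3: key-three-placeholder
Unseal Key 4: key-four-placeholder
Unseal Key 5: key-five-placeholder
Initial Root Token: root-token-placeholder
"""
KEY_RE = re.compile(r"^Unseal Key \d+: (\S+)$", re.MULTILINE)
TOKEN_RE = re.compile(r"^Initial Root Token: (\S+)$", re.MULTILINE)

def parse_init_output(text):
    """Return (unseal_keys, root_token) from the text `vault operator init` prints."""
    keys = KEY_RE.findall(text)
    token = TOKEN_RE.search(text)
    if not keys or token is None:
        raise ValueError("not 'vault operator init' output")
    return keys, token.group(1)

def keys_still_needed(status):
    """Distinct keys still required according to a /v1/sys/seal-status document."""
    if not status.get("sealed", True):
        return 0
    return status["t"] - status.get("progress", 0)

def _api(addr, path, body=None, method="GET"):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(addr + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def unseal(keys, addr=None):
    """Submit distinct keys one at a time; stop once Vault reports sealed=false."""
    addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    status = _api(addr, "/v1/sys/seal-status")
    for key in dict.fromkeys(keys):  # de-duplicate: a repeated key adds no progress
        if keys_still_needed(status) == 0:
            break
        status = _api(addr, "/v1/sys/unseal", {"key": key}, method="PUT")
    if status.get("sealed", True):
        raise RuntimeError("Vault is still sealed; supply more distinct keys")
    return status
```

Against a running server, `unseal(parse_init_output(open("vault-init.txt").read())[0][:3])` submits three keys and returns the final seal-status document; in a real deployment the keys would be held by different people rather than read from one file.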
Please let us know if you run into any issues by posting in the comments or via the contact us section.
Thanks for checking this out!