Overview
Secrets management is a crucial component of any environment, including web applications and server configuration management. In this tutorial, you will learn how to install HashiCorp Vault on Ubuntu and use it to store your sensitive information.
HashiCorp Vault is used for securely storing tokens, passwords, certificates, and encryption keys. It tightly controls access to secrets and encryption keys by authenticating against trusted sources of identity, including Active Directory, LDAP, Kubernetes, CloudFoundry, and cloud platforms.
Access to secrets and encrypted data is powered by a Vault API.
Installing Hashicorp Vault
To install HashiCorp Vault you download a binary from the Vault website. The download is a single binary, which functions as both a client and a server.
Installing Vault as a client is as simple as placing it in the /usr/bin directory. However, the server installation isn’t nearly as intuitive.
Prepare for the server installation by creating a directory structure to hold the binary, logs, and vault data.
sudo mkdir -p /opt/vault/{logs,bin,data}
Next, download the binary from the official HashiCorp Vault website. At the time of this writing, version 1.1.3 was the latest release. More releases can be found on the download page.
sudo wget https://releases.hashicorp.com/vault/1.1.3/vault_1.1.3_linux_amd64.zip
Unzip the Vault binary file and place it in the installation directory.
sudo unzip vault_1.1.3_linux_amd64.zip -d /opt/vault/bin
Configuring Hashicorp Vault
To run Vault as a service it needs a configuration. Create a directory for Vault under /etc, where we will store the Vault configuration file.
sudo mkdir /etc/vault
Vault’s configuration is written in JSON. Create a new JSON file named config.json under the newly created /etc/vault directory.
sudo touch /etc/vault/config.json
Add the following configuration to it.
{
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  }],
  "api_addr": "http://10.128.0.2:8200",
  "storage": {
    "file": {
      "path": "/opt/vault/data"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
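The listener above sets tls_disable to 1 while binding every interface, so root tokens and secrets travel in clear text to anyone on the network path. As an added example that is not part of the original tutorial, here is the same configuration with TLS switched on; the certificate and key paths under /etc/vault/tls are assumed placeholders for files you provision yourself.

```json
{
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/etc/vault/tls/vault.crt",
      "tls_key_file": "/etc/vault/tls/vault.key",
      "tls_min_version": "tls12"
    }
  }],
  "api_addr": "https://10.128.0.2:8200",
  "storage": {
    "file": {
      "path": "/opt/vault/data"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
```

With TLS enabled, api_addr and the client's VAULT_ADDR must use https://, and the vault service user needs read access to the key file.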
Create a Service User for Vault
You should always run a Vault server as an unprivileged user. The user should also not be your day-to-day user account. Create a new user account for Vault and grant it ownership of the installation directory.
To create the service user, run the following command. The -r flag creates a system account: it gets no home directory and no password, so it cannot be used for interactive logins such as SSH.
sudo useradd -r vault
Now grant the user account ownership of the installation directory created earlier.
sudo chown -R vault:vault /opt/vault
Running Vault as a Service
Create a new systemd service file for HashiCorp Vault.
sudo touch /etc/systemd/system/vault.service
Add the following contents to it.
[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.json

[Service]
User=vault
Group=vault
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/opt/vault/bin/vault server -config=/etc/vault/config.json
# the file: output specifier requires systemd 236 or newer
StandardOutput=file:/opt/vault/logs/output.log
StandardError=file:/opt/vault/logs/error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
To configure Vault to start automatically at boot, enable the service using the systemctl enable command.
sudo systemctl enable vault.service
Start Vault as a service using the systemctl start command.
sudo systemctl start vault.service
Preparing to Administer Vault
Add the Vault bin directory to your PATH environment variable.
export PATH=$PATH:/opt/vault/bin
echo 'export PATH=$PATH:/opt/vault/bin' >> ~/.bashrc
Set the VAULT_ADDR environment variable so the client knows which server to talk to.
export VAULT_ADDR=http://10.128.0.2:8200
echo 'export VAULT_ADDR=http://10.128.0.2:8200' >> ~/.bashrc
Initialize and Unseal your Vault
Initialize your Vault
vault operator init
The output will look like the following. Store this information in a secure location, as it will be required to unseal the vault and to administer the server.
Unseal Key 1: aUEvSKm/O9CQhQspwNFcHYuabF1uD1m7FpMmo7f5AVau
Unseal Key 2: EjLBTmuaeZgEl8kGWJIuJhhWYNVCLEEqKEA7I6i4FjpF
Unseal Key 3: tVSkHbcUqhLzOlKbwWWJkoLDPemZNoDWXrXbPIU3Zfad
Unseal Key 4: IT8+r4aZ2gq/7YujNGDbP2Of3UQ5Kw5jKbWrr4m1atYx
Unseal Key 5: e75ORgXvs8GMu1PxMgpu2hvqxj7St7LllI8eTjfEo8bX

Initial Root Token: s.5iSwFPh0XQa96MSrBHquCFlH

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
To unseal the vault, choose any three of the unseal keys and run the vault operator unseal command once for each of them.
vault operator unseal aUEvSKm/O9CQhQspwNFcHYuabF1uD1m7FpMmo7f5AVau
vault operator unseal EjLBTmuaeZgEl8kGWJIuJhhWYNVCLEEqKEA7I6i4FjpF
vault operator unseal tVSkHbcUqhLzOlKbwWWJkoLDPemZNoDWXrXbPIU3Zfad
This operation has to be repeated every time the server is stopped or the system is rebooted.
Enabling Secrets
A new installation of Vault has no secrets engine and no application authentication method enabled. You will have to enable both in order to use them.
To let applications authenticate through the API, enable an auth method with the vault auth enable command. The following example enables the AppRole method.
vault auth enable approle
To store secrets, you must enable a secrets engine. The following command enables version 2 of the key/value (kv) secrets engine and mounts it at the path secret.
vault secrets enable -version=2 -path=secret kv