Links: HSM
Vault by HasiCorp
Vault Links
- Try to integrate Vault with openssl engine,
Download
2022
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" sudo apt-get install vault
Login
export VAULT_ADDR=https://<url>:8200
vault login -method=ldap username=<>
- vault list auth/ldap/users
Vault Hardening
Ensure vault can lock memory mlock
$ sudo setcap CAP_IPC_LOCK= <bin>/9s/vault
Config
storage "file" { path = "/home/xxx/vault-data" address = "127.0.0.1:8500" path = "vault" } #storage "etcd" { # address = "http://localhost:2379" # etcd_api = "v3" # } listener "tcp" { address = "127.0.0.1:8200" #tls_disable = 1 ##Cert + intermediate in concat tls_cert_file = "/home/xxx/ssl/concat_dev.pem" tls_key_file = "/home/xx/ssl/dev.key" } #telemetry { # statsite_address = "127.0.0.1:8125" # disable_hostname = true # }Got error with client no initialized
$ vault status Error checking seal status: Error making API request. URL: GET https://localdomain.com:8200/v1/sys/seal-status Code: 400. Errors: * server is not yet initialized
initialize with client
$ vault operator init Unseal Key 1: eTa0LIlJ1fw3WIFzF4TLLrQQh5zZIQDVML5hvLh8b/0n Unseal Key 2: cQPwYWRJx9U6CsydgP2z7lVEkOgvSy6dYBsdSF2Cmvld Unseal Key 3: zYo0SyAwce+pgtiC4gXUR8mBwOxxAFgtKrpSMMdxSyZT Unseal Key 4: o/u+3FjpDRUV+Bz2bbJX43lo67idFy9Ly2q+aG5r659x Unseal Key 5: NzHAl/80p7C0WkvuAOl2G591LOqBvOxV4+Q8Kg2/0njS Initial Root Token: 41f05975-248a-784d-cb10-96ca0d7c36a7 e.g. #vault init -key-shares=3 -key-threshold=2
now unseal doing the following 3 times with 3 of the keys
vault unseal
Setup systemd https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04
save first value in default kv /secret
$ export rt=41f05975-248a-784d-cb10-96ca0d7c36a7 $ VAULT_TOKEN=$rt vault write secret/mykey1 value=mysecret1 Success! Data written to: secret/mykey1
Generate a root otp
$ vault operator generate-root -generate-otp kmXqMZ/A9BqSEf8pe/PtLQ==
enable transit encryption etc
$ VAULT_TOKEN=$rt vault secrets enable transit Success! Enabled the transit secrets engine at: transit/ $ VAULT_TOKEN=$rt vault write transit/keys/my-key3 type=ecdsa-p256 Success! Data written to: transit/keys/my-key3
enable the pki / ca engine
$ VAULT_TOKEN=$rt vault secrets enable pki Success! Enabled the pki secrets engine at: pki/
Login and add user
# export VAULT_ADDR= or set on commandline. $ vault login -address=https://127.0.0.1:8200 -method=ldap username=<UserID> #Get token from output e.g. "token 35fef9ad-ebca-5601-df44-9e2cc7f9a52e" $ VAULT_TOKEN=35fef9ad-ebca-5601-df44-9e2cc7f9a52e vault list auth/ldap/users vault list auth/ldap/users/ vault write auth/ldap/users/<user> groups=developer vault read auth/ldap/users/<user>
...