Links: HSM

Vault by HasiCorp

Vault Links

• Try to integrate Vault with openssl engine,

  • https://www.openssl.org/docs/man1.1.1/man1/engine.html

  • https://github.com/hashicorp/vault/issues/3845

  • https://www.openssl.org/docs/man1.1.1/man1/engine.html

  • https://github.com/hashicorp/vault/issues/3845

Download

• https://www.vaultproject.io/downloads

• 2022

  curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
  sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
  sudo apt-get install vault

Login

1. export VAULT_ADDR=https://<url>:8200

2. vault login -method=ldap username=<>

3. vault list auth/ldap/users

Vault Hardening

• Ensure vault can lock memory mlock

  $ sudo setcap CAP_IPC_LOCK=  <bin>/9s/vault

• Config

  storage "file" {
    path = "/home/xxx/vault-data"
    address = "127.0.0.1:8500"
     path    = "vault"
  }
  
  #storage "etcd" {
  #  address  = "http://localhost:2379"
  #    etcd_api = "v3"
  #    }
  
  listener "tcp" {
        address     = "127.0.0.1:8200"
          #tls_disable = 1
          ##Cert + intermediate in concat
          tls_cert_file = "/home/xxx/ssl/concat_dev.pem"
          tls_key_file = "/home/xx/ssl/dev.key"
          }
  
  #telemetry {
  #          statsite_address = "127.0.0.1:8125"
  #           disable_hostname = true
  #            }

• Got error with client no initialized

  $ vault status
  Error checking seal status: Error making API request.
  
  URL: GET https://localdomain.com:8200/v1/sys/seal-status
  Code: 400. Errors:
  
  * server is not yet initialized

• initialize with client

  $ vault operator init
  Unseal Key 1: eTa0LIlJ1fw3WIFzF4TLLrQQh5zZIQDVML5hvLh8b/0n
  Unseal Key 2: cQPwYWRJx9U6CsydgP2z7lVEkOgvSy6dYBsdSF2Cmvld
  Unseal Key 3: zYo0SyAwce+pgtiC4gXUR8mBwOxxAFgtKrpSMMdxSyZT
  Unseal Key 4: o/u+3FjpDRUV+Bz2bbJX43lo67idFy9Ly2q+aG5r659x
  Unseal Key 5: NzHAl/80p7C0WkvuAOl2G591LOqBvOxV4+Q8Kg2/0njS
  
  Initial Root Token: 41f05975-248a-784d-cb10-96ca0d7c36a7
  
  e.g. #vault init -key-shares=3 -key-threshold=2

  • now unseal doing the following 3 times with 3 of the keys

    vault unseal

• Setup systemd https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04

• save first value in default kv /secret

  $ export rt=41f05975-248a-784d-cb10-96ca0d7c36a7
  $ VAULT_TOKEN=$rt vault write secret/mykey1 value=mysecret1
  Success! Data written to: secret/mykey1

• Generate a root otp

  $ vault operator generate-root -generate-otp
  kmXqMZ/A9BqSEf8pe/PtLQ==

• enable transit encryption etc

  $ VAULT_TOKEN=$rt vault secrets enable transit
  Success! Enabled the transit secrets engine at: transit/
  
  $ VAULT_TOKEN=$rt vault write  transit/keys/my-key3 type=ecdsa-p256 
  Success! Data written to: transit/keys/my-key3

• enable the pki / ca engine

  $ VAULT_TOKEN=$rt vault secrets enable pki
  Success! Enabled the pki secrets engine at: pki/

• Login and add user

  # export VAULT_ADDR= or set on commandline.
  $ vault login -address=https://127.0.0.1:8200 -method=ldap username=<UserID>
  
  #Get token from output e.g. "token 35fef9ad-ebca-5601-df44-9e2cc7f9a52e"
  $ VAULT_TOKEN=35fef9ad-ebca-5601-df44-9e2cc7f9a52e vault list auth/ldap/users
  
  vault list auth/ldap/users/
  vault write auth/ldap/users/<user> groups=developer
  vault read auth/ldap/users/<user>

...