Differences between revisions 10 and 11
Revision 10 as of 2018-05-12 08:09:33
Size: 2416
Editor: PieterSmit
Comment:
Revision 11 as of 2018-05-26 20:09:27
Size: 2430
Editor: PieterSmit
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
Links: [[HSM]]

Links: HSM

Vault by HasiCorp

  • Ensure vault can lock memory mlock 

    $ sudo setcap CAP_IPC_LOCK=  <bin>/9s/vault

  • Config 

    storage "file" {
  path = "/home/xxx/vault-data"
  address = "127.0.0.1:8500"
   path    = "vault"
}

#storage "etcd" {
#  address  = "http://localhost:2379"
#    etcd_api = "v3"
#    }

listener "tcp" {
      address     = "127.0.0.1:8200"
        #tls_disable = 1
        ##Cert + intermediate in concat
        tls_cert_file = "/home/xxx/ssl/concat_dev.pem"
        tls_key_file = "/home/xx/ssl/dev.key"
        }

#telemetry {
#          statsite_address = "127.0.0.1:8125"
#           disable_hostname = true
#            }

  • Got error with client no initialized 

    $ vault status
Error checking seal status: Error making API request.

URL: GET https://localdomain.com:8200/v1/sys/seal-status
Code: 400. Errors:

* server is not yet initialized

  • initialize with client 

    $ vault operator init
Unseal Key 1: eTa0LIlJ1fw3WIFzF4TLLrQQh5zZIQDVML5hvLh8b/0n
Unseal Key 2: cQPwYWRJx9U6CsydgP2z7lVEkOgvSy6dYBsdSF2Cmvld
Unseal Key 3: zYo0SyAwce+pgtiC4gXUR8mBwOxxAFgtKrpSMMdxSyZT
Unseal Key 4: o/u+3FjpDRUV+Bz2bbJX43lo67idFy9Ly2q+aG5r659x
Unseal Key 5: NzHAl/80p7C0WkvuAOl2G591LOqBvOxV4+Q8Kg2/0njS

Initial Root Token: 41f05975-248a-784d-cb10-96ca0d7c36a7

e.g. #vault init -key-shares=3 -key-threshold=2

    • now unseal doing the following 3 times with 3 of the keys 

      vault unseal

  • Setup systemd https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04

  • save first value in default kv /secret 

    $ export rt=41f05975-248a-784d-cb10-96ca0d7c36a7
$ VAULT_TOKEN=$rt vault write secret/mykey1 value=mysecret1
Success! Data written to: secret/mykey1

  • Generate a root otp 

    $ vault operator generate-root -generate-otp
kmXqMZ/A9BqSEf8pe/PtLQ==

  • enable transit encryption etc 

    $ VAULT_TOKEN=$rt vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/

$ VAULT_TOKEN=$rt vault write  transit/keys/my-key3 type=ecdsa-p256 
Success! Data written to: transit/keys/my-key3

  • enable the pki / ca engine 

    $ VAULT_TOKEN=$rt vault secrets enable pki
Success! Enabled the pki secrets engine at: pki/

...

Linux/Vault (last edited 2022-03-15 21:36:14 by PieterSmit)