|
Size: 1492
Comment:
|
Size: 1680
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 55: | Line 55: |
e.g. #vault init -key-shares=3 -key-threshold=2 |
|
| Line 59: | Line 61: |
| * Setup systemd https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04 |
Vault by HasiCorp
Ensure vault can lock memory mlock
$ sudo setcap CAP_IPC_LOCK= <bin>/9s/vault
Config
storage "file" { path = "/home/xxx/vault-data" address = "127.0.0.1:8500" path = "vault" } #storage "etcd" { # address = "http://localhost:2379" # etcd_api = "v3" # } listener "tcp" { address = "127.0.0.1:8200" #tls_disable = 1 ##Cert + intermediate in concat tls_cert_file = "/home/xxx/ssl/concat_dev.pem" tls_key_file = "/home/xx/ssl/dev.key" } #telemetry { # statsite_address = "127.0.0.1:8125" # disable_hostname = true # }Got error with client no initialized
$ vault status Error checking seal status: Error making API request. URL: GET https://localdomain.com:8200/v1/sys/seal-status Code: 400. Errors: * server is not yet initialized
initialize with client
$ vault operator init Unseal Key 1: eTa0LIlJ1fw3WIFzF4TLLrQQh5zZIQDVML5hvLh8b/0n Unseal Key 2: cQPwYWRJx9U6CsydgP2z7lVEkOgvSy6dYBsdSF2Cmvld Unseal Key 3: zYo0SyAwce+pgtiC4gXUR8mBwOxxAFgtKrpSMMdxSyZT Unseal Key 4: o/u+3FjpDRUV+Bz2bbJX43lo67idFy9Ly2q+aG5r659x Unseal Key 5: NzHAl/80p7C0WkvuAOl2G591LOqBvOxV4+Q8Kg2/0njS Initial Root Token: 41f05975-248a-784d-cb10-96ca0d7c36a7 e.g. #vault init -key-shares=3 -key-threshold=2
now unseal doing the following 3 times with 3 of the keys
vault unseal
Setup systemd https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04
...