#format wiki
#language en

Links: [[HSM]]

= Vault by HashiCorp =

== Vault Links ==
 * Try to integrate Vault with the OpenSSL engine interface (so applications can use keys held in Vault's transit engine through the standard OpenSSL API):
  * https://www.openssl.org/docs/man1.1.1/man1/engine.html
  * https://github.com/hashicorp/vault/issues/3845

=== Download ===
 * https://www.vaultproject.io/downloads
 * 2022, Ubuntu via the HashiCorp apt repository. Caveat: `apt-key` is deprecated on current Debian/Ubuntu releases; HashiCorp's install docs now place the signing key in a keyring file and reference it with a `signed-by=` option in the sources entry. Always verify the key fingerprint against the HashiCorp documentation before trusting the repository.
{{{
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update
sudo apt-get install vault
}}}

=== Login ===
 1. {{{export VAULT_ADDR=https://<vault-host>:8200}}}
 1. {{{vault login -method=ldap username=<username>}}}
 1. {{{vault list auth/ldap/users}}}

== Vault Hardening ==
 * Ensure vault can lock memory (mlock) so that secrets are never swapped to disk. Grant the capability on the binary; the `+ep` (effective, permitted) flags are required, a bare `cap_ipc_lock=` would set the capability with no flags and not grant anything:
{{{
$ sudo setcap cap_ipc_lock=+ep /9s/vault   # use the path of your vault binary
}}}
 * Config. The `file` storage backend only takes `path`; `address` (Consul's 8500 port) and `path = "vault"` (a Consul key prefix) belong to a `consul` storage block, shown commented out below together with the etcd alternative. Only one `storage` block may be active.
{{{
storage "file" {
  path = "/home/xxx/vault-data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

#storage "etcd" {
#  address  = "http://localhost:2379"
#  etcd_api = "v3"
#}

listener "tcp" {
  address = "127.0.0.1:8200"
  # never enable tls_disable outside a throwaway dev setup
  #tls_disable = 1
  # server certificate + intermediate, concatenated into one PEM file
  tls_cert_file = "/home/xxx/ssl/concat_dev.pem"
  tls_key_file  = "/home/xxx/ssl/dev.key"
}

#telemetry {
#  statsite_address = "127.0.0.1:8125"
#  disable_hostname = true
#}
}}}
 * `vault status` fails with HTTP 400 while the server has not been initialized yet:
{{{
$ vault status
Error checking seal status: Error making API request.

URL: GET https://localdomain.com:8200/v1/sys/seal-status
Code: 400. Errors:

* server is not yet initialized
}}}
 * Initialize with the client. The default is 5 key shares with an unseal threshold of 3. The shares and root token below are the ones printed in the session this page was written from and are kept only to show the output format: never record real unseal keys or the root token in a wiki; hand the shares to separate key holders and revoke the initial root token once another auth method works.
{{{
$ vault operator init
Unseal Key 1: eTa0LIlJ1fw3WIFzF4TLLrQQh5zZIQDVML5hvLh8b/0n
Unseal Key 2: cQPwYWRJx9U6CsydgP2z7lVEkOgvSy6dYBsdSF2Cmvld
Unseal Key 3: zYo0SyAwce+pgtiC4gXUR8mBwOxxAFgtKrpSMMdxSyZT
Unseal Key 4: o/u+3FjpDRUV+Bz2bbJX43lo67idFy9Ly2q+aG5r659x
Unseal Key 5: NzHAl/80p7C0WkvuAOl2G591LOqBvOxV4+Q8Kg2/0njS
Initial Root Token: 41f05975-248a-784d-cb10-96ca0d7c36a7

# e.g. choose the split explicitly (3 shares, any 2 unseal); older CLIs spell it `vault init`:
$ vault operator init -key-shares=3 -key-threshold=2
}}}
 * Now unseal: run the following once per key share, with a different share each time, until the threshold is reached (three times for the default 5/3 split). Each call is a separate API request, so the shares can be entered by different people from different machines. `vault status` reports `Sealed: false` afterwards.
{{{
$ vault operator unseal
}}}
 * Setup systemd: https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04
 * Save a first value in the default kv mount at `secret/`. Caveat: recent Vault versions no longer mount `secret/` automatically on a fresh (non-dev) server; if the write fails with "no handler for route", enable a kv engine at that path first.
{{{
$ export rt=41f05975-248a-784d-cb10-96ca0d7c36a7
$ VAULT_TOKEN=$rt vault write secret/mykey1 value=mysecret1
Success! Data written to: secret/mykey1
}}}
 * Generate a root OTP. The one-time pad is used to encode a new root token produced later by `generate-root` together with a quorum of unseal keys, so a root token can be recreated without anyone seeing it in the clear:
{{{
$ vault operator generate-root -generate-otp
kmXqMZ/A9BqSEf8pe/PtLQ==
}}}
 * Enable the transit secrets engine (encryption as a service) and create a key; `ecdsa-p256` is a signing key type:
{{{
$ VAULT_TOKEN=$rt vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/
$ VAULT_TOKEN=$rt vault write transit/keys/my-key3 type=ecdsa-p256
Success! Data written to: transit/keys/my-key3
}}}
 * Enable the pki / CA engine:
{{{
$ VAULT_TOKEN=$rt vault secrets enable pki
Success! Enabled the pki secrets engine at: pki/
}}}
 * Login as an LDAP user and manage the LDAP user-to-group mappings. `vault login` caches the token in `~/.vault-token`, so `VAULT_TOKEN` only needs to be set explicitly when a different token should be used:
{{{
# export VAULT_ADDR=... or pass -address on the command line
$ vault login -address=https://127.0.0.1:8200 -method=ldap username=<username>
# take the token from the output, e.g. "token 35fef9ad-ebca-5601-df44-9e2cc7f9a52e"
$ VAULT_TOKEN=35fef9ad-ebca-5601-df44-9e2cc7f9a52e vault list auth/ldap/users
$ vault write auth/ldap/users/<username> groups=developer
$ vault read auth/ldap/users/<username>
}}}
 ...
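 * The init/unseal procedure and the `tls_disable` setting above, as an added shell example (this is not code from the original page or from HashiCorp). It parses the output of `vault operator init`, submits exactly the threshold number of shares with `vault operator unseal`, and checks a listener config for an uncommented `tls_disable`. The init output and the two listener blocks are constructed sample data with placeholder shares; `VAULT_CMD` is an assumed helper variable that defaults to the real `vault` binary on PATH and can be set to `echo` for a dry run.

```bash
#!/usr/bin/env bash
# Added example for this wiki page (not HashiCorp code). Helpers for the
# "init -> unseal" procedure and a pre-flight check of the listener config.
# Assumes the real `vault` CLI is on PATH when VAULT_CMD is not overridden.
# All sample data below is constructed for the example.
set -eu

# Constructed sample of `vault operator init` output, same layout as the page.
# These are NOT real shares/tokens; never record real ones in a wiki.
SAMPLE_INIT_OUTPUT='Unseal Key 1: AAAAexampleShare1
Unseal Key 2: BBBBexampleShare2
Unseal Key 3: CCCCexampleShare3
Unseal Key 4: DDDDexampleShare4
Unseal Key 5: EEEEexampleShare5
Initial Root Token: hvs.exampleRootToken

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# Constructed listener blocks: one with TLS kept on (tls_disable only in a
# comment, as on the page) and one that actively disables TLS.
SAMPLE_CONFIG_OK='listener "tcp" {
  address       = "127.0.0.1:8200"
  #tls_disable = 1
  tls_cert_file = "/home/xxx/ssl/concat_dev.pem"
  tls_key_file  = "/home/xxx/ssl/dev.key"
}'
SAMPLE_CONFIG_BAD='listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}'

# Print the unseal key shares, one per line, in share order.
extract_unseal_keys() {
    printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9][0-9]*: //p'
}

# Print the initial root token.
extract_root_token() {
    printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'
}

# Print the key threshold init reported (how many shares unseal needs).
extract_threshold() {
    printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Submit exactly <threshold> shares with `vault operator unseal`; the server
# stays sealed until the threshold is met and extra shares are not needed.
# VAULT_CMD defaults to the real binary; set VAULT_CMD=echo for a dry run.
unseal_with_threshold() {
    init_output=$1
    threshold=$(extract_threshold "$init_output")
    if [ -z "$threshold" ]; then
        echo "could not determine key threshold from init output" >&2
        return 1
    fi
    extract_unseal_keys "$init_output" | head -n "$threshold" |
        while IFS= read -r share; do
            "${VAULT_CMD:-vault}" operator unseal "$share"
        done
}

# Return 0 when no listener actively disables TLS, 1 when an uncommented
# tls_disable = 1 / true is present. Comments are stripped first so the
# commented-out line from the page does not raise a false alarm.
listener_tls_enabled() {
    if printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq 'tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?'; then
        return 1
    fi
    return 0
}

# Dry-run demo: VAULT_EXAMPLE_DEMO=1 bash vault-bootstrap.sh
if [ "${VAULT_EXAMPLE_DEMO:-0}" = 1 ]; then
    VAULT_CMD=echo unseal_with_threshold "$SAMPLE_INIT_OUTPUT"
    listener_tls_enabled "$SAMPLE_CONFIG_BAD" || echo "config disables TLS"
fi
```

 In real use the init output would be captured from `vault operator init` and then wiped, not kept in a variable or file; the threshold is taken from the server's own summary line so the script submits the right number of shares whatever split was chosen with `-key-shares`/`-key-threshold`.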