Securely Manage Secrets with HashiCorp Vault


By Hitesh Jethva, Alibaba Cloud Community Blog author.

Vault is a free and open-source tool from HashiCorp for securely storing and accessing secrets. It stores and tightly controls access to tokens, passwords, certificates, encryption keys and other sensitive data through a UI, CLI, or HTTP API. Vault provides a unified interface to any secret and records a detailed audit log. You can keep database credentials, API keys for external services and other credentials in Vault. Vault supports multiple storage backends, including Consul, local disk and cloud storage, and it enables developers and security professionals to deploy applications in zero-trust environments across public and private data centers.

In this tutorial, we will learn how to manage secrets with HashiCorp Vault on an Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 16.04.

Prerequisites

Before you can begin this tutorial, you need to have the following:

  • A newly created Alibaba Cloud ECS instance with Ubuntu 16.04 installed.
  • A root password set up for your instance.

For reference, check out how to create a new ECS instance and connect to your instance. Once you are logged into your Ubuntu 16.04 instance, run the apt-get update -y command to update your base system with the latest available packages.

Install Vault

As the first part of this tutorial, download the latest Vault release archive from the official website. You can download it together with its checksum file using the following command:

Next, check the integrity of the downloaded file with the following command:

If everything is fine, you should see the following output:

Next, extract the downloaded archive and copy the extracted binary to the /usr/local/bin directory so that it is accessible from your shell.

Next, you will need to set a Linux capability flag on the binary. You can do this with the following command:
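The download check and install steps as a small POSIX shell script, added here as an example that is not part of the original post. It assumes the standard HashiCorp release layout (vault_&lt;version&gt;_linux_amd64.zip next to vault_&lt;version&gt;_SHA256SUMS, both in the same directory) and that install_vault runs as root.

```shell
#!/bin/sh
# Added example, not from the original post: check a Vault release archive
# against HashiCorp's published SHA256SUMS file before installing it.
# Assumes the standard release layout, vault_<version>_linux_amd64.zip next
# to vault_<version>_SHA256SUMS, both downloaded into the same directory.

# verify_release ZIP SUMS: succeed only when the SHA-256 of ZIP equals the
# digest listed for ZIP's exact filename in SUMS. Matching the whole filename
# field means a digest for a different file in SUMS cannot satisfy the check.
verify_release() {
    zip="$1"; sums="$2"; name=$(basename "$zip")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_release: no entry for $name in $sums" >&2; return 1
    fi
    actual=$(sha256sum "$zip" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_release: checksum mismatch for $name" >&2; return 1
    fi
    echo "checksum OK: $name"
}

# install_vault ZIP (run as root): after verification, unpack the binary into
# /usr/local/bin and grant it cap_ipc_lock so the daemon can mlock() its
# memory, keeping secrets out of swap, without running as root.
install_vault() {
    zip="$1"
    sums="$(dirname "$zip")/$(basename "$zip" _linux_amd64.zip)_SHA256SUMS"
    verify_release "$zip" "$sums" || return 1
    unzip -o "$zip" vault -d /usr/local/bin || return 1
    chown root:root /usr/local/bin/vault
    chmod 0755 /usr/local/bin/vault
    setcap cap_ipc_lock=+ep /usr/local/bin/vault
}

# From the download directory, with <version> replaced by the release you
# fetched:  install_vault "vault_<version>_linux_amd64.zip"
```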

Configure Vault

First, create a system user for the Vault daemon to run as. You can create the system user with the following command:

Next, give the /opt/vault directory the proper ownership with the following command:

Next, create a Vault configuration file that stores encrypted secrets in the /opt/vault directory and listens for connections over HTTP.

To do so, create a /etc/vault.hcl file:

Add the following lines:

Save and close the file. Then, give proper permissions with the following command:

Next, add your domain name to the /etc/hosts file so that requests to Vault are directed to localhost.

You can do this with the nano /etc/hosts command. Then, add the following line:

Save and close the file when you are finished.

Create the Vault System Startup File

Next, create a systemd service file for Vault so that you can easily manage the Vault service. You can do this by creating the following file:

Add the following lines:

Save and close the file. Then, start the Vault service and enable it to start at boot with the following command:

You can check the status of the Vault service with the systemctl status vault command. Your output will look like this:

You can also verify the Vault version with the vault --version command. The output will look like this:
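The configuration file and systemd unit described in the two sections above, written out as shell functions. This is an added example, not the post's own files; it assumes file storage in /opt/vault, an HTTP listener bound to 127.0.0.1:8200 only, a service user named vault, and a PREFIX argument so the files can be staged in a scratch directory before being written to / as root.

```shell
#!/bin/sh
# Added example, not from the original post: the config file and systemd unit
# the tutorial describes, written by functions that take a PREFIX so you can
# stage them in a scratch directory; call them with / as root on the host.
# Assumed: file storage in /opt/vault, HTTP on 127.0.0.1:8200, user "vault".

# Unprivileged service account that owns only the storage directory (root).
create_vault_user() {
    id vault >/dev/null 2>&1 || useradd --system --home /opt/vault --shell /bin/false vault
    mkdir -p /opt/vault && chown vault:vault /opt/vault && chmod 0750 /opt/vault
}

# PREFIX/etc/vault.hcl, mode 0640 so only root and the vault group read it.
write_vault_config() {
    prefix="${1%/}"
    cat > "$prefix/etc/vault.hcl" <<'EOF'
storage "file" {
  path = "/opt/vault"   # encrypted at rest by Vault's barrier key
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1       # plain HTTP is acceptable only on loopback
}
EOF
    chmod 0640 "$prefix/etc/vault.hcl"
    [ -n "$prefix" ] || chown root:vault /etc/vault.hcl
}

# PREFIX/etc/systemd/system/vault.service: run as vault, keep only
# CAP_IPC_LOCK (for mlock) and forbid privilege escalation by the daemon.
write_vault_unit() {
    prefix="${1%/}"
    cat > "$prefix/etc/systemd/system/vault.service" <<'EOF'
[Unit]
Description=HashiCorp Vault
After=network-online.target
[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ProtectSystem=full
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
}
# Host: create_vault_user; write_vault_config /; write_vault_unit /; systemctl daemon-reload; systemctl enable --now vault
```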

Initialize Vault

When you start Vault for the first time it is uninitialized, which means it is not yet ready to store and retrieve data. As the first step, set an environment variable that tells the vault command how to connect to the Vault server:

Next, confirm that Vault is in an uninitialized state by running the vault status command. The resulting output will be:

Next, initialize the Vault using the vault init -key-shares=3 -key-threshold=2 command. The output will look like this:

It is recommended to save each unseal key and the initial root token in a secure place.

Vault is now initialized but sealed, so you need to unseal it using the newly created unseal keys. At least two of the three unseal keys (the threshold chosen at initialization) are required before the service becomes available and ready to use.

You can unseal it by running the following command:

Enter your first unseal token and press Enter:

The above output indicates that unsealing is in progress but still requires one more unseal key before Vault is ready for use. Now, run the unseal command again:

Enter your second unseal token and press Enter:

Vault is now unsealed and ready to use. You can check the status of Vault with the vault status command. Your output will look like this:

Test Vault

Vault is now installed and configured, so it is time to test how Vault writes, stores and reads secrets. First, store the previously generated root token in an environment variable with the following command:

Next, write a value to Vault with the following command:

The output will look like this:

Next, create a policy file with the nano policy.hcl command and add the following lines:

Save and close the file. Then, write this policy to Vault with the following command:

The output is as follows:

Now, create a token with the rights specified in the policy with the following command:

You should see the following output:

Next, save the token value from the above output to an environment variable with the following command:

You can now access the data stored in the path secret/message with the following command:

The output will look like this:

Now, try listing the secrets in Vault with the following command:

You can see that the unprivileged token cannot perform other operations:
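The read-only policy behind the Test Vault steps, and the CLI sequence that exercises it, as an added example rather than the post's own files. It assumes a running, unsealed Vault at VAULT_ADDR with a KV version 1 mount at secret/, the current vault policy write / vault token create subcommand forms, and a policy name (message-reader) chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the read-only policy behind the
# "Test Vault" steps and the CLI sequence that exercises it. Assumes a running,
# unsealed Vault at VAULT_ADDR with a KV version 1 mount at secret/, the
# current "vault policy write" / "vault token create" subcommand forms, and
# a policy name ("message-reader") chosen here for illustration.
export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# write_read_policy FILE SECRET_PATH: grant only "read" on one path. Vault
# denies anything a policy does not list, so list/write/delete stay denied.
write_read_policy() {
    cat > "$1" <<EOF
path "$2" {
  capabilities = ["read"]
}
EOF
}

# Operator steps (VAULT_TOKEN = the initial root token): store a value,
# register the policy, then mint a token that carries only that policy.
issue_reader_token() {
    vault write secret/message value="hello vault" >/dev/null || return 1
    write_read_policy policy.hcl secret/message
    vault policy write message-reader policy.hcl || return 1
    vault token create -policy=message-reader -field=token
}

# Consumer steps (VAULT_TOKEN = the reader token): the read must succeed and
# the list must be refused (permission denied), proving the token's scope.
check_reader_scope() {
    vault read -field=value secret/message >/dev/null || return 1
    if vault list secret/ >/dev/null 2>&1; then
        echo "unexpected: reader token can list secret/" >&2; return 1
    fi
    echo "reader token is limited to read on secret/message"
}
```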
