hashicorp-vault
tags: #vault #secrets #hashicorp
# HashiCorp Vault Installation and Configuration Guide

## Table of Contents
- [[#Prerequisites]]
- [[#Installation]]
- [[#Configuration]]
- [[#SSL/TLS Setup]]
- [[#Initialization and Unsealing]]
- [[#Secret Engines]]
- [[#Troubleshooting]]
## Prerequisites
- Ubuntu 24.04 LTS
- Root or sudo privileges
- Open port 8200

## Reference
[[HashiCorp Vault Secret]]

## Initial Vault Setup
### Installation

```bash
# For Ubuntu 24.04 LTS
# Switch to root
sudo su
# Add HashiCorp GPG key
wget -O - https://apt.releases.hashicorp.com/gpg | \
  gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Add HashiCorp repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
  https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
  tee /etc/apt/sources.list.d/hashicorp.list
# Update and install Vault
apt update && apt install vault
```
### Configuration

```bash
# Create necessary directories
mkdir -p /opt/vault/{data,tls}
# Set correct permissions (the vault user and group are created by the package)
chown -R vault:vault /opt/vault
chmod 750 /opt/vault/data
# Create basic configuration (quoted heredoc: nothing inside is expanded by the shell)
cat << 'EOF' > /etc/vault.d/vault.hcl
ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"
  tls_key_file  = "/opt/vault/tls/vault.key"
}

api_addr = "https://127.0.0.1:8200"
EOF
# Set correct permissions for config
chown vault:vault /etc/vault.d/vault.hcl
chmod 640 /etc/vault.d/vault.hcl
```
### SSL/TLS Setup

```bash
# Generate self-signed certificate. A subjectAltName is included because
# Go-based clients (the Vault CLI among them) ignore the CN and require a SAN.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /opt/vault/tls/vault.key \
  -out /opt/vault/tls/vault.crt \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# Set permissions
chown vault:vault /opt/vault/tls/vault.{key,crt}
chmod 600 /opt/vault/tls/vault.key
chmod 644 /opt/vault/tls/vault.crt
```
### Initialization and Unsealing

#### First-time initialization

```bash
# Start Vault service
sudo systemctl start vault
sudo systemctl enable vault
# Set environment variable
export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_SKIP_VERIFY=true # For self-signed certificates
# Initialize Vault
vault operator init
# ❗❗❗ Save the output! It contains:
# - 5 Unseal Keys (need 3 for unsealing)
# - Initial Root Token
```
#### Start Vault service

```bash
# Check service status
systemctl status vault
# Start Vault service
sudo systemctl start vault
sudo systemctl enable vault
# Set environment variable
export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_SKIP_VERIFY=true # For self-signed certificates
```
#### Unseal & Login

```bash
# Step 1: repeat 3 times, providing a different unseal key each time
vault operator unseal
# Step 2: login using the root token
vault login <root-token>
```
## Secret Engines

### KV Version 2 (Key-Value)

```bash
# Enable KV version 2
vault secrets enable -version=2 kv
# Store a secret
vault kv put kv/my-secret username=myuser password=mypass
# Retrieve a secret
vault kv get kv/my-secret
# Change only the username from "myuser" to "John Kirby" (other fields are kept)
vault kv patch kv/my-secret username="John Kirby"
# Update both fields at once (put replaces the whole secret with a new version)
vault kv put kv/my-secret username="John Kirby" password="John-Password"
```
### Database Secrets Engine

```bash
# Enable database secrets engine
vault secrets enable database
# Configure MySQL connection
vault write database/config/mysql \
  plugin_name=mysql-database-plugin \
  connection_url="{{username}}:{{password}}@tcp(localhost:3306)/" \
  allowed_roles="my-role" \
  username="root" \
  password="root-password"
```
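The configuration above only tells Vault how to reach MySQL; nothing can request a credential until `my-role` exists, and the `root-password` typed on the command line is still valid outside Vault. The script below is an added example (not from the original note) that completes the setup: it defines the role with a templated `CREATE USER` statement, hands the root password over to Vault with `rotate-root`, and reads one short-lived credential. It assumes `VAULT_ADDR` and `VAULT_TOKEN` point at an unsealed Vault with the `database/config/mysql` entry from the guide; the SQL, the `appdb` schema, the TTLs and the `VAULT_LIVE` guard are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original note): finish the database secrets
# engine setup. Assumes database/config/mysql exists with allowed_roles="my-role".
set -eu

# Vault fills {{name}} and {{password}} per lease. A statement missing either
# placeholder would make every dynamic user share the same name or password,
# so check it locally before writing the role.
validate_creation_statement() {
  stmt="$1"
  case "$stmt" in
    *'{{name}}'*'{{password}}'*|*'{{password}}'*'{{name}}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Illustrative grant: read-only on one schema (appdb is a placeholder).
CREATE_SQL="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON appdb.* TO '{{name}}'@'%';"

db_setup_role() {
  validate_creation_statement "$CREATE_SQL" || {
    echo "creation statement lacks {{name}}/{{password}}" >&2; return 1; }
  # Short leases bound how long a leaked credential stays usable.
  vault write database/roles/my-role \
    db_name=mysql \
    creation_statements="$CREATE_SQL" \
    default_ttl="1h" \
    max_ttl="24h"
  # Let Vault own the root password from now on: the value given to
  # database/config/mysql stops working for anyone who saw it.
  vault write -force database/rotate-root/mysql
}

db_get_creds() {
  # Every read creates a fresh MySQL user and returns a lease_id.
  vault read database/creds/my-role
}

db_revoke() {
  # $1 = lease_id printed by db_get_creds (database/creds/my-role/<id>)
  vault lease revoke "$1"
}

# Opt-in guard (constructed for this example) so the file can be sourced
# without touching a live Vault.
if [ "${VAULT_LIVE:-0}" = "1" ]; then
  db_setup_role
  db_get_creds
fi
```

Run with `VAULT_LIVE=1 ./db-role.sh`; afterwards `vault list sys/leases/lookup/database/creds/my-role` shows the outstanding leases, and `db_revoke <lease_id>` drops a user before its TTL expires.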
### PKI Secrets Engine

```bash
# Enable PKI secrets engine
vault secrets enable pki
# Raise the mount's max lease TTL (default 32 days) so a 1-year root is allowed
vault secrets tune -max-lease-ttl=8760h pki
# Generate an internal root CA
vault write pki/root/generate/internal \
  common_name=example.com \
  ttl=8760h
```
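Generating the root is only half of a usable CA: clients need to know where to fetch the CA certificate and CRL, and issuance should be constrained by a role rather than left to the root endpoint. The following is an added example (not from the original note) that publishes the URLs, creates a role limited to subdomains of `example.com` with a 72-hour maximum, and issues one leaf certificate. It assumes `VAULT_ADDR` and `VAULT_TOKEN` point at an unsealed Vault where `pki` is mounted and the root above exists; the role name `web-server`, the hostnames and the `VAULT_LIVE` guard are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original note): role-constrained issuance from
# the internal root generated above.
set -eu

# Local mirror of the role's allowed_domains / allow_subdomains rule, so a
# wrong hostname fails before any call to Vault. Bare example.com is rejected,
# matching allow_bare_domains=false. Returns 0 when the CN would be accepted.
cn_allowed() {
  cn="$1"; domain="$2"
  case "$cn" in
    .*|*..*|*.) return 1 ;;          # malformed: leading/trailing/doubled dots
    *."$domain") return 0 ;;         # host.example.com, a.b.example.com
    *) return 1 ;;                   # bare domain, other domains, suffix look-alikes
  esac
}

pki_setup() {
  # Clients locate the CA and CRL through these URLs embedded in each cert.
  vault write pki/config/urls \
    issuing_certificates="${VAULT_ADDR}/v1/pki/ca" \
    crl_distribution_points="${VAULT_ADDR}/v1/pki/crl"
  # The role is what pki/issue/web-server enforces.
  vault write pki/roles/web-server \
    allowed_domains=example.com \
    allow_subdomains=true \
    allow_bare_domains=false \
    max_ttl=72h
}

pki_issue() {
  cn="$1"
  cn_allowed "$cn" example.com || {
    echo "refusing $cn: outside example.com" >&2; return 1; }
  # The response contains the private key: create the file owner-only.
  umask 077
  vault write -format=json pki/issue/web-server common_name="$cn" ttl=24h > "$cn.json"
  # CA certificate for chain verification by whoever deploys the leaf.
  vault read -field=certificate pki/cert/ca > ca.crt
  echo "issued $cn (certificate and private_key fields in $cn.json)"
}

# Opt-in guard (constructed for this example).
if [ "${VAULT_LIVE:-0}" = "1" ]; then
  pki_setup
  pki_issue vault.example.com
fi
```

The JSON written by `pki_issue` holds `data.certificate`, `data.private_key` and `data.issuing_ca`; extract them with `jq -r` and keep the `umask 077` habit for the key file. Requests for names outside `example.com` are rejected locally by `cn_allowed` and, if that check were bypassed, by the role on the Vault side.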
## Troubleshooting

### Common Issues and Solutions

- Service Won't Start

```bash
# Check service status
systemctl status vault
# Check logs
journalctl -xeu vault.service
# Verify permissions
ls -la /opt/vault/
ls -la /opt/vault/tls/
```

- TLS Certificate Issues

```bash
# Verify certificate
openssl x509 -in /opt/vault/tls/vault.crt -text -noout
# Test TLS connection (-k skips verification for the self-signed certificate)
curl -k https://127.0.0.1:8200/v1/sys/health
```

- Sealed Vault

```bash
# Check seal status
vault status
# Unseal vault (needs 3 keys)
vault operator unseal
```

### Health Check

```bash
# Check Vault status
vault status
# Check server health
curl -k https://127.0.0.1:8200/v1/sys/health
```
## Best Practices

- Security
  - Rotate root tokens regularly
  - Use appropriate policies
  - Enable audit logging
  - Use TLS certificates from a trusted CA in production
- Backup
  - Regular backup of Vault data
  - Secure storage of unseal keys
  - Document recovery procedures
- Monitoring
  - Set up monitoring for seal status
  - Monitor certificate expiration
  - Track usage metrics
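The `curl -k .../v1/sys/health` call in the Health Check section and the "monitor seal status" and "monitor certificate expiration" items above can be one scheduled check: `sys/health` reports state through its HTTP status code (200 active, 429 standby, 472 DR secondary, 473 performance standby, 501 not initialized, 503 sealed, per the Vault API documentation), and `openssl` can report the listener certificate's expiry. The script below is an added example (not from the original note) that maps the code to a state, alerts on sealed or uninitialized, and warns when fewer than `WARN_DAYS` remain on the certificate. The default address and certificate path follow this guide; the thresholds, the `VAULT_LIVE` guard and the use of GNU `date` are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original note): seal-state and certificate-expiry
# check suitable for cron or a monitoring agent.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://127.0.0.1:8200}"
CERT_PATH="${CERT_PATH:-/opt/vault/tls/vault.crt}"
WARN_DAYS="${WARN_DAYS:-30}"

# sys/health encodes state in the HTTP status code (values from the Vault API docs).
health_state() {
  case "$1" in
    200) echo "active" ;;
    429) echo "standby" ;;
    472) echo "dr-secondary" ;;
    473) echo "perf-standby" ;;
    501) echo "uninitialized" ;;
    503) echo "sealed" ;;
    *)   echo "unreachable" ;;
  esac
}

# Returns 0 when the state needs no action, 1 when someone should be paged.
health_alerts() {
  case "$(health_state "$1")" in
    active|standby|perf-standby) return 0 ;;
    *) return 1 ;;
  esac
}

# Days until notAfter (negative once expired). Uses GNU date, as on Ubuntu.
cert_days_left() {
  end="$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
  end_s="$(date -d "$end" +%s)"
  echo "$(( (end_s - $(date +%s)) / 86400 ))"
}

check_vault() {
  # -k mirrors the self-signed setup in this guide; drop it once a trusted CA is used.
  code="$(curl -sk -o /dev/null -w '%{http_code}' "$VAULT_ADDR/v1/sys/health")" || code=000
  echo "vault: $(health_state "$code") (HTTP $code)"
  days="$(cert_days_left "$CERT_PATH")"
  echo "tls cert: $days days left"
  rc=0
  health_alerts "$code" || rc=1
  [ "$days" -ge "$WARN_DAYS" ] || rc=1
  return $rc
}

# Opt-in guard (constructed for this example); exit status 1 means alert.
if [ "${VAULT_LIVE:-0}" = "1" ]; then
  check_vault
fi
```

A non-zero exit from `check_vault` is what the scheduler or agent should alert on; `standby` is deliberately not an alert because it is the normal state of non-leader nodes in an HA cluster, while `sealed` after a restart of the single node in this guide means someone has to run `vault operator unseal`.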
## Common Commands

```bash
# Login
vault login
# List mounted secret engines
vault secrets list
# Create policy
vault policy write my-policy policy.hcl
# Create token
vault token create -policy=my-policy
```
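`vault policy write my-policy policy.hcl` needs a `policy.hcl`, and the "use appropriate policies" best practice above is where least privilege is actually applied. A detail that matters for the KV v2 secret from the Secret Engines section: the CLI path `kv/my-secret` is served by the API at `kv/data/my-secret` (metadata at `kv/metadata/my-secret`), and policies must name the API path, so a rule on `kv/my-secret` grants nothing and yields "permission denied". The script below is an added example (not from the original note) that writes a read-only policy for that one secret, issues a short-lived token with it, and checks that the token can read but not write. It assumes `VAULT_ADDR` and a root `VAULT_TOKEN` for a Vault with `kv` mounted as in this guide; the 1-hour TTL and the `VAULT_LIVE` guard are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original note): least-privilege policy for the
# KV v2 secret created in the Secret Engines section, plus a token that proves it.
set -eu

# Build the API path a KV v2 policy must reference.
# $1 = mount, $2 = secret path, $3 = data|metadata|delete|undelete|destroy
kv2_api_path() {
  echo "$1/$3/$2"
}

write_policy() {
  data_path="$(kv2_api_path kv my-secret data)"
  meta_path="$(kv2_api_path kv my-secret metadata)"
  # Read-only on one secret: no list on the mount, no update, no delete.
  cat > policy.hcl <<EOF
path "$data_path" {
  capabilities = ["read"]
}
path "$meta_path" {
  capabilities = ["read"]
}
EOF
  vault policy write my-policy policy.hcl
}

issue_and_test_token() {
  # Short TTL so a leaked token expires on its own.
  token="$(vault token create -policy=my-policy -ttl=1h -field=token)"
  # Read must succeed ...
  VAULT_TOKEN="$token" vault kv get -field=username kv/my-secret
  # ... and write must be denied; a successful put means the policy is too broad.
  if VAULT_TOKEN="$token" vault kv put kv/my-secret username=other >/dev/null 2>&1; then
    echo "policy too broad: write succeeded" >&2
    return 1
  fi
  echo "policy enforced: read allowed, write denied"
}

# Opt-in guard (constructed for this example).
if [ "${VAULT_LIVE:-0}" = "1" ]; then
  write_policy
  issue_and_test_token
fi
```

The same `kv2_api_path` helper gives the paths for the other KV v2 operations (`delete`, `undelete`, `destroy`) should a policy need them, each of which is a separate capability decision rather than something a `read` grant implies.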