{"id":198,"date":"2017-09-08T11:29:48","date_gmt":"2017-09-08T11:29:48","guid":{"rendered":"https:\/\/ruimoreira.co.uk\/?p=198"},"modified":"2017-09-17T19:53:50","modified_gmt":"2017-09-17T19:53:50","slug":"hashicorp-vault-keeping-things-secret-part-1-install-and-configure-vaul","status":"publish","type":"post","link":"https:\/\/ruimoreira.co.uk\/?p=198","title":{"rendered":"Hashicorp Vault , keeping things secret &#8211; Part 1 install and configure Vault"},"content":{"rendered":"<p>Hello folks<\/p>\n<p>Today I am going to talk about a great tool from Hashicorp called Vault (https:\/\/www.vaultproject.io). This piece of software is, in my opinion, an essential part of our DevOps toolkit. It allows you to safely save and dynamically generate secrets for your infrastructure. The main use case for me has been to allow me to set passwords in Terraform templates without exposing the password itself in clear text, but for now what I am talking about here is how to install it and get it up and running on your Linux server, and I will also provide a Dockerfile you can use to spin up a container and play around with Vault.<\/p>\n<p>So let&#8217;s get our hands dirty<\/p>\n<p>1 &#8211; Download your binary from https:\/\/www.vaultproject.io\/downloads.html. You will see links for MacOS, Linux, BSD etc.; choose your own. For example:<\/p>\n<p># wget https:\/\/releases.hashicorp.com\/vault\/0.8.1\/vault_0.8.1_linux_amd64.zip<\/p>\n<p>2 &#8211; Uncompress the archive and copy the file into a directory in $PATH<\/p>\n<p># unzip vault_0.8.1_linux_amd64.zip ; cp vault \/usr\/local\/bin<\/p>\n<p>3 &#8211; Test that you can execute vault.<\/p>\n<p># vault -v<\/p>\n<p>This should return something like<\/p>\n<p># vault -v<br \/>\nVault v0.8.1 ('8d76a41854608c547a233f2e6292ae5355154695')<\/p>\n<p>Of course your values could be different as newer versions are released.
You should also do the same thing on your workstation, as the same binary is used for the client too. So download it to your computer, expand the zip file and copy it to a location of your choice (as long as that location is in $PATH).<\/p>\n<p>So, now we have Vault in place and we can start the server. This can be done by using the command<\/p>\n<p># vault server -config &lt;PATH_TO_CONFIG_FILE&gt;<\/p>\n<p>The output will look something like<\/p>\n<pre class=\"highlight plaintext\"><code>==&gt; Vault server configuration:\n\nCgo: disabled\nListener 1: tcp (addr: &quot;0.0.0.0:8200&quot;, cluster address: &quot;0.0.0.0:8201&quot;, tls: &quot;disabled&quot;)\nLog Level: info\nMlock: supported: true, enabled: true\nStorage: file\nVersion: Vault v0.8.1\nVersion Sha: 8d76a41854608c547a233f2e6292ae5355154695\n\n==&gt; Vault server started! Log data will stream in below:<\/code><\/pre>\n<p>Please make sure your firewall allows port 8200\/8201 TCP to this server. Note that the listener shown above has TLS disabled, so tokens and secrets sent to it cross the network unencrypted.<\/p>\n<p>If you want to use Vault inside a docker container you can check out this git repo, as it contains a Dockerfile and an example configuration file for Vault.<\/p>\n<p>https:\/\/github.com\/ruimoreira\/blogexamples<\/p>\n<p>Ok, so now we have Vault running. Let&#8217;s initialize it. I would advise you to execute this on your workstation:<\/p>\n<pre class=\"highlight plaintext\"><code>export VAULT_ADDR='http:\/\/&lt;VAULT_SERVER_IP_ADDRESS&gt;:8200'<\/code><\/pre>\n<p>Let&#8217;s check that we can actually reach it<\/p>\n<p># vault status<br \/>\nError checking seal status: Error making API request.<\/p>\n<p>URL: GET http:\/\/127.0.0.1:8200\/v1\/sys\/seal-status<br \/>\nCode: 400.
Errors:<\/p>\n<p>* server is not yet initialized<\/p>\n<p>So this tells us that we can indeed reach the server; however, it&#8217;s not initialized.<\/p>\n<p>So let&#8217;s do just that.<\/p>\n<p># vault init<\/p>\n<p><code><br \/>\n# vault init<br \/>\nUnseal Key 1: IIeMHIGq+xmIDqXN7Q43Lt7nmi5sLvNad5NgUjOVPoiA<br \/>\nUnseal Key 2: phNTpSyjBqobHYeLVOfiaUHQ6iidw2\/BowKnTb3HzaC4<br \/>\nUnseal Key 3: jJcuYrSiQRHv0TvD1\/AVrHBpd2f6mjtjriGLa66A2O5b<br \/>\nUnseal Key 4: so5WqFp1nmXFeuLE4tUZiglCTEBP2gkc9\/teNZNvVOmz<br \/>\nUnseal Key 5: hCNg3wwVfYY\/x0A6TLVmvyKyutilr5qvhkiH4mUDHWXR<br \/>\nInitial Root Token: 880fde6a-f672-fe8e-50d0-2e51f566654a<br \/>\n<\/code><\/p>\n<p>As we can see, Vault has provided the Unseal Keys and the Root Token to authenticate with.<\/p>\n<p>At this point you need to unseal the vault, which means providing 3 of these keys using <code>vault unseal<\/code>.<\/p>\n<p>Hope you find this useful and hope to see you again soon.<\/p>\n<p>Rui Moreira<\/p>\n<p><strong>PS<\/strong>: If you are using a docker container to play around with Vault, then I would like to remind you to use the <code>-p<\/code> option to expose the port of the container you are running Vault on.<\/p>\n<p>More information <a href=\"https:\/\/docs.docker.com\/engine\/userguide\/networking\/default_network\/binding\/\">here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello folks Today I am going to talk about a great tool from Hashicorp, it&#8217;s called Vault (https:\/\/www.vaultproject.io) . This piece of software is in my opinion an essential part of our Devops toolkit. It allows you to safely save, and dynamically generate secrets for your infrastructure.
The main use case for me has been &hellip; <a href=\"https:\/\/ruimoreira.co.uk\/?p=198\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Hashicorp Vault , keeping things secret &#8211; Part 1 install and configure Vault<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":202,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[55,91,6,60,22],"tags":[],"wppr_data":{"cwp_meta_box_check":"No"},"_links":{"self":[{"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/198"}],"collection":[{"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=198"}],"version-history":[{"count":16,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/198\/revisions"}],"predecessor-version":[{"id":217,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/198\/revisions\/217"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=\/wp\/v2\/media\/202"}],"wp:attachment":[{"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ruimoreira.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}