Skip to content

2019-09-23 Devops

Deploying Vault

Deploying Vault#

Download Vault from the HashiCorp Vault downloads page.

Ensure SHA256 matches:

grep linux_amd64 vault_1.2.2_SHA256SUMS
7725b35d9ca8be3668abe63481f0731ca4730509419b4eb29fa0b0baa4798458  vault_1.2.2_linux_amd64.zip

shasum -a 256 vault_1.2.2_linux_amd64.zip
7725b35d9ca8be3668abe63481f0731ca4730509419b4eb29fa0b0baa4798458  vault_1.2.2_linux_amd64.zip

Install unzip:

sudo apt-get install unzip

Unzip the file:

unzip vault_*.zip

Copy Vault to an accessible location:

sudo cp vault /usr/local/bin/

Let the binary perform memory locking without unnecessarily elevating its privileges:

sudo setcap cap_ipc_lock=+ep  /usr/local/bin/vault

Create a Vault system user:

sudo useradd -r -d /var/lib/vault -s /bin/nologin vault

The home directory is /var/lib/vault The shell is set to /bin/nologin, restricting the user to non-interactive access.

Set the owner of /var/lib/vault:

sudo install -o vault -g vault -m 750 -d /var/lib/vault

Create vault.hcl at /etc/vault.hcl with the following:

ui = true

backend "file" {
        path = "/var/lib/vault"
}

listener "tcp" {
        tls_disable = 0
        tls_cert_file = "/etc/letsencrypt/live/example.com/fullchain.pem"
        tls_key_file = "/etc/letsencrypt/live/example.com/privkey.pem"
}

Only allow the Vault user to access Vault’s configuration file:

sudo chown vault:vault /etc/vault.hcl
sudo chmod 640 /etc/vault.hcl

Create the Vault systemd daemon#

In /etc/systemd/system/vault.service:

[Unit]
Description=a tool for managing secrets
Documentation=https://vaultproject.io/docs/
After=network.target
ConditionFileNotEmpty=/etc/vault.hcl

[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.hcl
ExecReload=/usr/local/bin/kill --signal HUP $MAINPID
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
SecureBits=keep-caps
NoNewPrivileges=yes
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

Additional info in the sources for working with proper permissions on the certificates and routing requests to localhost from the expected domain.

Initialising Vault#

If you are not using HTTPS and a domain name, set:

export VAULT_ADDR=http://127.0.0.1:8200

Start vault and check status:

sudo systemctl start vault
sudo systemctl status vault

Check Vault status:

vault status

This will tell you the server is not yet initialised:

Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            n/a
HA Enabled         false

Initialise Vault:

vault operator init -key-shares=3 -key-threshold=2

You will now have a sealed vault:

stephen@vault:/etc$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          2
Unseal Progress    0/2
Unseal Nonce       n/a
Version            1.2.2
HA Enabled         false

Unseal it the required number of times:

vault operator unseal

Enable a secrets engine:

VAULT_TOKEN=$root_token vault secrets enable -path=mimecast kv

Write a secret:

VAULT_TOKEN=$root_token vault write mimecast/fixes.co.za username=mcmaley password=b0LDered!

Create a policy#

sudo vim policy.hcl

path "mimecast/fixes.co.za" {
    capabilities = ["read"]
}

Enable the policy:

VAULT_TOKEN=$root_token vault policy write fixes.co.za-readonly policy.hcl

Create a token for that policy:

VAULT_TOKEN=$root_token vault token create -policy="fixes.co.za-readonly"

View the tokens:

app_token=xxx
VAULT_TOKEN=$app_token vault read mimecast/fixes.co.za

The application token cannot list the path:

stephen@vault:~/policies$ VAULT_TOKEN=$app_token vault list mimecast/
Error listing mimecast/: Error making API request.

URL: GET http://127.0.0.1:8200/v1/mimecast?list=true
Code: 403. Errors:

* 1 error occurred:
    * permission denied

Make Vault accessible via IP#

If you are testing Vault and want it accessible via IP, you can add this to config.hcl:

listener "tcp" {
    address = "10.200.0.69:8200"
    tls_disable = 1
}

api_addr = "https://10.200.0.69:8200"

LDAP Configuration#

The mapping of groups and users in LDAP to Vault policies is managed by using the users/ and groups/ paths.

VAULT_TOKEN=$root_token vault auth enable ldap

Get the following config:

url = ldap://ldap.myorg.com
starttls = False
insecure_tls = true

binddn =
bindpass =
userdn =
userattr = uid

groupdn =
groupfilter =
groupattr =

For more information on the fields, check the Vault LDAP configuration documentation.

It is easier to do this via the web UI, because you otherwise end up doing something like this:

vault write auth/ldap/config \
    url="ldaps://ldap.example.com" \
    userattr="uid" \
    userdn="ou=Users,dc=example,dc=com" \
    discoverdn=true \
    groupdn="ou=Groups,dc=example,dc=com" \
    certificate=@ldap_ca_cert.pem \
    insecure_tls=false \
    starttls=true

Also check Vault group policy mapping. This also seems easier to configure in the UI.

Auditing#

Enable Syslog auditing:

VAULT_TOKEN=$root_token vault audit enable syslog

You can specify special parameters:

vault audit enable syslog tag="vault" facility="AUTH"

Source#