In this post we going to install and configure a single vault server for production, this is the part 1
The objective of this series is to gradually harden the vault server until we have a secure production cluster with the recommendations of Hashicorp
Recommendations from Hashicorp
- End-to-End TLS
- Single Tenancy
- Firewall Traffic
- Disable SSH / Remote Desktop
- Disable Swap
- Don’t run as root
- Turn Off Core Dumps
- Immutable Upgrades
- Avoid Root Tokens
- Enable Auditing
- Upgrade Frequently
- Configure SELinux / AppArmor
- Restrict Storage Access
- Disable Shell Command History
- Tweak ulimits
- Memory Lock in docker containers
- No Clear Text Credentials
After we finish the installation, we going to review this list one by one, for now, if you want to know more you can read it on the Vault Production Hardening page
Besides this in the later post’s I will also cover:
- High Availability (HA)
- Persistent and durable Back-end
In this post, we will cover
- Apply the memory lock to the Docker container
- Mount a host directory for initial back-end and auditing (for enable in a future post)
- Download Binary from Hashicorp web page
- Install Vault
- Linux commands basic knowledge
- A Debian computer (I’m using Ubuntu 20.04)
- Basic Docker knowledge, you can see my other Docker’s post here
1. Create a volume in docker we going to use this volume later for auditing
docker volume create vault_data
2. Run a container with the latest Ubuntu and we going to publish the port 8200 and 8201 in the host for vault, if you want to know more about the working ports of Vault you can check it here
docker container run -it -d -p 8200:8200 -p 8201:8201 \ --mount source=vault_data,destination=/mnt/vault \ --cap-add=IPC_LOCK --name ubuntu_vault ubuntu /bin/bash
In the last command we
- Specify the memory lock with the capability IPC_LOCK and the command –cap-add you need to have overlayfs2 as storage driver Docker container run reference
- Mount the vault_data volume for the initial vault backend (data) and enable in a later post, auditing.
3. Connect to the container to install and run vault from there.
docker container exec -it ubuntu_vault /bin/bash
4. Install some tools we going to need later.
apt update && apt install wget -y unzip nano
Is possible that you need to use the command sudo in front of your commands if you are not using a container, for example:
sudo apt update && sudo apt install wget -y
5. We need to know what architecture you are working on, you can use uname -m to check it.
uname -m aarch64
In my case, as I’m running the image in a Raspberry pi 4, my architecture is aarch64 (arm64).
6. Go to the Hashicorp Vault download page here and we need to select the right binary and architecture to download.
And instead of hitting the Download button do a right-click and select “Copy Link Location”.
Now in you have everything to install in the container, we need to download the binary in the container.
7. Run the command wget and paste the Link.
8. Unzip the binary and delete the zip file
9. Test the vault binary
./vault version Vault v1.5.4 (1a730771ec70149293efe91e1d283b10d255c6d1)
10. Check your environment path, to be able to execute everywhere.
You can use the command "echo $PATH" to know that are the environment variables.
root@60af5e1b7139:/# echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
11. Move the vault binary to a PATH environment folder, personally,y I prefer /usr/local/bin/ because is always empty.
mv vault /usr/local/bin
12. Lets check the installation again, now with the environment path, this time you can execute the binary from any working directory.
vault version Vault v1.5.4 (1a730771ec70149293efe91e1d283b10d255c6d1)
Well done, in the next post we going configure and start the vault server.
To clean up.
- Stop the container
docker container ubuntu_vault stop
- Additionally if you dont going to use the container anymore you can remove the container and delete the image.