In this post we going to install and configure a vault server for production, this is the part 2.

In this post we will cover

  • Checking the installation
  • Creating the configuration files for Vault
  • Test the installation
  • Test the web UI

Requirements:

  • Linux commands basic knowledge.
  • A Debian computer (I’m using Ubuntu 20.04)
  • Basic Docker knowledge, you can see my other Docker’s post here.

Hands On:

  1. Connect to the docker container with the exec command, and move to the working directory
docker container exec -it ubuntu_vault /bin/bash
cd /mnt/vault

2. Create the folders for the configuration files and data in the /mnt/vault path and enter the directory

mkdir data config-files
cd config-files

3. Create a file named vault.hcl, edit the file and add the configuration for vault.

touch vault.hcl
nano vault.hcl
storage "file" {
  path = "/mnt/vault/data"
}
listener "tcp" {
  tls_disable = 1
  address     = "0.0.0.0:8200"
}
ui = true
Tip, you can paste normally with control-V and then use Control-O to save, and Control-X to quit. If you need to know more command in nano you can visit the Ubuntu Documentation
  • The storage part is the backend where Vault will storage all his data, we are putting the data in /mnt/vault/data.
  • The tcp listener tells vault to respond from any network on port 8200.
  • ui part enables the Vault UI (Web).

4. Start the server in production mode and pass the configuration folder

vault server -config=/mnt/vault/config-files/

You will get something like this

==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.14.7
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.5.4
             Version Sha: 1a730771ec70149293efe91e1d283b10d255c6d1

==> Vault server started! Log data will stream in below:

2020-09-29T20:59:05.391Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=

You will see here that the vault server is running and memory lock (MLock) is supported and enabled.

5. export the VAULT_ADDR this let the vault binary where is vault responding address and port.

export VAULT_ADDR='http://127.0.0.1:8200'

6. Initialized the vault server with vault operator init.

vault operator init

Unseal Key 1: +Qkda2AKtmWZYVJx/NnGt8a/rMdkaE82qvQn510J5knc
Unseal Key 2: ViPzHqmtdCMR6ckPwwf/JK9ULlKXTg8epVF3bvZz7c5L
Unseal Key 3: Eu0HSzz20pzBFKR8c6kUBVQNbq7j7LDJ+WIE/lNg1nmV
Unseal Key 4: s73B19sP9kS/RFOTkPKWCepgclZNL5hSvro3I9FsJ5J0
Unseal Key 5: PupDoVSUXsphQ2cwrn4O6CWDg92p2axVtpJXnWAZ36tA

Initial Root Token: s.pJdMkJuZ6em1Kvwk92ehN8C2

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

You will get the unseal keys and the root token, this is the only time this information will be on screen so make sure to save it temporarily until we finish the lab, Hashicorp do not recommend to store the unseal keys in the same place.

When you init the server vault will start in sealed mode, you need to unseal it to vault can access the backend storage, you can read more at Hashicorp Seal/Unseal

7. Unseal the vault server.

Once you init the server, you need a different terminal to unseal.

Repeat this command three times and put a different unseal key each time.

vault operator unseal

It only need three unseal keys to unlock  and generate the master key to access the vault data.

Remember that every time the vault server is started it will start Seal, if you want to know more of how to AutoUnseal you can read more at Hashicorp AutoUnseal

At the third time you put the Unseal Key’s you will get

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.5.4
Cluster Name    vault-cluster-e32c8c61
Cluster ID      7f484d64-65c8-204b-c1db-239dee0eac26
HA Enabled      false

8. Test the Vault server.

If you try to do any operations that will require admin access like listing the auth methods, you will get an error.
vault auth list

Error listing enabled authentications: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/auth
Code: 400. Errors:

* missing client token

That is because you haven't use the root token, in dev mode vault automatically use the root token for every petition, in production if you want to work with the root token, you need to export the VAULT_TOKEN variable with it.

export VAULT_TOKEN=s.pJdMkJuZ6em1Kvwk92ehN8C2

After this you have can use commands with root access.

vault auth list
Path      Type     Accessor               Description
----      ----     --------               -----------
token/    token    auth_token_ceb73f6e    token based credentials
Hashicorp recommend to not use the root token, instead is recommended to add tokens with administrative access and revoke the root token.

9. Check the UI, you can use your root token to temporarily access.

you only need to connect to the computer IP in your browser in my case is http://192.168.1.50:8200/ui  8200 that is the port Vault will respond.

10. login with your root token.

Well done, you finish the Part 2!

To clean up.

  • You can press control - C the terminal where is running vault to stop the server
  • Stop the container docker container ubuntu_vault stop
  • Additionally if you dont going to use the container any more you can remove the container and delete the image.
docker container rm ubuntu_vault
docker container image rm ubuntu
`

References: