
Introduction to Vault

What is HashiCorp Vault and what are its use cases?

What is HashiCorp Vault

HashiCorp Vault is a tool for securely managing secrets, encryption keys, and access to sensitive data in modern computing environments. Vault also offers an HTTP API, allowing applications to fetch secrets at runtime instead of storing them in static files like .env. This improves security by keeping sensitive data out of your codebase and your deployment artifacts.
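An added example of the runtime fetch just described (this is not code from the page or from HashiCorp's client libraries): a standard-library-only Python client that reads one secret from Vault's HTTP API. Assumed here, not stated on the page: a KV version 2 secrets engine mounted at secret/, the client token supplied in VAULT_TOKEN, and a secret stored at app1/database.

```python
"""Fetch a secret at runtime from Vault's HTTP API using only the standard library."""
import json
import os
import urllib.error
import urllib.request

# Assumptions (not from the page): a KV version 2 secrets engine is mounted at
# "secret/" and the client token arrives via the VAULT_TOKEN environment variable.

def address_is_acceptable(addr: str) -> bool:
    """Only send the token over TLS, or over loopback for the local test setup."""
    return addr.startswith("https://") or addr.startswith("http://127.0.0.1")

def build_request(addr: str, secret_path: str, token: str) -> urllib.request.Request:
    """GET /v1/secret/data/<path>; Vault authenticates the call via X-Vault-Token."""
    url = f"{addr.rstrip('/')}/v1/secret/data/{secret_path.strip('/')}"
    return urllib.request.Request(url, headers={"X-Vault-Token": token})

def parse_kv2_response(body: dict) -> dict:
    """KV v2 nests the secret under data.data, with version metadata beside it.
    Vault reports failures as an "errors" list, e.g. ["permission denied"]."""
    if body.get("errors"):
        raise PermissionError("; ".join(body["errors"]))
    return body["data"]["data"]

def fetch_secret(secret_path: str) -> dict:
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    if not address_is_acceptable(addr):
        raise ValueError("refusing to send a Vault token over plaintext HTTP")
    req = build_request(addr, secret_path, token)
    try:
        # urlopen verifies the server certificate against the system trust store
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_kv2_response(json.load(resp))
    except urllib.error.HTTPError as err:  # 403 etc. still carry Vault's JSON error body
        return parse_kv2_response(json.load(err))

if __name__ == "__main__":
    creds = fetch_secret("app1/database")
    print("fetched keys:", sorted(creds))  # log key names only, never the values
```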

Core Concepts

Understanding HashiCorp Vault means knowing its fundamental components, which together provide secure secret management and encryption in modern infrastructure.

Vault Server

The Vault Server is the central component that manages secrets, handles authentication, enforces policies, and provides APIs for clients. It is responsible for securely storing and controlling access to sensitive data.

Secrets Engines

Secrets Engines are plugins that handle different types of secrets, such as key-value pairs, database credentials, cloud access keys, or encryption keys. Each engine can generate, store, and manage secrets dynamically or statically, depending on the use case.

Authentication Methods

Vault supports multiple authentication methods, including tokens, userpass (username/password), LDAP, GitHub, and cloud provider IAM. These methods allow users and applications to prove their identity before accessing secrets.

Policies

Policies define fine-grained access control in Vault. They specify what actions users or applications can perform and which secrets or paths they can access, ensuring that only authorized entities interact with sensitive data.
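An added illustration of such a policy (not from the page), written in Vault's HCL policy syntax and assuming a KV version 2 secrets engine mounted at secret/, whose values live under secret/data/... and whose version metadata lives under secret/metadata/...:

```hcl
# Least-privilege policy for one application (added example, not from the page).
# Assumes a KV version 2 engine mounted at "secret/".

# Read only this application's own secrets
path "secret/data/app1/*" {
  capabilities = ["read"]
}

# List what exists without being able to read the values
path "secret/metadata/app1/*" {
  capabilities = ["list"]
}

# An explicit deny wins over any broader grant from another policy
path "secret/data/app1/admin/*" {
  capabilities = ["deny"]
}

# Lets the application renew and inspect its own token, nothing else
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
```

Load it with vault policy write app1 app1.hcl and issue a token bound to it with vault token create -policy=app1.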

Audit Devices

Audit Devices record all requests and responses to Vault, providing a detailed log for monitoring, compliance, and troubleshooting. This helps organizations track access and changes to secrets.

Use Cases

HashiCorp Vault is commonly used for:

  • Secret Management: Securely storing and accessing sensitive data like API keys and passwords.
  • Audit and Compliance: Logging all secret access for monitoring and compliance.
  • Multi-Environment Security: Managing secrets across development, staging, and production.

Installing Vault

To start using HashiCorp Vault, you need to install it on your system. Below are the installation commands for Debian and Ubuntu, using HashiCorp's signed apt repository.

wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault

Uninstalling Vault

If you no longer need HashiCorp Vault or want to reinstall it cleanly, here is how to remove the package, the repository entry, and the signing key added above.

sudo apt remove --purge vault
sudo rm /etc/apt/sources.list.d/hashicorp.list
sudo rm /usr/share/keyrings/hashicorp-archive-keyring.gpg
sudo apt update

Basic Configuration

Now that the Vault binary is installed, we can configure the server. Vault supports several storage backends; the Raft backend (Vault's integrated storage) is a common choice for keeping data on local disk.

Next, update the server configuration file at /etc/vault.d/vault.hcl so that it contains the following settings:

storage "raft" {
    path    = "/vault/data"
    node_id = "node1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui = true
disable_mlock = true

  • Storage Raft: Specifies the Raft (integrated storage) backend, which stores data on local disk.
  • Listener: Configures the TCP listener on port 8200 on all interfaces, with TLS disabled. That means plaintext traffic, acceptable only for a local test setup; HTTPS is enabled in the section below.
  • API Address: Defines the address Vault advertises for its API.
  • Cluster Address: Specifies the address used for Vault's cluster (node-to-node) communication.
  • UI: Enables the Vault web user interface.
  • Disable mlock: Disables the mlock syscall. This is needed on systems that cannot lock memory (such as some containers) and is what HashiCorp recommends when using integrated storage.

Next, create the directory where Vault will store its data and make it owned by the vault service user (the parent directory /vault must be created with root privileges, so mkdir is run as root and ownership is then handed over):

sudo mkdir -p /vault/data
sudo chown -R vault:vault /vault

Finally, restart the Vault service and enable it to start automatically on boot :

sudo systemctl restart vault.service
sudo systemctl enable vault.service

Set the Vault server address for your CLI session :

export VAULT_ADDR='http://127.0.0.1:8200'

Next, initialize Vault using the CLI. Run the following command to start the initialization process:

vault operator init

Secure Keys

Save the five unseal keys and the initial root token securely. By default any three of the five keys are needed to unseal Vault, so keep them in separate places (ideally with different custodians) and never alongside the root token.

Vault starts sealed after initialization: run vault operator unseal three times, supplying a different unseal key each time, and you have a functioning Vault server!

Securing Vault with HTTPS and Managing Logs

To secure your Vault server, it is recommended to enable HTTPS. While you can use a reverse proxy like Nginx, Vault natively supports HTTPS by configuring its listener with TLS certificates. Update your Vault configuration to specify the paths to your TLS certificate and private key:

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  # HCL strings must be double-quoted; single quotes do not parse
  tls_cert_file = "/etc/letsencrypt/live/{name_website}/fullchain.pem"
  tls_key_file  = "/etc/letsencrypt/live/{name_website}/privkey.pem"
}

# With TLS enabled, the advertised addresses must use https as well
api_addr     = "https://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
disable_mlock = true

This ensures all communication with Vault is encrypted, protecting sensitive data in transit. Make sure the vault service user can read both the certificate and the private key, and from now on point VAULT_ADDR at the https URL of the hostname the certificate was issued for.

Enable logging in Vault to track its operation and support compliance work. The log_level and log_file settings below control Vault's own server log; request-level access records come from the audit devices described above. Store logs securely and review them regularly.

Example configuration for enabling Vault's server log:

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  tls_cert_file = "/etc/letsencrypt/live/{name_website}/fullchain.pem"
  tls_key_file  = "/etc/letsencrypt/live/{name_website}/privkey.pem"
}

api_addr     = "https://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
disable_mlock = true
log_level = "info"
# The file must be writable by the vault service user
log_file  = "/var/log/vault.log"
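Per-request access records come from an audit device rather than from log_file; a file audit device is enabled with vault audit enable file file_path=/var/log/vault_audit.log. As an added example (not code from the page), the script below parses constructed entries in the shape of that device's JSON-lines output and flags two patterns worth reviewing: use of the root policy and repeated permission-denied responses from one identity and address.

```python
"""Triage file-audit-device entries (one JSON object per line) for access worth a look."""
import json
from collections import Counter

# Constructed sample entries in the shape Vault's file audit device writes. Vault
# HMACs tokens and secret values before logging them, so they never appear in clear.
SAMPLE_AUDIT_LOG = r"""
{"time":"2024-05-01T10:00:01Z","type":"request","auth":{"display_name":"userpass-alice","policies":["default","app1"]},"request":{"operation":"read","path":"secret/data/app1/database","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:01Z","type":"response","auth":{"display_name":"userpass-alice","policies":["default","app1"]},"request":{"operation":"read","path":"secret/data/app1/database","remote_address":"10.0.0.5"},"response":{"data":{"data":{"password":"hmac-sha256:0f3a"}}}}
{"time":"2024-05-01T10:02:10Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"operation":"read","path":"secret/data/app1/database","remote_address":"10.0.0.9"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:02:11Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"operation":"read","path":"secret/data/app1/ldap","remote_address":"10.0.0.9"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:02:12Z","type":"response","auth":{"display_name":"userpass-bob","policies":["default"]},"request":{"operation":"read","path":"secret/data/app1/aws","remote_address":"10.0.0.9"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:05:00Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"update","path":"sys/policies/acl/app1","remote_address":"10.0.0.7"}}
"""

def parse_audit_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(entries: list, denied_threshold: int = 3) -> list:
    """Flag root-policy use and repeated permission-denied errors per (identity, address)."""
    findings, denied = [], Counter()
    for entry in entries:
        if entry.get("type") != "response":
            continue  # the matching request entry carries the same request block
        auth, req = entry.get("auth", {}), entry.get("request", {})
        who, src = auth.get("display_name"), req.get("remote_address")
        if "permission denied" in entry.get("error", ""):
            denied[(who, src)] += 1
        if "root" in auth.get("policies", []):
            findings.append(f"root policy used by {who} from {src}: "
                            f"{req.get('operation')} {req.get('path')}")
    for (who, src), count in denied.items():
        if count >= denied_threshold:
            findings.append(f"{count} permission-denied responses for {who} from {src}")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```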