Playing with Vault


Like many other products HashiCorp [1] has brought to the world (remember Vagrant [2]?), Vault [3] is great and useful. It helps you manage secrets and protect sensitive data (I know some companies even use it to store their applications' configuration), and it's open source [4]!

The easiest way to check it out these days is with a Docker container. I tried the following steps and they work (Vault v1.1.3).

1. Create a working directory for vault to store data

$ mkdir vault

2. Inside the vault directory, create another directory for its configuration

$ cd vault
$ mkdir config

3. Create the configuration file inside the config dir and name it vault.json

$ cd config
$ nano vault.json

{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "ui": true
}

Note that this configuration disables TLS ("tls_disable": 1) to keep the demonstration simple. With TLS off, the unseal keys, the root token and every secret you read or write cross the wire in plaintext, so use this only in a throwaway lab; for anything real, keep TLS on and point the listener at a certificate with tls_cert_file and tls_key_file. The listener binds 0.0.0.0:8200 inside the container, but since no port is published with -p below, it is only reachable from inside the container or its Docker network. The "file" backend (the current name for this stanza is "storage"; the older "backend" spelling is still accepted) keeps all data under /vault/file on a single node, which is fine for a demo but not an HA setup.

4. Run the docker command to start the vault server container

$ docker exec -it $(docker run -d -v /path/to/vault:/vault --cap-add=IPC_LOCK vault server) /bin/sh

This drops you into the container's shell; the remaining steps run inside the container. The image's entrypoint starts vault server -config=/vault/config, so it picks up the vault.json from the mounted directory and writes data to /vault/file. The --cap-add=IPC_LOCK flag lets Vault mlock its memory so secrets are not swapped to disk.

5. Run this command inside the container so the vault CLI knows where the server is (plain HTTP, because TLS is disabled in the config)

export VAULT_ADDR='http://127.0.0.1:8200'

6. Still inside the container, initialize vault server by running this

vault operator init

Write down the root token and the unseal keys. You will need them later. By default init produces 5 key shares with an unseal threshold of 3; in real use each share goes to a different person and the root token is revoked (vault token revoke) once initial setup is done.

7. Unseal with 3 of the 5 key shares from the previous step (3 is the default threshold; any 3 will do), for example

vault operator unseal HvoOsoDsQnsLlnAOEkYdyD3kG87YJf5f7W6pq5FcVCOf
vault operator unseal ...
vault operator unseal ...

8. Log in using the root token you wrote down in step 6

vault login <the root token>

9. Enable a key/value secrets engine at a path of your choosing, for example 'secret'. Without -version=2 this mounts KV version 1, which is what the write and read commands below assume (for KV v2 you would use vault kv put and vault kv get instead)

vault secrets enable -path=secret kv

10. Write your first secret key/value. Note that a value passed on the command line like this ends up in your shell history and is visible in ps; for anything but a demo, read it from stdin with password=- or from a file with password=@file

vault write secret/mysql username=dbadmin password=mypasswd

11. Now you can read it back

vault read secret/mysql

12. The whole Vault (not just one secret) can be sealed quickly if you suspect an intrusion. Sealing drops the master key from memory, so Vault can no longer decrypt anything in its storage; nothing can be read or written until it is unsealed again with the threshold of key shares.

vault operator seal

Now you can neither read from nor write to Vault.

13. To read from or write to Vault again, unseal it with 3 of the key shares as in step 7 (any 3 of the 5 shares will do).
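The thirteen steps above as one script, added here as an example and not part of the original post. It is meant to be run inside the container against the vault CLI; the helpers that parse the text output of vault operator init are plain sed, so they can be tried without a server, the VAULT_DEMO_RUN=1 gate is my own convention for that, and the sample init output at the bottom is constructed with fake values. Beyond the steps above, it checks the seal state through the exit code of vault status and passes the password on stdin instead of the command line.

```shell
#!/bin/sh
# Added example (not from the original post): the init/unseal/write/read/seal
# procedure as one script. Assumptions (mine, not the post's): `vault` is on
# PATH, the server listens at $VAULT_ADDR, and the live sequence only runs when
# VAULT_DEMO_RUN=1 is set, so the helpers can be sourced and tested offline.
set -eu

# Print the first $2 unseal key shares from `vault operator init` text output ($1).
unseal_keys_from_init() {
  printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9][0-9]*: //p' | head -n "$2"
}

# Print the initial root token from `vault operator init` text output ($1).
root_token_from_init() {
  printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'
}

# Feed each key share (one per line in $1) to `vault operator unseal`.
unseal_with_keys() {
  printf '%s\n' "$1" | while IFS= read -r key; do
    if [ -n "$key" ]; then
      vault operator unseal "$key" >/dev/null
    fi
  done
}

# `vault status` exits 0 when unsealed, 2 when sealed, 1 on any other error.
vault_sealed() {
  rc=0
  vault status >/dev/null 2>&1 || rc=$?
  case $rc in
    0) return 1 ;;
    2) return 0 ;;
    *) echo "vault status failed (exit $rc)" >&2; exit 1 ;;
  esac
}

demo() {
  # Step 5: plain HTTP because the demo config sets tls_disable.
  : "${VAULT_ADDR:=http://127.0.0.1:8200}"
  export VAULT_ADDR

  # Step 6: initialize. Shares and root token live only in shell variables for
  # this demo; in real use each share goes to a different person.
  init_out=$(vault operator init -key-shares=5 -key-threshold=3)
  keys=$(unseal_keys_from_init "$init_out" 3)
  token=$(root_token_from_init "$init_out")

  # Step 7: unseal with exactly the threshold and confirm the state changed.
  unseal_with_keys "$keys"
  if vault_sealed; then
    echo "still sealed after 3 shares" >&2
    exit 1
  fi

  # Steps 8-9: log in without echoing the token, mount KV v1 at secret/.
  vault login -no-print "$token"
  vault secrets enable -path=secret kv

  # Steps 10-11: pass the password on stdin ('-') so it never appears in shell
  # history or `ps`; read back a single field.
  printf '%s' 'mypasswd' | vault write secret/mysql username=dbadmin password=-
  vault read -field=username secret/mysql

  # Step 12: seal, then show that reads are refused while sealed.
  vault operator seal
  if ! vault_sealed; then
    echo "seal did not take effect" >&2
    exit 1
  fi
  if vault read secret/mysql >/dev/null 2>&1; then
    echo "read succeeded on a sealed vault" >&2
    exit 1
  fi

  # Step 13: any 3 shares unseal it again; here the same 3.
  unseal_with_keys "$keys"
  vault read -field=username secret/mysql
}

# Constructed sample of `vault operator init` text output (fake values) for
# exercising the parsers above without a server.
SAMPLE_INIT_OUTPUT='Unseal Key 1: key-share-one
Unseal Key 2: key-share-two
Unseal Key 3: key-share-three
Unseal Key 4: key-share-four
Unseal Key 5: key-share-five

Initial Root Token: s.fake-root-token

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

if [ "${VAULT_DEMO_RUN:-}" = "1" ]; then
  demo
fi
```

Run it inside the container with VAULT_DEMO_RUN=1 sh demo.sh after step 5; without that variable it only defines the helpers. The unseal keys still sit in the shell's memory while the script runs, which is acceptable for a lab and nowhere else.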

Ok, have fun :)


References:

[1] https://www.hashicorp.com/#connect
[2] https://www.vagrantup.com/
[3] https://www.vaultproject.io/
[4] https://github.com/hashicorp/vault
