Step-by-step guide for installing and configuring HashiCorp Vault, a secrets management tool that provides secure, centralized storage and access control for tokens, passwords, certificates, and encryption keys.
HashiCorp Vault is a secrets management tool that provides a secure, centralized way to store and distribute secrets, encryption keys, and other sensitive data across your infrastructure.
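# Add HashiCorp GPG key (dearmored into a dedicated keyring rather than the global apt trust store)
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Verify the key before trusting anything signed with it: the fingerprint printed here must match
# the one HashiCorp publishes for its release-signing key (compare against <HASHICORP_KEY_FINGERPRINT>
# from the vendor documentation; do not continue on a mismatch).
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
# Add HashiCorp repository; signed-by pins this repo to the keyring above only
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
# Update and install Vault
sudo apt update
sudo apt install vault
# Configuration directory, owned by the vault service user the package creates.
# The config file written here later references TLS key material, so keep the directory
# out of reach of other local users.
sudo mkdir -p /etc/vault.d
sudo chown -R vault:vault /etc/vault.d
sudo chmod 750 /etc/vault.d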
Create /etc/vault.d/vault.hcl:
# Development-only configuration: single-node "file" storage and a TCP listener with TLS disabled.
storage "file" {
path = "/opt/vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200" # binds every interface; with tls_disable below, all API traffic (tokens included) crosses the network in plaintext
tls_disable = "true" # Only for development
}
api_addr = "http://127.0.0.1:8200" # plain http, consistent with tls_disable above
ui = true
# TLS-enabled configuration using integrated (Raft) storage; this is the shape intended for Production Setup.
storage "raft" {
path = "/opt/vault/data" # same path as the "file" backend above; NOTE(review): pick one backend before initializing, the two do not share data
node_id = "node1" # must be unique per node if further Raft peers are added (High Availability)
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/etc/vault.d/cert.pem"
tls_key_file = "/etc/vault.d/key.pem" # private key: readable by the vault user only
tls_client_ca_file = "/etc/vault.d/ca.pem" # CA used to validate client certificates; NOTE(review): on its own this does not require clients to present one - confirm against the listener docs if mutual TLS is intended
}
api_addr = "https://vault.example.com:8200" # advertised to clients and peers; should match a name in cert.pem
ui = true
# Start Vault in development mode.
# The dev server runs in the foreground of this terminal, stores everything in memory and starts
# already unsealed with TLS off - it is for local experiments only, never for real secrets.
vault server -dev
# Export Vault address (run this, and the commands that follow, in a second terminal)
export VAULT_ADDR='http://127.0.0.1:8200'
# Save the root token displayed at startup
# Start the Vault service now and register it to start on every boot
sudo systemctl enable --now vault
# Confirm the unit is active before moving on to initialization
sudo systemctl status vault
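# Initialize Vault: prints the unseal key shares (5 shares, 3 needed by default) and the
# initial root token. This output is shown exactly once - store the shares with separate
# custodians and the root token in a secure location, never in this shell's history.
vault operator init
# Unseal Vault (requires 3 keys by default).
# Run without an argument so each key is typed at the hidden prompt instead of being passed on
# the command line, where it would land in shell history and the process list.
vault operator unseal
vault operator unseal
vault operator unseal
# Login with root token (no argument: the token is read from a hidden prompt for the same reason)
vault login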
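# Enable file audit device first, so the configuration changes below are recorded.
# The directory must exist and be writable by the vault service user or enabling fails;
# once enabled, Vault stops serving requests if no enabled audit device can be written to,
# so watch disk space on this path.
sudo mkdir -p /var/log/vault
sudo chown vault:vault /var/log/vault
vault audit enable file file_path=/var/log/vault/audit.log
# Enable KV secrets engine (version 2) at the path "secret"
vault secrets enable -path=secret kv-v2
# Enable AWS secrets engine (it still needs its root credentials configured before it can issue anything)
vault secrets enable aws
# Write a secret. A value of "-" is read from stdin, keeping the password out of shell history
# and `ps` output; only one value per command can come from stdin.
vault kv put secret/myapp/config username=myuser password=-
# Read a secret
vault kv get secret/myapp/config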
Create app-policy.hcl:
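# Least-privilege policy for the KV v2 engine mounted at "secret".
# Reads go through the data/ prefix, but key listing in KV v2 is served from the metadata/
# prefix, so "list" on the data path alone does not allow `vault kv list secret/myapp`.
path "secret/data/myapp/*" {
capabilities = ["read", "list"]
}
path "secret/metadata/myapp/*" {
capabilities = ["list"]
}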
Apply policy:
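# Register the policy under the name the AppRole role below refers to
vault policy write app-policy app-policy.hcl
# Enable AppRole auth
vault auth enable approle
# Create role.
# token_policies attaches app-policy to the tokens this role issues; without it the role only
# grants the default policy and the application cannot read secret/myapp/*.
vault write auth/approle/role/my-role \
token_policies=app-policy \
secret_id_ttl=10m \
token_num_uses=10 \
token_ttl=20m \
token_max_ttl=30m \
secret_id_num_uses=40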
Seal Status
# Show seal state, HA mode and cluster details (exit code 0 = unsealed, 2 = sealed, 1 = error)
vault status
# Read the service's journal for startup and runtime errors
sudo journalctl --unit=vault
Permission Issues
# Hand the storage tree to the vault service user and keep other local users out of it
sudo chown --recursive vault:vault -- /opt/vault
sudo chmod 750 -- /opt/vault
TLS Issues
Production Setup
Security
High Availability