HashiCorp Vault is a popular tool for managing secrets and encryption in cloud environments. It lets you store, access, and distribute sensitive data securely across different applications and platforms. In this blog post, I will show you how to install HashiCorp Vault on Debian 11 (Bullseye), the latest stable release of the Debian operating system.
Step 1: Install dependencies
The first step is to install the packages that the HashiCorp Vault installation needs: unzip, curl, gnupg, and software-properties-common (which provides the apt-add-repository command used in the next step). To install them, run the following commands as root:
apt update
apt install unzip curl gnupg software-properties-common -y
Step 2: Add the HashiCorp repository
The next step is to add the official HashiCorp repository to our system. This will allow us to install the latest version of Vault from the HashiCorp package source.
To do this, run the following commands (apt-key is deprecated on Debian 11 and prints a warning, but the signing key is still imported):
curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
Step 3: Install HashiCorp Vault
Now that we have added the HashiCorp repository, we can install Vault with the following commands:
apt update
apt install vault -y
This will install Vault and its dependencies on our system.
We can verify the installation by running:
vault --version
We should see something like this:
Vault v1.13.1 (4472e4a3fbcc984b7e3dc48f5a8283f3efe6f282), built 2023-03-23T12:51:35Z
Step 4: Configure HashiCorp Vault
The next step is to configure Vault for our use case. There are many options and settings that we can customize, but for this tutorial, we will use a simple file-based storage backend.
First, create a configuration file for Vault at /etc/vault.d/vault.hcl with the following content:
storage "file" {
  path = "/var/lib/vault/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr = "http://<your_server_ip>:8200"
ui = true
Replace <your_server_ip> with your actual server IP address.
This configuration tells Vault to store its data in the /var/lib/vault/data directory, listen on port 8200 on all interfaces, disable TLS encryption (not recommended for production, because tokens and secrets would then cross the network in cleartext), set the API address that Vault advertises to clients, and enable the web UI.
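To make the "not recommended for production" settings easy to spot before the service ever starts, here is a small lint script I added for this post (it is not part of Vault or of the original tutorial). It assumes the vault.hcl layout above with one directive per line, and the constructed sample configs use a documentation IP and placeholder certificate paths.

```shell
#!/bin/sh
# Added example, not from the original post: lint a vault.hcl in the layout
# shown above for the settings the tutorial calls "not recommended for
# production". Prints the finding count on stdout, details on stderr.

check_vault_hcl() {
    file="$1"
    n=0
    # Listener bound to every interface: the API is reachable from outside.
    if grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*"0\.0\.0\.0:' "$file"; then
        echo "WEAK: listener address is 0.0.0.0 (bind a specific IP)" >&2
        n=$((n + 1))
    fi
    # TLS off: tokens and secrets cross the network in cleartext.
    if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?' "$file"; then
        echo "WEAK: tls_disable set (use tls_cert_file/tls_key_file)" >&2
        n=$((n + 1))
    fi
    # Advertised API address is plain http, so clients are steered to it.
    if grep -Eq '^[[:space:]]*api_addr[[:space:]]*=[[:space:]]*"http://' "$file"; then
        echo "WEAK: api_addr uses http:// rather than https://" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample: the listener block as the tutorial writes it (3 findings).
weak_config() {
    cat <<'EOF'
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
api_addr = "http://192.0.2.10:8200"
EOF
}

# Constructed sample: TLS on, bound to one address, https advertised (0 findings).
# The certificate paths are placeholders.
hardened_config() {
    cat <<'EOF'
listener "tcp" {
  address       = "192.0.2.10:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}
api_addr = "https://192.0.2.10:8200"
EOF
}
```

Run it as `check_vault_hcl /etc/vault.d/vault.hcl` after writing the file; a count of 0 means none of the three weak settings is present.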
Next, create the data directory and set the ownership and permissions:
mkdir -p /var/lib/vault/data
chown -R vault:vault /var/lib/vault
chmod -R 770 /var/lib/vault
Then, edit the systemd service file for Vault at /etc/systemd/system/vault.service and add the following lines to it:
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
Environment=VAULT_ADDR=http://<your_server_ip>:8200
[Install]
WantedBy=multi-user.target
Again, replace <your_server_ip> with your actual server IP address.
The Environment= line sets the VAULT_ADDR environment variable for the Vault service process; VAULT_ADDR is the variable the vault command-line tool reads to find the Vault server. Note that a setting in the unit file is not inherited by your interactive shell, which is why Step 5 exports VAULT_ADDR separately before using the CLI.
Finally, reload the systemd daemon, then start and enable the Vault service:
systemctl daemon-reload
systemctl start vault
systemctl enable vault
We can check the status of the service with:
systemctl status vault
We should see something like this:
● vault.service - HashiCorp Vault
     Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-12-31 07:15:23 UTC; 2min 13s ago
       Docs: https://www.vaultproject.io/docs/
   Main PID: 1234 (vault)
      Tasks: 10 (limit: 2286)
     Memory: 18.7M
        CPU: 191ms
     CGroup: /system.slice/vault.service
             └─1234 /usr/bin/vault server -config=/etc/vault.d/vault.hcl
Step 5: Initialize and unseal HashiCorp Vault
The last step is to initialize and unseal Vault. Initialization is a one-time process that generates the encryption key and a set of unseal keys for our Vault instance.
First, tell the vault command-line tool where the server is listening:
export VAULT_ADDR=http://127.0.0.1:8200
Then we can initialize the vault:
vault operator init
We should see something like the following:
Unseal Key 1: s4rEK0ZHSJn59Tq02mHDAgYQcvUvL7loXgu6l2qBCRob
Unseal Key 2: f8SZ96W5WMjKSnlHoyK5FncRiQlreHpuL70UnRXCxrKS
Unseal Key 3: 6UaxsnCTXS6BQ7nSAjFHZS3E13G9cZNjSvRQC7Pgk5Ot
Unseal Key 4: eNpr3yhBdDpbHHj2Femjg+bkA9Yj0D3f4nz1wZsoPinp
Unseal Key 5: Ny3f1qUGA6N6LfXucjZOFOw+UEpHMzrOawwA9CvOjXkK
Initial Root Token: hvs.PdnYCp1v7aL42PvUxyohFwlD
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Let’s store these unseal keys and the initial root token somewhere safe and never share them with people who should not have admin access to our vault!
We can unseal Vault with the unseal command. Because the threshold is 3, the command has to be run three times, each time with a different unseal key; the output below is what Vault reports after the third key:
# vault operator unseal
Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.13.1
Build Date      2023-03-23T12:51:35Z
Storage Type    file
Cluster Name    vault-cluster-4a4f1dab
Cluster ID      e6218797-ff47-36a3-0121-3a8657db5a37
HA Enabled      false
After three of the five unseal keys have been provided, Vault reports Sealed false: the vault is now unsealed and ready for operation.