A Vault Tutorial. Part 5

Published: Feb 9, 2019 by Isaac Johnson

So far our basic containerized Vault has worked for dev, but in its current form it is not re-deployable: the in-memory storage backend loses everything when the process stops.  We would never use in-memory storage for keys; we want them persisted.

We can use HCL to define a storage backend and launch Vault locally to verify the HCL.

To illustrate, I created a sample Azure storage account and blob container and referenced its access key in the config.

$ cat idj-azure-vault.hcl 
storage "azure" {
  accountName = "idjvaulttest"
  accountKey = "d51Zm0CSnNamDvTrUL7AAxu+yWIc4+MrdDD1WulbWg85CoJYFWDA2euajy+57jiF3jz87CqxfoLWzAnzL5fUcw=="
  container = "idjvaultcontainer"
}

listener "tcp" {
 address = "127.0.0.1:8200"
 tls_disable = 1
}

$ vault server -config=idj-azure-vault.hcl 
WARNING! mlock is not supported on this system! An mlockall(2)-like syscall to
prevent memory from being swapped to disk is not supported on this system. For
better security, only run Vault on systems where this call is supported. If
you are running Vault in a Docker container, provide the IPC_LOCK cap to the
container.
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: (not set)
                   Mlock: supported: false, enabled: false
                 Storage: azure
                 Version: Vault v1.0.1
             Version Sha: 08df121c8b9adcc2b8fd55fc8506c3f9714c7e61

==> Vault server started! Log data will stream in below:

2019-01-01T12:58:21.205-0600 [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set

Operator Init

The first time we launch Vault against a new backend we need to “init” the cluster.

Here you can see I changed the listener away from the default port (to 9990) and init'ed the local instance (running against Azure Blob storage):

$ cat idj-azure-vault.hcl 
storage "azure" {
  accountName = "idjvaulttest"
  accountKey = "d51Zm0CSnNamDvTrUL7AAxu+yWIc4+MrdDD1WulbWg85CoJYFWDA2euajy+57jiF3jz87CqxfoLWzAnzL5fUcw=="
  container = "idjvaultcontainer"
}

listener "tcp" {
 address = "127.0.0.1:9990"
 tls_disable = 1
}
$ vault server -config=idj-azure-vault.hcl
WARNING! mlock is not supported on this system! An mlockall(2)-like syscall to
prevent memory from being swapped to disk is not supported on this system. For
better security, only run Vault on systems where this call is supported. If
you are running Vault in a Docker container, provide the IPC_LOCK cap to the
container.
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:9990", cluster address: "127.0.0.1:9991", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: (not set)
                   Mlock: supported: false, enabled: false
                 Storage: azure
                 Version: Vault v1.0.1
             Version Sha: 08df121c8b9adcc2b8fd55fc8506c3f9714c7e61

==> Vault server started! Log data will stream in below:
..2019-01-01T13:12:08.434-0600 [INFO] core: cluster listeners successfully shut down
2019-01-01T13:12:08.434-0600 [INFO] rollback: stopping rollback manager
2019-01-01T13:12:08.434-0600 [INFO] core: pre-seal teardown complete

Now we can run operator init to generate our unseal keys and the initial root token.  By default Vault splits the master key into 5 Shamir shares and requires any 3 of them to unseal.

$ export VAULT_ADDR="http://127.0.0.1:9990"
AHD-MBP13-048:~ isaac.johnson$ vault operator init
Unseal Key 1: 7Zk7e298NV1ZRT9rouryXf1O41/erScyoaUOANibj/p0
Unseal Key 2: aqephGg4K6DFp4gFrK+XuR+g1RCOOcuurxLL42AiXXFK
Unseal Key 3: nKkeSIDVChwZDiFrYv+WmHiTT7ujM+rL3+uzGWkT3ZRU
Unseal Key 4: NiNOyWEGqaR2ssveIFDMA7bWrLoYBzSnDHKUOzjT2RyW
Unseal Key 5: uX8zJXydLHFKntbqEcSSpYVHzkMKYhVxfN/w6c60wl29

Initial Root Token: s.GajsySoAWg7fWANaA1jYB1ws

Vault initialized with 5 key shares and a key threshold of 3. Please securely...

Unsealing

Every time a Vault server starts, it does so in a sealed state.  We need to unseal it with at least 3 of these keys.

We can use the operator unseal command repeatedly to unseal the Vault.  When we've reached the threshold, we can see "Sealed" change to false.

$ vault operator unseal
Unseal Key (will be hidden): 
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce 160f8b32-c70e-80a5-aa85-abbd09ae9a3b
Version 1.0.1
HA Enabled false
$ vault operator unseal
Unseal Key (will be hidden): 
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce 160f8b32-c70e-80a5-aa85-abbd09ae9a3b
Version 1.0.1
HA Enabled false
$ vault operator unseal
Unseal Key (will be hidden): 
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.0.1
Cluster Name vault-cluster-f2fb0f8a
Cluster ID 2b8cfa34-80ef-5b56-90cf-c1b9060215f5
HA Enabled false

$ vault login s.GajsySoAWg7fWANaA1jYB1ws
Success! You are now authenticated. The token information displayed below… 

…
==> Vault server started! Log data will stream in below:

2019-01-01T13:17:09.189-0600 [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2019-01-01T13:19:01.121-0600 [INFO] core: vault is unsealed
2019-01-01T13:19:01.326-0600 [INFO] core: post-unseal setup starting
2019-01-01T13:19:01.436-0600 [INFO] core: loaded wrapping token key
...