Hashicorp's solution to managing Secrets and Protecting Sensitive Data
What is Vault?
Vault is a tool developed by HashiCorp that stores secrets and manages their lifecycle (e.g., usernames/passwords, API keys, certificates, encryption keys).
Installation
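# Either the homebrew-core formula (built by the Homebrew project) ...
brew install vault
# ... or HashiCorp's own tap for the vendor-built release. Confirm with `vault version` afterwards.
brew tap hashicorp/tap
brew install hashicorp/tap/vault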
Vault Cheat Sheet
Vault Configuration Commands
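# View the server configuration (path varies by install; /etc/vault.d/vault.hcl is the packaged default).
# It names the storage backend, listener TLS material and any seal/KMS settings, so it should be
# owned by root (or the vault service user) and not world-readable: check with `ls -l /etc/vault.d/vault.hcl`.
cat /etc/vault.d/vault.hcl
# Validate/troubleshoot the configuration file. Point it at your configuration file path.
vault operator diagnose -config=/etc/vault.d/vault.hcl
# Initialize Vault for the first time (modify as needed): 3 unseal key shares are generated, any 2 of
# which unseal the vault. The command prints the shares AND the Initial Root Token to the terminal:
# hand each share to a different holder (or encrypt each share to its holder with -pgp-keys=...),
# and revoke the initial root token once a real auth method and policies are in place.
vault operator init \
  -key-shares=3 \
  -key-threshold=2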
Vault Operations
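# Get help
vault --help      # (-h)
vault kv --help   # help for any subcommand, e.g. kv
# Get vault version
vault version
# View vault status (sealed/unsealed, HA mode, cluster details)
vault status
# Unseal vault: run this once per key share until the threshold is met (each holder enters their own
# share). Auto-unseal (e.g. AWS KMS) removes this step. Running with no argument prompts for the share
# with echo off, so it never lands in shell history or `ps` output.
vault operator unseal   # then paste one key share at the hidden "Unseal Key" prompt
# Login to Vault. Do NOT pass the token as an argument (it is written to shell history and is visible
# to other users via `ps`); run with no argument and paste it at the hidden "Token" prompt.
vault login
# The CLI caches the token in plaintext at ~/.vault-token; add -no-store to keep it out of that file
vault login -no-store
# Restart Vault. The server comes back SEALED unless auto-unseal is configured: check with
# `vault status` and unseal again.
sudo systemctl restart vault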
Vault Dev Mode
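# Start Vault in dev mode (testing only, NOT for production): storage is in-memory, the server
# starts already unsealed, the root token is printed to the terminal, and it listens on
# http://127.0.0.1:8200 with TLS disabled.
vault server -dev
# Interact with vault from another terminal tab/window; point the CLI at the dev listener first
export VAULT_ADDR='http://127.0.0.1:8200'
# Hit Ctrl+C in the server's terminal to end the vault session
# Or start vault in the background and interact from the same terminal tab
vault server -dev &
VAULT_PID=$!
# Stop it with SIGTERM; kill -9 skips Vault's shutdown handling, so use it only if TERM is ignored
kill "$VAULT_PID"
# If the PID was not captured, look it up by process name instead of ps | grep
pgrep -f 'vault server -dev'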
Vault Secrets
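# Enable a KV secrets engine at the path "home/". `kv` alone enables KV v1; -version=2 (or the engine
# name `kv-v2`) enables versioned KV v2, which keeps secret history and supports soft-delete/undelete.
vault secrets enable -path=home/ -version=2 kv
# Write a secret at the path "home/tyler/vault-token". Syntax is key=value. A value of "-" is read
# from stdin and "@file" from a file, so the secret value never hits shell history or `ps` output.
# (Stashing the initial root token is itself questionable: revoke it once real auth is set up.)
vault kv put home/tyler/vault-token initial_root_token=-   # paste the value, then Ctrl+D
# Or load the value from a file
vault kv put home/tyler/vault-token initial_root_token=@/path/to/token.txt
# Retrieve a secret (add -field=initial_root_token to print only that value, e.g. for scripting)
vault kv get home/tyler/vault-token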
Vault Auth Methods
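# Enable the aws auth method at its default path auth/aws/
vault auth enable aws
# Provide a custom path and description for the aws auth method
vault auth enable -path=tylers-aws-path -description=aws-creds aws
# (vault auth list shows these details)
# Disable an auth method. This also revokes every token that was issued through it.
vault auth disable aws
# List auth methods
vault auth list
# Cap the lifetime of tokens issued by the token/ auth method at 1 hour. -max-lease-ttl is the ceiling
# a token can be renewed up to, not the default TTL (use -default-lease-ttl for that).
vault auth tune -max-lease-ttl=3600 token/
# Success! Tuned the auth method at: token/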
Vault Policies
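# Set these to the policy you are working with
POLICY_NAME=my-policy
POLICY_FILE=./my-policy.hcl
# List policies
vault policy list
# Read a policy
vault policy read "$POLICY_NAME"
# Check/format the policy file locally before uploading
vault policy fmt "$POLICY_FILE"
# Write (upload) a policy
vault policy write "$POLICY_NAME" "$POLICY_FILE"
# Test a policy by creating a token that carries it, then logging in with that token in a separate
# shell. A non-root caller can only grant policies it already holds; give the test token a short
# -ttl so it does not outlive the test.
vault token create -policy="$POLICY_NAME" -ttl=15m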
Vault Tokens
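# List the accessors of all tokens. An accessor can look up and revoke its token without exposing
# the token itself, which is why the commands below prefer it.
vault list auth/token/accessors
# Create a child token of the one you are logged in with. It inherits the caller's policies, so it is
# a root token only when run AS root. To regenerate a root token after the initial one is revoked,
# use the quorum-based `vault operator generate-root` instead.
vault token create
# View properties of a token (policies, TTL, num_uses) via its accessor
vault token lookup -accessor "$ACCESSOR"   # get accessors from: vault list auth/token/accessors
# Revoke a token, e.g. the initial root token once real auth methods and policies are in place.
# The CLI caches the current token in plaintext at ~/.vault-token.
vault token revoke "$TOKEN"
vault token revoke -accessor "$ACCESSOR"
# Revoke the token you are currently logged in with
vault token revoke -self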