Hashicorp Vault

Hashicorp's solution to managing Secrets and Protecting Sensitive Data

What is Vault?

Vault is a solution developed by Hashicorp that enables the storage and lifecycle of secrets (i.e., user/pass, API keys, certificates, encryption keys, etc.)

Installation

brew install vault

Vault Cheat Sheet

Vault Configuration Commands

# View vault configuration (stored on whichever server Vault is installed on). This file path can be different!
cat /etc/vault.d/vault.hcl

# Validate/troubleshoot configuration file. Point it to your configuration file path
vault operator diagnose -config=/etc/vault.d/vault.hcl

# Initialize Vault for the first time (modify as needed)
vault operator init \ 
-key-shares=3 \
-key-threshold=2

Vault Operations

# Get help
vault --help # (-h)
vault <command> --help # (-h)

# Get vault version
vault version

# View vault status (seal/unseal status)
vault status 

# Unseal vault (other options e.g., AWS KMS exist too)
vault operator unseal # hit enter
Unseal Key (will be hidden): # paste key shard value

# Login to Vault
vault login hvs.7j0Pi7dUJNE5GV3Z77HyCCBS

# Restart Vault
sudo systemctl restart vault

Vault Dev Mode

# Start Vault in Dev mode (testing only, not for production)
vault server -dev
	# interact with vault in another terminal tab / window
	# hit CMD+C to end the vault session

# Or start vault in the background and interact in the same terminal tab
vault server -dev &

# kill vault by finding the pid
ps -ef | grep 'vault server -dev'
kill -9 <PID>

Vault Secrets

# Create a secrets engine at the path of "home/"
vault secrets enable -path=home/ kv # kv-v2

# Save a secret to the file "vault-token" at the initial path "home/". Syntax is Key=Value
vault kv put home/tyler/vault-token "Initial Root Token:"=hvs.35fzQIN0BstyJxCj46W0ajiy

# Retrieve a secret
vault kv get home/tyler/vault-token

Vault Auth Methods

# Enable the aws auth method
vault auth enable aws

# Provide a custom path and description for the aws auth method
vault auth enable -path=tylers-aws-path -description=aws-creds aws
	# vault auth list (to see these details)

# Disable auth method
vault auth disable aws

# List auth methods
vault auth list

# Modify the token/ auth method's TTL so that the token expires after 1 hour
vault auth tune -max-lease-ttl=3600 token/
	#Success! Tuned the auth method at: token/

Vault Policies

# List policies
vault policy list

# Read a policy
vault policy read <policy name>

# Write (upload) a policy
vault policy write <policy name> <path to policy file>

# Test a policy by generating a token to login with it
vault token create -policy=<policy name>

Vault Tokens

# List all tokens in vault
vault list auth/token/accessors

# Create a new root token
vault token create

# View properties of a token
vault token lookup -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

# Revoke a token
vault token revoke <root token> # found in .vault-token
vault token revoke -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

Useful Resources

Vault product documentation | Vault | HashiCorp DeveloperVault product documentation | Vault | HashiCorp Developer

PreviousHashicorp Terraform NextIAC Scanning

Last updated 2 years ago

hashtagWhat is Vault?

hashtagInstallation

hashtagVault Cheat Sheet

hashtagVault Configuration Commands

hashtagVault Operations

hashtagVault Dev Mode

hashtagVault Secrets

hashtagVault Auth Methods

hashtagVault Policies

hashtagVault Tokens

hashtagUseful Resources

What is Vault?

Installation

Vault Cheat Sheet

Vault Configuration Commands

Vault Operations

Vault Dev Mode

Vault Secrets

Vault Auth Methods

Vault Policies

Vault Tokens

Useful Resources