HashiCorp Vault

HashiCorp's solution for managing secrets and protecting sensitive data

What is Vault?

  • Vault is a tool developed by HashiCorp for storing secrets (user/password pairs, API keys, certificates, encryption keys, etc.) and managing their lifecycle: issuing, renewing, rotating and revoking them, with every access authenticated and checked against a policy


# Install the CLI on macOS with Homebrew (Linux packages and binaries are available from HashiCorp as well)
brew install vault

Vault Cheat Sheet

Vault Configuration Commands

# View the server configuration (stored on whichever host runs the Vault server). The path can differ per install!
cat /etc/vault.d/vault.hcl

# Validate/troubleshoot the configuration file. Point it at your configuration file path
vault operator diagnose -config=/etc/vault.d/vault.hcl

# Initialize Vault for the first time (modify as needed). This prints the unseal key shares and the initial root token
# exactly once: distribute the shares to different people/places and never store them next to each other.
# -key-shares: how many shares to split the master key into
# -key-threshold: how many of those shares are needed to unseal (defaults to 3; must be <= key-shares)
vault operator init \
  -key-shares=3 \
  -key-threshold=2

Vault Operations

# Get help
vault --help # (-h)
vault <command> --help # (-h)

# Get vault version
vault version

# View vault status (seal/unseal status)
vault status 

# Unseal vault (auto-unseal with a KMS such as AWS KMS is an alternative). Run the command once per key share
# until "Sealed" in `vault status` flips to false (i.e., until -key-threshold shares have been entered).
# Paste the share at the prompt rather than passing it as an argument, so it does not land in your shell history.
vault operator unseal # hit enter
Unseal Key (will be hidden): # paste key shard value

# Login to Vault. Passing the token as an argument works, but it ends up in shell history; running plain
# `vault login` prompts for it instead. The token is cached in ~/.vault-token for later commands.
vault login hvs.7j0Pi7dUJNE5GV3Z77HyCCBS

# Restart Vault
sudo systemctl restart vault

Vault Dev Mode

# Start Vault in Dev mode (testing only, not for production): storage is in-memory, the server starts already
# unsealed, it listens on http://127.0.0.1:8200 without TLS, and the single unseal key and root token are printed to the terminal
vault server -dev
	# interact with vault in another terminal tab / window
	# hit Ctrl+C to end the vault session

# The CLI defaults to https://127.0.0.1:8200, so point it at the plain-HTTP dev listener first
export VAULT_ADDR='http://127.0.0.1:8200'

# Or start vault in the background and interact in the same terminal tab
vault server -dev &

# Stop the dev server by finding the pid (a plain kill sends SIGTERM and lets Vault shut down cleanly; -9 is a last resort)
ps -ef | grep 'vault server -dev'
kill <PID>

Vault Secrets

# Enable a KV secrets engine at the path "home/" (KV version 1)
vault secrets enable -path=home/ kv

# Or enable KV version 2 (versioned secrets; note that v2 stores data under home/data/... and metadata under
# home/metadata/..., which matters when you write policies)
vault secrets enable -path=home/ -version=2 kv

# Write a secret at the path "home/tyler/vault-token" in that mount. Each argument is Key=Value; a path can hold several keys.
# Values given on the command line end up in shell history: prefer key=@file to read the value from a file, or key=- to read it from stdin.
# (Storing the initial root token inside Vault, as below, is circular: revoke the root token once real auth methods are in place.)
vault kv put home/tyler/vault-token "Initial Root Token:"=hvs.35fzQIN0BstyJxCj46W0ajiy

# Retrieve a secret
vault kv get home/tyler/vault-token

Vault Auth Methods

# Enable the aws auth method
vault auth enable aws

# Provide a custom path and description for the aws auth method
vault auth enable -path=tylers-aws-path -description=aws-creds aws
	# vault auth list (to see these details)

# Disable auth method
vault auth disable aws

# List auth methods
vault auth list

# Tune the token/ auth method so that no token it issues can live longer than 1 hour (durations accept seconds or
# suffixes such as 1h; -default-lease-ttl sets the TTL used when a request does not ask for one)
vault auth tune -max-lease-ttl=3600 token/
	#Success! Tuned the auth method at: token/

Vault Policies

# List policies
vault policy list

# Read a policy
vault policy read <policy name>

# Write (upload) a policy from an HCL file (use "-" as the path to read the policy from stdin)
vault policy write <policy name> <path to policy file>

# Test a policy by generating a token that carries it and logging in with that token. The token also gets the
# "default" policy unless you pass -no-default-policy; give it a short -ttl so test tokens do not linger
vault token create -policy=<policy name> -ttl=15m
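The "Vault Secrets" and "Vault Policies" sections above both rely on a policy that scopes a token to one prefix of the kv mount, and the detail the CLI hides is that a KV v2 mount exposes secrets under <mount>/data/... and <mount>/metadata/..., so a policy written against the CLI path grants nothing. The script below is an added example, not code from the original cheat sheet or from HashiCorp: kv_policy prints a least-privilege policy for one prefix (working for both kv versions), and demo, run against a live dev server, installs it, mints a scoped token and checks that the token can reach its own prefix and nothing else. The mount name "home", the prefix "tyler" and the policy name "tyler-kv" are assumptions taken from the page's own examples; the stored value is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example (not from the original cheat sheet or from HashiCorp).
# Assumes a kv mount at "home/" and a user prefix "tyler", as on the page.
set -eu

# Print an HCL policy granting one prefix of a kv mount to a token.
# For kv-v2 the CLI path "home/tyler/x" is really "home/data/tyler/x"
# (and listings go through "home/metadata/..."), so the policy must name
# those API paths; "home/tyler/*" alone works only for kv-v1.
kv_policy() {
  mount=${1%/}   # accept "home" or "home/"
  version=$2     # 1 or 2, whatever "vault secrets enable" created
  prefix=$3
  if [ "$version" = "2" ]; then
    printf 'path "%s/data/%s/*" {\n  capabilities = ["create", "update", "read"]\n}\n' "$mount" "$prefix"
    printf 'path "%s/metadata/%s/*" {\n  capabilities = ["list", "read", "delete"]\n}\n' "$mount" "$prefix"
  else
    printf 'path "%s/%s/*" {\n  capabilities = ["create", "update", "read", "list", "delete"]\n}\n' "$mount" "$prefix"
  fi
}

# Return 0 only if the command FAILS; used to prove a denied operation really is denied.
must_fail() {
  if "$@" >/dev/null 2>&1; then
    echo "expected a 403, but the scoped token was allowed: $*" >&2
    return 1
  fi
}

# Live check against a running server: needs VAULT_ADDR and a privileged
# VAULT_TOKEN in the environment (e.g. the ones printed by "vault server -dev").
demo() {
  vault secrets enable -path=home/ -version=2 kv
  # constructed placeholder value, not a real credential
  vault kv put home/tyler/vault-token note=constructed-test-value

  # Install the policy from stdin and mint a short-lived token that carries it
  kv_policy home 2 tyler | vault policy write tyler-kv -
  scoped=$(vault token create -policy=tyler-kv -ttl=15m -field=token)

  # Allowed: the scoped token reads and writes inside its own prefix
  VAULT_TOKEN=$scoped vault kv get -field=note home/tyler/vault-token
  VAULT_TOKEN=$scoped vault kv put home/tyler/other note=also-allowed >/dev/null

  # Denied: a sibling prefix and any admin endpoint
  must_fail env VAULT_TOKEN="$scoped" vault kv put home/alice/x note=should-fail
  must_fail env VAULT_TOKEN="$scoped" vault policy list
  echo "scoped token confined to home/tyler/* as intended"
}

# Run the live demo only when asked: ./kv_policy.sh run
if [ "${1:-}" = "run" ]; then
  demo
fi
```

With `vault server -dev` running in another tab, export VAULT_ADDR and VAULT_TOKEN from its output and invoke the script with `run`; without the argument it only defines the functions, so `kv_policy home 1 tyler` can be sourced and used on its own to generate a kv-v1 policy.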

Vault Tokens

# List the accessors of all tokens in vault (accessors identify a token without revealing it;
# token values themselves are never listed)
vault list auth/token/accessors

# Create a new token. With no -policy it is a child of the calling token and inherits its policies,
# so run as root this yields another root-equivalent token; prefer -policy=<name> and a -ttl
vault token create

# View properties of a token (policies, TTL, number of uses) without knowing the token value
vault token lookup -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

# Revoke a token (revoking one also revokes its child tokens and leases)
vault token revoke <root token> # the token you logged in with is cached in ~/.vault-token
vault token revoke -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

