Installation and Configuration of Vault

Vault

HashiCorp Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, and certificates. Vault provides encryption services that are gated by authentication and authorization methods. Using Vault’s UI, CLI, or HTTP API, access to secrets and other sensitive data can be securely stored and managed, tightly controlled (restricted), and auditable.

Seal - Unseal

Sealing and unsealing are important concepts in Vault. When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault1.

Once a Vault node is unsealed, it remains unsealed until one of these things happens: It is resealed via the API (see below). The server is restarted.

How to install

If you encounter an error, use the command below

sudo apt install gnupg
gpg --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701
gpg --export --armor AA16FCBCA621E701 | sudo apt-key add -
sudo apt update
wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
apt update
apt install vault

Create an HCL file for Vault configuration

systemctl status vault.service

Check the configuration directory in the status details

CGroup: /system.slice/vault.service
             └─5547 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Edit the vault.hcl file as follows

ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

To use TLS and forward port 80 to 443, install and configure NGINX as follows

server {
    listen 80;
    server_name Zakops.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name Zakops.com;

    ssl_certificate /opt/vault/tls/tls.crt;
    ssl_certificate_key /opt/vault/tls/tls.key;

    access_log  /var/log/nginx/domains/vault/access.log;
    error_log  /var/log/nginx/domains/vault/error.log;

    location / {
        proxy_pass http://127.0.0.1:8200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Ho to use Web UI: https://YourDomain.com

• key shares : 7
• Key threshold : 5
• Encrypt Output with PGP: Use this option to encrypt the keys generated by Vault using your PGP key
• Encrypt Root Token with PGP: Use this option to encrypt only the root token generated by Vault using your PGP key
• Click "Initialize" and download the xxx.json file

Configuration

Create new method

1. Access
2. Authentication Methods
3. Enable new method
4. Fill in the username and password section
5. Change Path
6. Select the 'List Method' when unauthenticated
7. Enable method

Create new user

1. Access
2. Authentication Methods
3. Select your method
4. Create user
5. Fill in the username and password
6. Save

Create new policy

1. Policies
2. Create ACL policy
3. Fill in the name and policy Example : User access to change their password and revoke their own token

path "auth/token/create" {
    capabilities = ["create", "update"]
}

path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_86b9cc68.name}}/password" {
  capabilities = ["update"]
}

whats this auth_userpass_86b9cc68 ??

vault auth list

Check the Accessor field

Assign a policy to the user

1. Access
2. Entities
3. Select the entity, then check under the Aliases tab to ensure the correct user has been selected
4. Edit the entity
5. Change the name to the username
6. Search for the policy in the Policies box, then select it

Create a group, then add members and assign policies

1. Access
2. Groups
3. Create a Group
4. Set Name to devops
5. Set Type to internal
6. Select Policies
7. Select Member Entity IDs
8. Create

Create a KV engine and set up a password manager

Create a KV Engine

1. Secrets Engines
2. Enable new engine
3. Select KV
4. Edit the Path (e.g., servers) and set the Maximum number of versions to 3
5. Enable engine

Add a key-value

1. Secrets Engines
2. Select your created engine
3. Create Secret
4. Edit the Path for this secret (e.g., zakops)
5. Fill in the Secret data
6. save

Edit key-values

1. Secrets Engines
2. servers
3. zakops
4. Secret
5. Create new Version
6. Add or edit key-values
7. save

Run the SSH Engine

1. Secrets Engines
2. Enable new engine
3. SSH
4. Change the Default Lease TTL and Max Lease TTL
5. Enable engine

Use the SSH Engine to connect to hosts via SSH

At this stage, by checking the 'Generate signing key' option, a public key will be generated for you, which you need to place on all the hosts you want to SSH into. Alternatively, if you uncheck the 'Generate signing key' option, you can manually enter your own public and private keys. In this case, make sure to place your public key on all the servers.

1. Secrets Engines
2. ssh
3. configuration
4. configure
5. Add the private key and public key
6. Unselect Generate signing key
7. save
8. Using the command below, copy your public key into the specified file. If the file does not exist, create it manually and paste public key

vim /etc/ssh/trusted-user-ca-keys.pub

9. Now, modify the sshd_config file as follows

PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pub

10. Finally, restart the SSH service

systemctl restart sshd

Creating a role

1. Create role
2. Set the Key type to ca
3. Check Allow user certificates
4. Check Allow host certificates
5. Set Allowed users to zak
6. Change TTL and Max TTL to 1 day
7. Set Allowed extensions to permit-pty, permit-port-forwarding
8. Configure Default Extensions as Follows

{
  "permit-pty": ""
}

9. Change the "Not before duration" to 1 day
10. Select 'Default' for the Signing Algorithm (supports RSA and ED)
11. save

Get CA for users to ssh connect hosts

1. Secrets Engines
2. ssh
3. zak
4. Select the [...] option on the right side
5. Sign Keys
6. Add your Public Key
7. Set Valid principals to zak (as specified in the previous step under Allowed users )
8. Set Certificate Type to user
9. Configure Extensions as Follows

{
  "permit-pty": ""
}

10. Change the TTL to 1 day
11. Copy the signed key and heed the warning

Connect to a host using the Vault CA on your PC

1. Paste the signed key into a file. For example: vault.pub
2. Use your private key. For example: id_ed25519
3. Connect to the host using the following command

ssh -i id_ed25519 -o CertificateFile=vault.pub zak@yourhost -p port

Enable MFA for users

1. Policies
2. Create ACL Policy
3. Add a name
4. Add the following policy

path "identity/mfa/method/totp/*" {
  capabilities = ["update"]
}

5. Create policy
6. Assign this policy to users or groups