Vault. It’s the “new” thing (it’s actually not that new).

Secrets management. I’m sure you already know what it is if you’re here. What I did to get it running:

First, I had to find a host that would run it well enough. I knew I wanted to make my life simple and run it in a Docker image. I have a relatively small home network setup, a few subnets, that will need access. I tried to run it on an old Raspberry Pi Model B+ (one of the original 32-bit ones) that I had lying around. Docker on the RPi sucks.

Next, I thought about just running it on an old MacMini 2010 (Dual-Core 4GB Ram). Yeah – no dice there either as Docker CE won’t run on that Mac without virtualization extensions in the CPU. Which I thought was weird, since I use it to run several VirtualBox hosts.

Fine – I’ll run it on one of the generic servers I have.

For my (at least initial) use cases, I’m not going to get fancy with a highly available backend. One of these days, I may actually look into it with an S3 backend too.


But not today.


Next, on the host where we are running the Vault container, create a directory to store the Vault files. This will hold the local Vault configuration, the secrets data that will be stored on disk, and other files.

mkdir -p /srv/vault

Then I created a local.json file I stole from the interwebs and tweaked it a little bit. Eventually, I’ll get around to configuring TLS. But not today. I (mostly) trust my home network.


Then we run the Docker container, binding the local filesystem into the Docker instance:


Once the container has been instantiated, go ahead and connect to it and get a shell:


Let’s make sure the /vault/data directory is owned by the correct user:


And then we go ahead and initialize the Vault database:


Please store your keys appropriately. If you trust your family, give one to your partner/spouse. Give one to each kid. Etc. 🙂


Go ahead and unseal the vault using 3 of the 5 keys created by the initialization above.

For me, I want to store my AWS ACCESS_KEY/SECRET_KEY in vault:


Let’s see if we can re-read them from the vault:

Final thoughts — Since we’re just about done, there are some final things you should check on (not a complete list):

  • Check the file permissions on the host OS
  • How do we make sure vault is always running
  • Do we keep the vault unsealed for our automated systems accessing it
  • Create authentication tokens
    • Don’t have everything ‘login’ to vault as root. Grant restrictive permissions to what needs access to what.
  • You’ll probably want to make port 8200 available to more than just the loopback address
    • Probably will want to enable TLS before doing so
  • You can unseal the vault via curl (one call per key share, repeated until the threshold of 3 is met; the JSON body is double-quoted so the shell actually expands the variable):
    • curl -H "Content-Type: application/json" -X PUT http://${VAULT_IP}:8200/v1/sys/unseal -d "{\"key\": \"${VAULT_UNSEAL_KEY}\"}"
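The 3-of-5 unseal step and the curl call from the last bullet, put together as an added shell script that is not part of the original post; it assumes curl is installed, VAULT_ADDR points at the Vault HTTP API, and the key shares are passed as command-line arguments.

```sh
#!/bin/sh
# Added example (not the original post's code): unseal Vault over its HTTP API
# by submitting key shares until the seal threshold is met. Assumes curl is
# installed, VAULT_ADDR points at the API and shares are given as arguments.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Constructed sample of /v1/sys/seal-status on a 3-of-5 setup after one share
# has been accepted; shows the shape is_sealed() parses.
SAMPLE_SEAL_STATUS='{"type":"shamir","initialized":true,"sealed":true,"t":3,"n":5,"progress":1}'

# JSON body for PUT /v1/sys/unseal. The share is interpolated by printf so the
# shell expands it; a single-quoted '{"key": "${VAULT_UNSEAL_KEY}"}' would send
# the literal text ${VAULT_UNSEAL_KEY}. Shares are base64/hex, no escaping needed.
unseal_payload() {
  printf '{"key": "%s"}' "$1"
}

# Exit 0 when a seal-status document reports "sealed": true; whitespace is
# stripped first so the check does not depend on formatting.
is_sealed() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"sealed":true'
}

# Current seal status from the server.
seal_status() {
  curl -sS "${VAULT_ADDR}/v1/sys/seal-status"
}

# Submit one share; Vault answers with the updated seal status.
submit_share() {
  curl -sS -H "Content-Type: application/json" -X PUT \
    "${VAULT_ADDR}/v1/sys/unseal" -d "$(unseal_payload "$1")"
}

# Feed shares one at a time and stop as soon as Vault reports sealed=false,
# so no more shares than the threshold ever leave this host.
unseal_vault() {
  status="$(seal_status)"
  is_sealed "$status" || { echo "already unsealed"; return 0; }
  for share in "$@"; do
    status="$(submit_share "$share")"
    is_sealed "$status" || { echo "unsealed"; return 0; }
  done
  echo "still sealed after $# share(s); threshold not reached" >&2
  return 1
}
# Runs only when shares are given, e.g.: ./unseal.sh SHARE1 SHARE2 SHARE3
[ "$#" -eq 0 ] || unseal_vault "$@"
```

Shares passed as arguments show up in the host's process list, so keep this to a host whose file and user permissions you have already reviewed per the checklist above.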