Vault Installation

The full official documentation is at https://learn.hashicorp.com/vault/operations/ops-deployment-guide

1. Install Vault

Run the following commands on a freshly installed Debian Stretch. The SHA256SUMS file is checked against the archive before it is unpacked; the .sig file is HashiCorp's PGP signature over SHA256SUMS and can be verified with their public release key as described in the guide linked above.

sudo apt-get update && sudo apt-get install -y unzip libcap2-bin curl
VAULT_VERSION="1.4.2"
curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
curl --silent --remote-name https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig
sha256sum --check --ignore-missing vault_${VAULT_VERSION}_SHA256SUMS
unzip vault_${VAULT_VERSION}_linux_amd64.zip
sudo chown root:root vault
sudo mv vault /usr/local/bin/
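The checksum step above relies on sha256sum matching the downloaded archive against its entry in SHA256SUMS. The following is an added example, not part of the original guide or of HashiCorp's tooling, that does the same comparison explicitly so the two failure modes are visible: no entry for the file name, and a digest mismatch. It runs entirely on constructed placeholder files (no real release is fetched); the file names and the verify_archive function are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against the SHA256SUMS
# file published next to it.  Each line of that file is
# "<hex sha256>  <file name>", the format sha256sum itself writes.
# Returns 0 on a match, 1 when no entry exists for the file, 2 on a mismatch.
verify_archive() {
  sums_file="$1"
  archive="$2"
  name=$(basename "$archive")
  # Match the file name as a whole field, so an entry for a different build
  # (another platform or version) can never satisfy this archive.
  expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums_file")
  if [ -z "$expected" ]; then
    echo "$name: no entry in $sums_file" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "$name: SHA256 mismatch (got $actual, expected $expected)" >&2
    return 2
  fi
  return 0
}

# Demo with constructed data (no real HashiCorp release is involved):
# a placeholder archive, a sums file that matches it, then a tampered copy.
demo_dir=$(mktemp -d)
printf 'constructed placeholder, not a real vault archive\n' > "$demo_dir/vault_0.0.0_linux_amd64.zip"
( cd "$demo_dir" && sha256sum vault_0.0.0_linux_amd64.zip > vault_0.0.0_SHA256SUMS )
if verify_archive "$demo_dir/vault_0.0.0_SHA256SUMS" "$demo_dir/vault_0.0.0_linux_amd64.zip"; then
  echo "pristine archive: OK"
fi
# Appending a single byte changes the digest, so the same sums file now rejects it.
printf 'x' >> "$demo_dir/vault_0.0.0_linux_amd64.zip"
if ! verify_archive "$demo_dir/vault_0.0.0_SHA256SUMS" "$demo_dir/vault_0.0.0_linux_amd64.zip"; then
  echo "tampered archive: rejected"
fi
rm -rf "$demo_dir"
```

The whole-field match on the file name matters: a sums file lists every platform build, and a substring match could accept the wrong entry. The checksum only proves the archive matches what the sums file says, which is why the sums file itself should be validated against the .sig before trusting it.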

2. Make sure the setup is working

vault --version

You should see output like the following (the version string and commit hash will match the release you downloaded, so they differ from this sample):

Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')

3. Enable Autocomplete

vault -autocomplete-install
complete -C /usr/local/bin/vault vault

4. Grant the mlock capability and create the service user

The cap_ipc_lock capability lets Vault lock its memory so that secrets are never swapped to disk; the dedicated system user has no login shell.

sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
sudo useradd --system --home /etc/vault.d --shell /bin/false vault

Configure Systemd

The heredoc delimiter is quoted so that $MAINPID is written into the unit file literally rather than expanded (to nothing) by your shell, and tee is used because a plain shell redirection does not run under sudo.

sudo tee /etc/systemd/system/vault.service > /dev/null << 'EOF'
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3

[Install]
WantedBy=multi-user.target
EOF

Configure Vault

First, copy the TLS files to the vault folder. The companynamecertificate.pem is the full-chain SSL certificate issued through GoGetSSL; companynameprivatekey.pem is the matching private key. The directory is owned by the vault user, so the copies need sudo, and the private key must be readable only by that user.

sudo mkdir --parents /var/lib/vault/
sudo cp ~/companynamecertificate.pem ~/companynameprivatekey.pem /var/lib/vault/
sudo chown --recursive vault:vault /var/lib/vault/
sudo chmod 600 /var/lib/vault/companynameprivatekey.pem
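Two things commonly go wrong with this step: the certificate file is a bare leaf rather than the full chain the listener needs, and the private key is left readable by other accounts. The following is an added example, not part of the original guide or of Vault itself, that checks both before the service is started. It works on constructed placeholder PEM text (no real key material) and the function name check_tls_files is an assumption of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks on the TLS files before Vault loads them.
# check_tls_files <cert.pem> <key.pem> <owner> returns
#   0  the certificate file is a chain and the key is owned and protected correctly
#   1  the certificate file does not hold at least two PEM certificate blocks
#   2  the private key is not owned by <owner>
#   3  the private key is writable by its group or accessible by others
check_tls_files() {
  cert="$1"
  key="$2"
  owner="$3"

  # A full-chain file carries the leaf certificate plus its intermediates,
  # so anything with fewer than two blocks is not the bundle the listener needs.
  blocks=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || true)
  blocks=${blocks:-0}
  if [ "$blocks" -lt 2 ]; then
    echo "$cert: expected a full chain, found $blocks certificate block(s)" >&2
    return 1
  fi

  key_owner=$(stat -c '%U' "$key")
  if [ "$key_owner" != "$owner" ]; then
    echo "$key: owned by $key_owner, expected $owner" >&2
    return 2
  fi

  # stat -c %a prints the octal mode, e.g. 600 or 640; take the last two
  # digits (group, other) with POSIX parameter expansion.
  mode=$(stat -c '%a' "$key")
  other=${mode#"${mode%?}"}
  rest=${mode%?}
  group=${rest#"${rest%?}"}
  # The group may read (4) when the group is vault; nobody else gets anything.
  if [ "$other" != "0" ] || { [ "$group" != "0" ] && [ "$group" != "4" ]; }; then
    echo "$key: mode $mode exposes the private key beyond its owner" >&2
    return 3
  fi
  return 0
}

# Demo with constructed files: placeholder PEM blocks, not real certificates or keys.
pem_block() {
  printf '%s\n' "-----BEGIN $1-----" "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=" "-----END $1-----"
}
demo_dir=$(mktemp -d)
{ pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$demo_dir/chain.pem"
pem_block CERTIFICATE > "$demo_dir/leaf-only.pem"
pem_block 'PRIVATE KEY' > "$demo_dir/key.pem"
chmod 600 "$demo_dir/key.pem"
me=$(id -un)
check_tls_files "$demo_dir/chain.pem" "$demo_dir/key.pem" "$me" && echo "chain + 0600 key: OK"
check_tls_files "$demo_dir/leaf-only.pem" "$demo_dir/key.pem" "$me" || echo "leaf-only file rejected (rc=$?)"
chmod 644 "$demo_dir/key.pem"
check_tls_files "$demo_dir/chain.pem" "$demo_dir/key.pem" "$me" || echo "world-readable key rejected (rc=$?)"
rm -rf "$demo_dir"
```

On the real host the call would be check_tls_files /var/lib/vault/companynamecertificate.pem /var/lib/vault/companynameprivatekey.pem vault, run before systemctl start so that a mis-copied file is caught by a clear message rather than by a failed listener.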

Prepare the configuration file:

sudo mkdir --parents /etc/vault.d
sudo touch /etc/vault.d/vault.hcl
sudo chown --recursive vault:vault /etc/vault.d
sudo chmod 640 /etc/vault.d/vault.hcl
sudo tee /etc/vault.d/vault.hcl > /dev/null << 'EOF'
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/var/lib/vault/companynamecertificate.pem" # This is the full certificate chain
  tls_key_file  = "/var/lib/vault/companynameprivatekey.pem" # This is the private key
}

storage "file" {
  path = "/var/lib/vault/data"
}

ui = true
EOF

Start Vault

sudo systemctl enable vault
sudo systemctl start vault
sudo systemctl status vault

Initial Setup

Go to https://vault.domainname.com:8200 and complete the setup. This initialises Vault and generates the unseal key shares and the initial root token; Vault shows these values only once, so record them before leaving the page.

You should end up with something like this:

{
  "keys": [
    "fcde595fd982f7a9372b823be9070db51ef13462404c2aca68a611dc527d34a32e",
    "6a1cf86ddec1e80226e9775f3de06316166470a51a7733aee00eeb15c18c405ae6",
    "537913d16f4c064766281ae4c5cc089372d01732a84234afc8e2a666a7a85a8947",
    "2b4a55b580ce2fce6ec684e947d956a01525fd74e96505507500488813979c0daa",
    "a7b36017f3388d5d37ee387d801fc6ac5b7217538de4832839dc19d01a160e5e04"
  ],
  "keys_base64": [
    "/N5ZX9mC96k3K4I7+QcN1R7xNGJATCrKaKYR3FJ9NKMu",
    "ahz4bd7B6AIm6YdfTeBjFhZkbKUadzOu4A7rFcGMQFrm",
    "U3kT0W9MBkdmKBrj1cwIk3LZFzKoQjSv3OKmZqeoWolH",
    "K0pVtYDOL85uxoTpZ9lW2CUl/XTpZQVQdQBIiBOXnA2q",
    "p7NgF/M4jV037jh9cB/GrFtyF1ON5IM5OdwZ0BoWDl4E"
  ],
  "root_token": "s.vHFHreYxV3HkN1JlJ8a09gabc"
}

Usage

In order to access Vault from a Linux client, set the following environment variables so the CLI knows the server address and which token to use (the sample token below is the root token from the output above):

export VAULT_ADDR="https://vault.domainname.com:8200"
export VAULT_TOKEN="s.vHFHreYxV3HkN1JlJ8a09gabc"

You will then be able to run

vault list secrets

and should get something like:

No value found at secrets/

Also try this, which lists the enabled secrets engines as JSON:

sudo apt-get install -y jq
curl --silent --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/mounts | jq

Troubleshooting

If you face issues, run the server in the foreground as the vault user to see the errors you need to fix (running it as root would leave root-owned files under /var/lib/vault/data that the service cannot open later):

sudo -u vault /usr/local/bin/vault server -config=/etc/vault.d/vault.hcl

The service's own log is available with journalctl -u vault.