Getting started with Hashicorp Vault

Firat Yasar
Published in adessoTurkey
5 min read · Aug 3, 2021

If you want to bring a DevSecOps perspective into your environment, secrets management is one of the important security tasks. In this article series, I'm going to introduce you to the basics of using Hashicorp Vault.

It's a powerful tool for securing access to secrets. The other big benefit is governance: policies, audit logs, and so on.

Let’s dig into it a little bit with a few simple questions.

What really is Hashicorp Vault?

Hashicorp describes Vault on its official site like this:

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing.

That is the general definition of Vault. So let's talk about Vault's features and some key points:

  • It is a secret lifecycle manager, with advanced options such as versioning and encryption.
  • Secrets can be static or dynamic.
  • It's written in the Go language.
  • The same binary is used for both the client and the server.
  • It runs on multiple operating systems (Windows, Linux, macOS, etc.).

Now let's take a look at Vault's concepts.

The key features of Hashicorp Vault:

  • Authentication — There are many authentication options, such as Userpass, LDAP, or external providers.
  • Policy — Policies govern what you are allowed to do in the Vault system.
  • Secrets — Advanced secrets engines let you manage dynamic or static secrets.
  • Audit — You can audit everything that happens on the Vault system with the audit concept.
  • Data Encryption — It can encrypt and decrypt data without storing it.
  • Leasing and Renewal — When a secret is created in Vault, a lease is automatically associated with it. At the end of the lease the secret is automatically revoked unless it has been renewed.

Who can access vault?

Users, applications, or machines access Vault through an API that sits in front of Vault, using a token. All access methods interact with this API, and every interaction involves a token granted by Vault.

Communicating with Vault

For testing purposes, you can run Vault in development mode. It can run as a service on a server or on your local desktop. There are a few steps to get Vault up and running in dev mode:

  • First, download the Vault binary for your operating system.
  • Second, start Vault in development mode.
  • Last, access Vault (through the CLI, the UI, or the API).

Dev Mode Installation

Depending on your operating system, you can install Vault in a few ways. On Windows, you can use the Chocolatey package manager.

choco install vault

On macOS, Homebrew is a good option for installing it.

brew tap hashicorp/tap

brew install hashicorp/tap/vault

On Linux, you can use the package manager of your distribution.

Development Mode Features

You can run Hashicorp Vault on your local machine in dev mode. After installation, Vault runs in memory and is fully functional.

The key features of dev mode (which is meant for local testing only, never for production):

  • It runs on localhost without TLS.
  • It uses in-memory storage as the storage backend (in production a persistent storage backend would be used).
  • When you shut down the server in development mode, everything is gone.
  • In development mode, it starts already initialized and unsealed.
  • The UI is already enabled.
  • The key/value secrets engine is also enabled.

Spin up Vault in Dev Mode

You can start a Vault server in dev mode with the command below. It is that easy.

vault server -dev

After start-up, it prompts you to store the Vault server address in an environment variable.

To store the Vault server address in an environment variable, run the appropriate command for your shell.

For Linux and macOS

export VAULT_ADDR=http://127.0.0.1:8200

For Windows PowerShell

$env:VAULT_ADDR="http://127.0.0.1:8200"

Set the root token (the dev server prints it on start-up) in the VAULT_TOKEN environment variable, which the CLI reads for every request:

export VAULT_TOKEN=ROOT_TOKEN_VALUE

Note: The root token and the root policy can do anything on the Vault server. It's a very powerful token that controls everything in Vault, so you should be extra careful using it.

Vault login options

You have three primary ways to interact with Vault.

  • CLI — Command-line interface for Vault.
  • UI — Graphical interface for Vault.
  • API — The last option is interacting directly with the API.

CLI

The basic Vault command structure is:

vault <command> <subcommand> [options] [arguments]

Options and arguments are optional, depending on which command you are running.

To display help for a command, or for a path in Vault, use these commands:

vault <command> -help

vault path-help PATH

Environment Variables

When the Vault binary runs, it looks for a few environment variables with the VAULT_ prefix:

VAULT_ADDR — Address of the Vault server

VAULT_TOKEN — Token value sent with requests

VAULT_SKIP_VERIFY — Do not verify the server's TLS certificate (only acceptable for local testing)

VAULT_FORMAT — Output format (table, json, or yaml)

Vault UI

The UI is the graphical user interface for the Vault server. It uses the API to interact with Vault. It's not enabled by default (dev mode enables it for you). It runs on the same port as the API and provides a basic console for management.

You can connect to the UI in dev mode using the URL below.

http://127.0.0.1:8200/ui/

Note: Please don't forget to configure the necessary environment variables.

Vault API

The Vault API provides an HTTP endpoint for each access method.

You can control everything in Vault with this API.

The Vault CLI also uses this API to interact with Vault.

Key features of the Vault API:

  • It's a RESTful API.
  • It's used by both the UI and the CLI.
  • There is no other way to interact with Vault.
  • You can use curl with the X-Vault-Token header to interact with it, because a token is required for every API request.
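To show how the VAULT_ environment variables from the CLI section and the X-Vault-Token header come together in one API call, here is a small client added for this article; it is not code from the original post or from Hashicorp. The mount name, secret path, function names and the sample response values are assumptions; the response layout it unwraps (secret fields under data.data, version information under data.metadata) is what Vault returns for the key/value version 2 engine that dev mode mounts at secret/.

```python
"""Minimal Vault KV v2 read using only the standard library (added example)."""
import json
import os
import ssl
import urllib.request

# Constructed sample of a KV v2 read response, shaped like Vault's
# GET /v1/secret/data/<path> reply. Values are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "request_id": "00000000-example-request-id",
    "data": {
        "data": {"username": "app", "password": "example-password"},
        "metadata": {
            "created_time": "2021-08-03T10:00:00Z",
            "version": 2,
            "destroyed": False,
            "deletion_time": "",
        },
    },
})


def vault_headers(token):
    """Every Vault API request carries the token in the X-Vault-Token header."""
    if not token:
        raise ValueError("VAULT_TOKEN is not set; Vault rejects requests without a token")
    return {"X-Vault-Token": token, "Accept": "application/json"}


def kv2_read_url(addr, mount, path):
    """KV v2 reads go through /v1/<mount>/data/<path>; note the extra 'data' segment."""
    return f"{addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"


def parse_kv2_secret(body):
    """Unwrap a KV v2 response: secret fields sit under data.data, version info under data.metadata."""
    doc = json.loads(body)
    data = doc.get("data") or {}
    return data.get("data", {}), data.get("metadata", {})


def ssl_context_from_env(env):
    """Honour VAULT_SKIP_VERIFY the way the CLI does: certificate checks stay on
    unless the variable is explicitly set to a true value (local testing only)."""
    ctx = ssl.create_default_context()
    if env.get("VAULT_SKIP_VERIFY", "").strip().lower() in ("1", "t", "true", "yes"):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def read_secret(mount, path, env=os.environ):
    """Read one KV v2 secret from the server named by VAULT_ADDR using VAULT_TOKEN.
    Requires a reachable Vault server (for example 'vault server -dev')."""
    addr = env.get("VAULT_ADDR", "http://127.0.0.1:8200")  # dev-mode default address
    req = urllib.request.Request(
        kv2_read_url(addr, mount, path),
        headers=vault_headers(env.get("VAULT_TOKEN")),
    )
    # The SSL context is only consulted for https:// addresses; dev mode uses plain http.
    with urllib.request.urlopen(req, context=ssl_context_from_env(env)) as resp:
        return parse_kv2_secret(resp.read())


if __name__ == "__main__":
    # Assumes a dev server plus VAULT_ADDR/VAULT_TOKEN in the environment and a
    # secret written with: vault kv put secret/myapp/db username=app password=...
    values, meta = read_secret("secret", "myapp/db")
    print("version", meta.get("version"), "fields", sorted(values))
```

The two things that trip people up when they move from the CLI to raw API calls are both visible here: the `data` segment that KV v2 inserts into the path, and the nested `data.data` object in the response. Keeping the TLS verification switch tied to an explicit VAULT_SKIP_VERIFY value means a client never silently accepts an unverified certificate just because the variable happens to exist.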

Conclusion

Vault uses a single binary for both client and server. You can use it in dev mode for local testing; spinning up a Vault server on a local machine takes only a few commands. All Vault communication goes through an API that sits in front of the Vault server. You can interact with it using the CLI, the UI, or direct API calls. Before accessing the Vault server from the CLI, you need to configure environment variables such as VAULT_ADDR and VAULT_TOKEN.


Firat Yasar, DevOps Lead at adesso Turkey. CKA, CKAD, CKS, Microsoft MVP.