Hashicorp Vault

HashiCorp's solution for managing secrets and protecting sensitive data

What is Vault?

  • Vault is a tool developed by HashiCorp for storing secrets and managing their lifecycle (e.g., username/password pairs, API keys, certificates, encryption keys).

Installation

brew install vault

Vault Cheat Sheet

  • A handy list of common Vault commands

Vault Configuration Commands

# View the Vault configuration (stored on the server where Vault runs). The file path can differ between installs!
cat /etc/vault.d/vault.hcl

# Validate/troubleshoot the configuration file. Point it at your configuration file path
vault operator diagnose -config=/etc/vault.d/vault.hcl

# Initialize Vault for the first time (modify as needed):
# 3 unseal key shares are generated, and any 2 of them are needed to unseal
vault operator init \
  -key-shares=3 \
  -key-threshold=2

Vault Operations

# Get help
vault --help # (-h)
vault <command> --help # (-h)

# Get the Vault version
vault version

# View Vault status (sealed/unsealed, HA mode, etc.)
vault status

# Unseal Vault (auto-unseal options, e.g. AWS KMS, exist too)
vault operator unseal # hit enter
Unseal Key (will be hidden): # paste one key share; repeat until the threshold number of shares has been entered

# Log in to Vault with a token (the value below is an example token, not a reusable credential)
vault login hvs.7j0Pi7dUJNE5GV3Z77HyCCBS

# Restart Vault
sudo systemctl restart vault

Vault Dev Mode

# Start Vault in dev mode (testing only, not for production: in-memory storage, auto-unsealed, root token printed to the terminal)
vault server -dev
# interact with Vault in another terminal tab / window
# hit Ctrl+C to end the Vault session

# Or start Vault in the background and interact in the same terminal tab
vault server -dev &

# Stop the background server by finding its PID
ps -ef | grep 'vault server -dev'
kill -9 <PID>

Vault Secrets

# Enable a KV secrets engine at the path "home/" (use "kv-v2" instead of "kv" for versioned secrets)
vault secrets enable -path=home/ kv # kv-v2

# Save a secret at the path "home/tyler/vault-token". Syntax is key=value
vault kv put home/tyler/vault-token "Initial Root Token:"=hvs.35fzQIN0BstyJxCj46W0ajiy

# Retrieve a secret
vault kv get home/tyler/vault-token

Vault Auth Methods

# Enable the aws auth method
vault auth enable aws

# Provide a custom path and description for the aws auth method
vault auth enable -path=tylers-aws-path -description=aws-creds aws
# run `vault auth list` to see these details

# Disable an auth method
vault auth disable aws

# List auth methods
vault auth list

# Tune the token/ auth method so that tokens it issues live at most 1 hour
vault auth tune -max-lease-ttl=3600 token/
# Success! Tuned the auth method at: token/

Vault Policies

# List policies
vault policy list

# Read a policy
vault policy read <policy name>

# Write (upload) a policy from an HCL file
vault policy write <policy name> <path to policy file>

# Test a policy by generating a token bound to it and logging in with that token
vault token create -policy=<policy name>
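The policy workflow above (write a policy file, upload it, mint a token to test it), as an added example that is not part of the original cheat sheet: a least-privilege read-only policy for the home/ kv-v2 mount, checked against a throwaway dev-mode server. It assumes `vault` is on PATH and a dev server started with `vault server -dev -dev-root-token-id=root`; the policy name tyler-readonly and the stored secret value are constructed here.

```shell
#!/usr/bin/env sh
# Added example, not from the original cheat sheet. Assumes `vault` is on PATH
# and a throwaway dev server is running: vault server -dev -dev-root-token-id=root
# home/ and tyler/vault-token follow the cheat sheet; policy name tyler-readonly is constructed.

# Render a least-privilege policy: read one kv-v2 path, list its metadata, nothing else.
render_policy() {
  cat <<'EOF'
# kv-v2 serves secret data under <mount>/data/<path>, so grant read there only
path "home/data/tyler/*" {
  capabilities = ["read"]
}
# listing goes through <mount>/metadata/<path>; needed for `vault kv list`
path "home/metadata/tyler/*" {
  capabilities = ["list"]
}
EOF
}

# Return 0 when the rendered policy grants no mutating or privileged capability.
policy_is_read_only() {
  if render_policy | grep -Eq '"(create|update|delete|sudo|patch)"'; then
    return 1
  fi
  return 0
}

# Upload the policy, mint a token bound to it, and prove the token can read
# the secret but is denied a write. Needs the live dev server described above.
test_policy_in_dev_vault() {
  export VAULT_ADDR="http://127.0.0.1:8200"
  export VAULT_TOKEN="root"
  vault secrets enable -path=home/ kv-v2
  vault kv put home/tyler/vault-token token=constructed-example-value
  render_policy | vault policy write tyler-readonly -   # "-" reads the policy from stdin
  limited=$(vault token create -policy=tyler-readonly -ttl=15m -field=token)
  # read must succeed under the limited token
  VAULT_TOKEN="$limited" vault kv get -field=token home/tyler/vault-token || return 1
  # write must fail (permission denied); success here means the policy is too broad
  if VAULT_TOKEN="$limited" vault kv put home/tyler/vault-token token=changed >/dev/null 2>&1; then
    echo "policy too permissive: write succeeded"
    return 1
  fi
  echo "policy enforced: read allowed, write denied"
}

# Only touch the server when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "live" ]; then
  test_policy_in_dev_vault
fi
```

Run it as `sh policy-check.sh live` with the dev server up; without the `live` argument it only defines the functions.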

Vault Tokens

# List the accessors of all tokens in Vault
vault list auth/token/accessors

# Create a new token (a child of the current token that inherits its policies; run with the root token this yields a root token)
vault token create

# View properties of a token
vault token lookup -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

# Revoke a token
vault token revoke <root token> # found in ~/.vault-token after `vault login`
vault token revoke -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

Useful Resources