File Fabric integration with external Vault Key Server by HashiCorp (Part 2)

Welcome to Part 2 of our File Fabric integration with Vault by HashiCorp blog.  In Part 1 we discussed the benefits of integrating your Storage Made Easy appliance with your Vault instance and walked through setting up the integration between Vault and File Fabric.  In this follow-up we will look at some use cases and demonstrate how to set up a Vault instance ready for integration with your Enterprise File Fabric.

As I touched on in my previous post, Vault is an enterprise-grade centralised secret management platform.  Companies have different reasons for adopting such a platform.  Some use it simply for general secret storage.  Others use Vault for its audit log, which records every request made to the secrets it holds; this can be valuable for audit and compliance purposes.

Another reason a company may choose a solution such as Vault is its ability to encrypt and decrypt data on behalf of applications (encryption as a service, provided by the transit secrets engine).  An application can have its data encrypted without changing where that data is stored, and without the encryption keys ever leaving Vault.

Vault's dynamic secrets feature is also very useful when running scripts.  Rather than embedding long-lived credentials, a script asks Vault for credentials that are generated on demand, carry a lease with a time-to-live, and are revoked when the lease expires or the script revokes them explicitly.  This enables automation whilst addressing the common concern of corporate security teams about static keys lying around in scripts.

Whatever reasons you have for using Vault, it is a great solution and we here at Storage Made Easy are thrilled about the integration between our two products.

Let’s now look at the steps we need to take to install and configure your Vault instance in preparation for the integration between your two instances.

We will be installing Vault on a CentOS 7 server built from the Minimal install image, so wget and unzip need to be installed as prerequisites if they are not already present; the same command also pulls in openssl, which we use for the certificate step below.  Run the following:

# yum install -y wget unzip openssl openssl-devel

Now that the prerequisites are installed, we are ready to proceed.

Before the first step, change to the vaultadm home directory.  vaultadm is the user we created on this server with sudo rights; you can use any existing user with the same rights, or create one, and run the commands from that user's home directory.  The Vault and Consul processes will be run from the vaultadm home directory.  Note that Vault itself does not need root: the sudo rights are only used below for the /usr/bin symlinks, and a production service should run under a dedicated unprivileged account.

# cd /home/vaultadm

The first step is to download Vault from the HashiCorp releases site (0.8.0 is the version used in this walkthrough).  Run the following command:

# wget https://releases.hashicorp.com/vault/0.8.0/vault_0.8.0_linux_amd64.zip

This downloads a zip file containing the Vault binary.  Unzip it with:

# unzip vault_0.8.0_linux_amd64.zip

The single vault binary in that file is all that is required to run Vault at this stage; it now sits at /home/vaultadm/vault.  To make it available on the PATH, add the following line to ~/.profile and run it in the current shell (a PATH entry must be a directory, so add the home directory rather than the binary itself):

# export PATH=$PATH:/home/vaultadm

Alternatively, or in addition, add a symlink to the binary in /usr/bin so that it is found regardless of the user's profile.  We first move to /usr/bin and then add the symlink (the option is a plain hyphen, -s):

# cd /usr/bin/
# sudo ln -s /home/vaultadm/vault vault

We should now verify that the installation succeeded by running the vault command with no arguments:

# vault

If Vault is installed correctly, this prints Vault's usage text, listing the available commands.

The next step is to generate a private key and a certificate signing request (CSR) for the listener's TLS certificate.  The original command used a 1024-bit RSA key, which is below current minimums; use 2048 bits:

# openssl req -newkey rsa:2048 -nodes -out vault.csr -keyout vault.key

We now sign the CSR with a local CA.  The vault-ca.conf file below is the CA configuration described in the blog post linked after this command; it is not reproduced here.  Whichever way you sign, the certificate must cover the host name or IP address that File Fabric will use to reach Vault, otherwise clients that validate the certificate will reject it.

# openssl ca -batch -config vault-ca.conf -notext -in vault.csr -out vault.crt

For more information about using self-signed certificates with Vault, including how to set up that CA, see https://dunne.io/vault-and-self-signed-ssl-certificates
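If you do not want to maintain a local CA for a single listener, a self-signed certificate with a subjectAltName does the job in one step.  The script below is an added example, not code from the original post or from HashiCorp; the host name vault.example.com, the IP 127.0.0.1 and the output directory are placeholders.  It writes a minimal OpenSSL config so that it works on the OpenSSL 1.0.2 shipped with CentOS 7 as well as on newer releases, and it includes a SAN because modern TLS stacks (Go's included, which Vault uses) ignore the CN when matching a host name.

```shell
#!/bin/sh
# Added example: self-signed TLS certificate for the Vault listener, with a
# subjectAltName, generated without a local CA. Host name, IP and output
# directory are placeholders supplied by the caller.

# make_vault_cert OUTDIR HOSTNAME IP
# Writes OUTDIR/vault.key (0600) and OUTDIR/vault.crt. Returns non-zero on failure.
make_vault_cert() {
  outdir=$1; host=$2; ip=$3
  mkdir -p "$outdir" || return 1
  # Minimal request config: no interactive prompts, CN plus a SAN covering
  # both the DNS name and the IP address clients may use to reach Vault.
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$host,IP:$ip
EOF
  # -x509 makes req emit a self-signed certificate directly instead of a CSR.
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 825 \
    -config "$outdir/openssl.cnf" \
    -keyout "$outdir/vault.key" -out "$outdir/vault.crt" 2>/dev/null || return 1
  chmod 600 "$outdir/vault.key"
}

# cert_has_san CERT TEXT
# Returns 0 if the decoded certificate contains TEXT, e.g. "IP Address:127.0.0.1".
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Usage:
#   make_vault_cert /home/vaultadm vault.example.com 127.0.0.1
#   cert_has_san /home/vaultadm/vault.crt "IP Address:127.0.0.1" && echo "SAN ok"
```

Point tls_cert_file and tls_key_file in vault.hcl at the two files it produces, and give the same vault.crt to File Fabric (or set it as VAULT_CACERT for the CLI) so that the self-signed certificate is trusted explicitly rather than by disabling verification.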

We are now ready to configure the Vault server.  Create a configuration file; we will call ours vault.hcl.  Copy the following contents into it, changing tls_cert_file and tls_key_file to the locations of your certificate and key (HCL string values, including these paths, must be quoted):

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_disable   = 0
  tls_cert_file = "/path/to/cert/file"
  tls_key_file  = "/path/to/key/file"
}

This file configures only the basics: Consul as the storage backend and a single TLS listener.  Note that the listener only accepts connections on the address it binds; 127.0.0.1 is fine while File Fabric runs on the same host, but if it runs elsewhere bind the interface File Fabric can reach (for example the server's LAN address) and make sure the certificate covers that name or address.  There are other parameters that can be configured, but they are beyond the scope of this tutorial; see HashiCorp's configuration documentation https://www.vaultproject.io/docs/configuration/index.html

We now need to download and install Consul, which Vault will use as its storage backend, by running the following commands:

# wget https://releases.hashicorp.com/consul/0.9.2/consul_0.9.2_linux_amd64.zip
# unzip consul_0.9.2_linux_amd64.zip

Consul also unzips to a single binary (/home/vaultadm/consul), so the PATH line added to ~/.profile for Vault already covers it; if you skipped that step, add it now.  Then symlink the binary into /usr/bin as before:

# export PATH=$PATH:/home/vaultadm
# cd /usr/bin/
# sudo ln -s /home/vaultadm/consul consul
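Both the Vault and the Consul downloads above are fetched and unzipped without checking what was downloaded.  HashiCorp publishes a vault_0.8.0_SHA256SUMS (and consul_0.9.2_SHA256SUMS) file next to each release zip, plus a detached .sig for it, so the download can be verified before anything is executed.  The script below is an added example, not code from the original post or from HashiCorp: it repeats the two download steps with a checksum check in between.  The URL layout is the releases.hashicorp.com one used on this page; the functions and their names are ours.

```shell
#!/bin/sh
# Added example: download a HashiCorp release zip together with its
# SHA256SUMS file and refuse to unzip unless the checksum matches.

# verify_sha256sums ZIP SUMSFILE
# Returns 0 only if ZIP's SHA-256 equals the entry for its basename in SUMSFILE
# (lines of the form "<hex digest>  <filename>").
verify_sha256sums() {
  zip=$1; sums=$2
  name=$(basename "$zip")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$zip" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  return 0
}

# fetch_hashicorp PRODUCT VERSION
# Downloads the linux_amd64 zip and the SHA256SUMS for that release into the
# current directory, verifies the zip, then extracts just the binary.
fetch_hashicorp() {
  product=$1; version=$2
  base="https://releases.hashicorp.com/${product}/${version}"
  zip="${product}_${version}_linux_amd64.zip"
  sums="${product}_${version}_SHA256SUMS"
  wget -q "${base}/${zip}" "${base}/${sums}" || return 1
  # The SHA256SUMS file itself is signed (${sums}.sig); with HashiCorp's
  # release key imported, "gpg --verify ${sums}.sig ${sums}" checks it.
  verify_sha256sums "$zip" "$sums" || return 1
  unzip -o -q "$zip" "$product"
}

# Usage (needs network):
#   cd /home/vaultadm && fetch_hashicorp vault 0.8.0 && fetch_hashicorp consul 0.9.2
```

The checksum only proves that the zip is the one listed in SHA256SUMS; checking the .sig against HashiCorp's release key is what ties that list to HashiCorp rather than to whoever served the files.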

We can now start a single-node Consul server agent.  The -bootstrap-expect 1 flag tells it not to wait for other servers, and -bind 127.0.0.1 keeps it on the loopback interface.  Note that -data-dir /tmp/consul is convenient for a walkthrough, but /tmp is not a persistent location (systemd's tmpfiles cleanup removes old entries and some systems mount it as tmpfs) and Vault's entire storage will live there; use a directory such as /var/lib/consul for anything that must survive a restart.

# consul agent -server -bootstrap-expect 1 -data-dir /tmp/consul -bind 127.0.0.1

Now that the Consul agent is running, we can start the Vault server.  Open a new SSH session to the server and run:

# vault server -config=vault.hcl

N.B. change the value of the -config flag to the name of your config file.

After the server starts, it prints a summary of its configuration (listener address, storage backend, version) followed by "Vault server started!", and log lines then stream below it.  This confirms that the Vault server is running.

Before using the CLI against it, point the CLI at the listener: in the session you will use for the remaining steps, set VAULT_ADDR to https://127.0.0.1:8200 and set VAULT_CACERT to the path of your certificate (or of the CA certificate that signed it), since the certificate is self-signed and the CLI would otherwise refuse the connection.  We are now ready to initialise the server by running the following command.

# vault init

This generates the unseal key shares and the initial root token, with output much like the following example from HashiCorp's documentation.  These are not encryption keys for your data: Vault's master key is split with Shamir's secret sharing into five shares, any three of which reconstruct it.  Record each share and the root token somewhere safe, ideally with each share going to a different custodian; they are displayed only once.

# vault init
Key 1: 427cd2c310be3b84fe69372e683a790e01
Key 2: 0e2b8f3555b42a232f7ace6fe0e68eaf02
Key 3: 37837e5559b322d0585a6e411614695403
Key 4: 8dd72fd7d1af254de5f82d1270fd87ab04
Key 5: b47fdeb7dda82dbe92d88d3c860f605005
Initial Root Token: eaf5cc32-b48f-7785-5c94-90b5ce300e9b

Vault initialized with 5 keys and a key threshold of 3!
...

This brings us to the final step of deploying a Vault server.  After initialisation, and again after every restart, Vault starts sealed: it cannot decrypt its storage until the master key is reconstructed from the shares.  Run the unseal command once per share; three of the five shares are required, and each run must use a different share.

# vault unseal

Enter a key share each time the following prompt appears.  After the third share the output reports the server as unsealed; until then it shows the unseal progress.

Key (will be hidden):
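The same unseal loop as a script, added here as an example; it is not part of the original post or of Vault's own tooling.  It assumes the 0.8-era CLI used on this page (vault unseal, and vault status exiting 0 once unsealed and 2 while still sealed) and that VAULT_ADDR and VAULT_CACERT are already set for the self-signed listener; the path /home/vaultadm/vault.crt in the comments is a placeholder.  Its one useful property over typing the command three times is that it stops as soon as the threshold is reached and reports if it ran out of shares first.

```shell
#!/bin/sh
# Added example: submit unseal key shares one at a time until Vault reports
# itself unsealed. Documented CLI behaviour relied on (Vault 0.8.x):
#   - `vault unseal KEY` submits one share;
#   - `vault status` exits 0 when unsealed and 2 while still sealed.
# Set the CLI up first, e.g. (paths are placeholders):
#   export VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/home/vaultadm/vault.crt
# On Vault 0.9.2 and later the subcommand is `vault operator unseal`.

# unseal_vault: reads key shares from stdin, one per line, blank lines ignored.
# Returns 0 once unsealed, 1 if the CLI fails, 2 if stdin runs out first.
unseal_vault() {
  submitted=0
  while IFS= read -r share; do
    [ -n "$share" ] || continue
    vault unseal "$share" >/dev/null || return 1
    submitted=$((submitted + 1))
    # Ask the server, rather than counting to the threshold ourselves, so a
    # repeated or wrong share does not make us stop early.
    if vault status >/dev/null 2>&1; then
      echo "unsealed after $submitted key share(s)"
      return 0
    fi
  done
  echo "still sealed after $submitted key share(s)" >&2
  return 2
}

# Typical use: each custodian pastes only their own share, from their own session:
#   printf '%s\n' "$MY_SHARE" | unseal_vault
# Piping several shares from one file is only appropriate when one operator
# legitimately holds them (a lab box); otherwise it defeats the point of
# splitting the master key.
```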

You now have a Vault server that is ready for the File Fabric integration.  As configured here it is a single node with Consul data under /tmp, both processes running in interactive terminals, and a self-signed certificate; before calling it production, move the Consul data directory to persistent storage, run both binaries as services under unprivileged accounts, keep the unseal shares and root token out of your build notes, and revoke the initial root token once you have created less privileged tokens or auth methods.

For more information about the configuration options for your Vault server, see HashiCorp's configuration guides https://www.vaultproject.io/docs/configuration/index.html

This concludes our tutorial for deploying a Vault server into your estate and I hope you have enjoyed this and found it useful.

 

 
