Ashish Singh Baghel's Blog

HashiCorp Vault

June 10, 2020

Installing Vault

  • Chocolatey on Windows

    choco install vault
  • Manual Installation

    After downloading Vault, unzip the package. Vault runs as a single binary named vault. Any other files in the package can be safely removed and Vault will still function.

    https://www.vaultproject.io/downloads

  • The final step is to make sure that the vault binary is available on the PATH

Verify the installation

PS C:\Users\Ashish> vault
Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    debug          Runs the debug command
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    print          Prints runtime configurations
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens
PS C:\Users\Ashish>

Advanced shell configuration

Command Completion

vault -autocomplete-install

Starting the Dev Server

Vault operates as a client/server application. The Vault server is the only piece of the Vault architecture that interacts with the data storage and backends. All operations done via the Vault CLI interact with the server over a TLS connection.

Starting the Dev Server

First, start a Vault dev server. The dev server is a built-in, pre-configured server that is not very secure but useful for playing with Vault locally.

vault server -dev

...
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: XSOpPJLLZsA9kkdZBtcYmuStaFSFK46zDO8AiGs6DvA=
Root Token: s.whfS6Rfp7sw2DWw1skHpVAaM

Development mode should NOT be used in production installations!
...

Notice that Unseal Key and Root Token values are displayed.

The dev server stores all its data in-memory (but still encrypted), listens on localhost without TLS, and automatically unseals and shows you the unseal key and root token.

PowerShell:

$Env:VAULT_ADDR = "http://127.0.0.1:8200"
# VAULT_ADDR will configure the Vault client to talk to our dev server

$Env:VAULT_DEV_ROOT_TOKEN_ID  = "s.whfS6Rfp7sw2DWw1skHpVAaM"
# Setting this environment variable is a way to provide the token to Vault.

Verify the Server is Running

vault status

Your First Secret

Writing a Secret

vault kv command

vault kv put secret/hello foo=world

This writes the pair foo=world to the path secret/hello.

vault kv put secret/hello foo=world excited=yes

The vault kv command interacts with K/V secrets engines.

Warning: The examples in this guide use the <key>=<value> input to send secrets to Vault. However, sending data as part of the CLI command often ends up in the shell history unencrypted. To avoid this, refer to the documentation or the Static Secrets: Key/Value Secrets Engine guide to learn different approaches.

Getting a Secret

Secrets can be retrieved with vault kv get.

vault kv get secret/hello

Vault gets the data from storage and decrypts it. The output format is purposefully whitespace separated to make it easy to pipe into a tool like awk.

This contains some extra information. To print only the value of a given field, use the -field=<key_name> flag.

vault kv get -field=excited secret/hello

Optional JSON output is very useful for scripts. For example, you can use the jq tool to extract the value of the excited secret.

vault kv get -format=json secret/hello

# jq works in bash:
# vault kv get -format=json secret/hello | jq -r .data.data.excited
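Added example, not from the original post: the PowerShell way to act on the shell-history warning above and on the jq note, by handing the secret to vault kv put through a JSON file and parsing -format=json output with ConvertFrom-Json. The temp file name and field values are constructed for this example; it assumes the dev server and VAULT_ADDR set up earlier in the post.

```powershell
# Added example (not from the original post): keep secret values out of the
# PowerShell command history, then read them back as JSON from PowerShell.
# Assumes the dev server from the post is running and VAULT_ADDR is set.

# 1. Read the value interactively. Read-Host input is not written to the
#    command history, unlike a key=value argument typed on the command line.
$excited = Read-Host -Prompt "Value for 'excited'"

# 2. Build the key/value map and write it to a temporary JSON file
#    (the file name and the field names are constructed for this example).
$secretFile = Join-Path $Env:TEMP "hello.json"
@{ foo = "world"; excited = $excited } | ConvertTo-Json | Set-Content -Path $secretFile -Encoding ascii

# 3. The @<file> argument makes vault kv put read the map from the file,
#    so the secret never appears on the command line or in the history.
vault kv put secret/hello "@$secretFile"

# 4. Remove the file as soon as Vault has accepted it.
Remove-Item $secretFile

# 5. PowerShell equivalent of the jq pipeline: Out-String joins the output
#    lines so ConvertFrom-Json receives one document (needed on Windows
#    PowerShell 5.1). With the KV version 2 engine at secret/, the values
#    live under data.data.
$secret = vault kv get -format=json secret/hello | Out-String | ConvertFrom-Json
$secret.data.data.excited
```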

Deleting a Secret

Delete a secret using the vault kv delete command.

vault kv delete secret/hello

We used powerful CRUD features of Vault to store arbitrary secrets. On its own, this is already a useful but basic feature.

Secret Engines

Enable a Secrets Engine

To get started, we will enable the kv secrets engine. Each path is completely isolated and cannot talk to other paths.

vault secrets enable -path=kv kv

The path where the secrets engine is enabled defaults to the name of the secrets engine.

Thus, the following command is equivalent to executing the above command.

vault secrets enable kv

To verify our success and get more information about the secrets engine, use the vault secrets list command:

vault secrets list

Write a secret to the new path:

vault kv put kv/hello target=world

To read the secrets stored in the kv/hello path, use the kv get command.

vault kv get kv/hello

List existing keys at the kv path.

vault kv list kv/

Disable a Secrets Engine

vault secrets disable kv/

Note that this command takes a PATH to the secrets engine as an argument, not the TYPE of the secrets engine.

Any requests to route data to the original path would result in an error, but another secrets engine could now be enabled at that path.

Next Steps

Due to the importance of securing secrets, it is recommended to read the following as next steps.

  • Documentation - The documentation is an in-depth reference guide to all the features of Vault.

© 2021 Ashish Singh Baghel, Built with Gatsby