I’m not going to introduce the basic concepts of Vault; this post only focuses on how to initialize it more securely. It is a step-by-step guide to help you build a simple test setup.
Requirements:
- docker
- gpg
Here are the steps:
0x01 Starting a Vault Server
- start the Vault server
docker run --rm --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "listener": {"tcp":{ "address": "0.0.0.0:8201","tls_disable":"true"}}, "ui":"true"}' -e "VAULT_API_ADDR=http://0.0.0.0:8201" -p 8201:8201 vault server
notice:
- If you didn’t enable the UI option, you will see the error "404 page not found"
- you can change the listening port, but then you also have to change the port mapping from the Docker container to the host
- access http://127.0.0.1:8201 (plain HTTP, since this test config sets tls_disable to true) and you will see the initialization page. Input the number of key shares and the key threshold.
0x02 Prepare GPG Public Keys
- generate a PGP key with gpg --full-generate-key
- make sure each Key Custodian has created their own PGP key and shared the public key with you. For example, if you set 3 key shares in the first step, you need 3 PGP public keys, plus another one for the root token.
0x03 Seal it
When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it.
Unsealing is the process of obtaining the plaintext master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
- export the PGP public key and encode it with base64
gpg --list-keys
As you can see, I created 3 PGP keys for testing.
gpg --export -a 'kso-01' > vault-admin.public
notice: was not
- enable text mode and paste the 4 PGP public keys you exported in the last step into the dashboard
- Download the keys and the root token, which are encrypted with the PGP keys
You can also click the button to show the ciphertext, but you can’t recover the real key without the matching PGP private key.
Since you need to distribute these keys to each Key Custodian, the better way is to download them.
0x04 Unseal it
- Suppose all key custodians have received their keys. Now each one needs to decrypt their share to get the plaintext:
echo xxxxxxxxxxxxx29a51e0dxxxxxxxxxxxxxxxxxxxxb48e7e5a83915a662989xxxxxxxxxxxxxxxxxxxx4077153525b0547841d52aab4dfab26f2e265f417f5e11c3a00 | xxd -r -p | gpg -d
and enter those keys in the dashboard
0x05 Log in to Vault
- decrypt the root token and log in:
echo xxxxxxxxxx+xxxxxxxxxxxxxxxxxxxx++xxxxxxx | base64 -d | gpg -d
Notice
- Note that the decryption steps differ on the two sides: use xxd -r -p | gpg -d to decrypt key shares (they are hex-encoded) and base64 -d | gpg -d to decrypt the root token (it is base64-encoded).
- seal it again when you are done
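To make the encoding difference above less error-prone, here is an added example (not code from the original post or from HashiCorp) that splits an init response into one raw OpenPGP blob per custodian, so each custodian only runs gpg -d on their own file. It assumes the field names of vault operator init -format=json (the UI download may differ) and uses constructed fake ciphertexts; kso-01 is the key name from this post, the other custodian names are made up.

```python
import base64
import binascii
import json

# Constructed sample init response. Field names follow `vault operator init -format=json`
# (assumption: the UI's downloaded file may name them differently). The ciphertexts are
# fake bytes that only mimic an OpenPGP packet header; they are not real PGP messages.
FAKE_SHARE = bytes([0x85, 0x00, 0x10]) + b"A" * 16   # old-format PKESK header (tag 1)
FAKE_TOKEN = bytes([0x85, 0x00, 0x10]) + b"B" * 16
SAMPLE_INIT = json.dumps({
    "unseal_shares": 3,
    "unseal_threshold": 2,
    "unseal_keys_hex": [FAKE_SHARE.hex()] * 3,            # one share per PGP key, hex-encoded
    "root_token": base64.b64encode(FAKE_TOKEN).decode(),  # root token is base64-encoded
})


def looks_like_openpgp(blob: bytes) -> bool:
    # RFC 4880 section 4.2: bit 7 of the first octet of any packet header is always set.
    return len(blob) > 2 and (blob[0] & 0x80) == 0x80


def split_init_output(init_json: str, custodians: list[str]) -> dict[str, bytes]:
    """Decode each PGP-encrypted share and the root token into raw binary blobs.

    Shares are hex (the post's `xxd -r -p`), the root token is base64 (`base64 -d`).
    Returns {custodian: blob, ..., "root_token": blob}; each blob only needs `gpg -d`.
    """
    data = json.loads(init_json)
    shares = data["unseal_keys_hex"]
    if len(shares) != len(custodians):
        raise ValueError(f"{len(shares)} shares but {len(custodians)} custodians")
    blobs = {}
    for name, share_hex in zip(custodians, shares):
        blob = binascii.unhexlify(share_hex)   # fails loudly on base64 input, by design
        if not looks_like_openpgp(blob):
            raise ValueError(f"share for {name} is not an OpenPGP packet")
        blobs[name] = blob
    token = base64.b64decode(data["root_token"], validate=True)
    if not looks_like_openpgp(token):
        raise ValueError("root token is not an OpenPGP packet")
    blobs["root_token"] = token
    return blobs


if __name__ == "__main__":
    for name, blob in split_init_output(SAMPLE_INIT, ["kso-01", "kso-02", "kso-03"]).items():
        with open(f"{name}.gpg", "wb") as f:   # hand kso-01.gpg to custodian kso-01, etc.
            f.write(blob)
```

Each custodian then decrypts only their own file with gpg -d kso-01.gpg, and the root_token.gpg file goes to whoever holds the fourth key.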
0x06 Conclusion
This is a simple tutorial to help you build a Vault server with Docker and make sure the keys are shared safely with each person. There are many more details to take care of when you deploy it into production.
For example:
- use a different storage backend
- configure a certificate for TLS
and so on.
There are also many additional features in the enterprise version.
For example:
- integrate Vault with an HSM
- HA mode & DR mode
You can find more details here: https://www.hashicorp.com/products/vault/pricing