HashiCorp Vault is a tool for securely accessing secrets. It handles the management of secrets and sensitive data for shared access in modern computing.
Some key points about Vault:
It secures, stores and tightly controls access to secrets like passwords, keys, tokens, certificates, and API keys.
Vault handles leasing, key revocation, key rolling and auditing of secrets.
It provides a unified API to manage every secret while providing tight access control and audit logs.
Vault encrypts data at rest and in transit using strong encryption algorithms.
It was built with high availability and multi-datacenter replication in mind.
Vault supports multiple authentication, storage and audit backends.
Vault allows dynamic secrets generation where secrets are automatically revoked after the lease expires.
A secret in Vault refers to any sensitive data that needs to be securely accessed and managed.
Vault's main purpose is to securely manage these secrets by:
Storing secrets in an encrypted format
Validating and authorizing clients before providing access to secrets
Associating secrets with access control policies to restrict access
Auditing all requests to secrets
Allowing secrets to be revoked and rolled over
In summary, HashiCorp Vault provides a centralized, secure solution to manage secrets at scale. It eliminates the need to hardcode or share credentials in application code. Instead, applications request secrets dynamically from Vault during runtime.
Now we will move on to the demo.
First we need to create an EC2 instance on which we will install HashiCorp Vault.
Log in to your AWS account.
Navigate to EC2 and click "Launch Instance".
Name: vault-demo
Number of Instances: 1
Application and OS image: Ubuntu
Instance type: t2.micro
Key pair: create a new one or use the existing one
Keep the rest of the settings at their defaults and click "Launch Instance".
Now we will SSH into our EC2 instance using the command:
ssh -i {path of pem file} ubuntu@{Public IPv4 address}
Now we will install HashiCorp Vault on our EC2 instance:
Install gpg
sudo apt update && sudo apt install gpg
Download the signing key to a new keyring
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
Verify the key's fingerprint
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
Add the HashiCorp repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
Install Vault
sudo apt install vault
To start Vault in dev mode, use the following command. Dev mode starts already unsealed, keeps everything in memory and serves plain HTTP, so it is for learning only; whatever you store in it is gone once the process exits.
vault server -dev -dev-listen-address="0.0.0.0:8200"
After running the above command your Vault server will be up. Open your browser at:
http://{Public ip address of instance}:8200
The Vault UI will load, provided the instance's security group allows inbound TCP port 8200 from your address.
The server printed a Root Token in the terminal when it started; copy that token and use it to sign in.
After signing in you will land on the Vault dashboard:
On the left side you will see a lot of options, but today we will look at Secrets Engines, Access and Policies.
Secrets engines can be thought of as the different types of secrets you can manage in HashiCorp Vault. For example, to store a Kubernetes secret we can use the Kubernetes secrets engine, which needs the cluster details to be configured, while for a simple key-value pair such as a username and password we use the "KV" engine.
To create a new KV engine, navigate to Secrets Engines, click "Enable a Secrets Engine", then select KV.
The path is where the engine is mounted, and therefore where your secrets will live under it; set it and click "Enable Engine".
Now click "Create secret" and you will be taken to a new form in which you enter the secret you want to store.
After filling in all the details click "Save".
Congrats!! You stored your first secret using HashiCorp Vault. To access this secret we need to create some policies, which we will see in the upcoming blog.
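The same enable-KV / store / read workflow that the post performs in the UI, driven instead through Vault's HTTP API from the Python standard library. This is an added example, not code from the original post or from HashiCorp; it assumes the dev server started above (address http://127.0.0.1:8200 and the root token it printed are placeholders), and the token parser and request-body helpers are pure functions so they can be checked without a running Vault.

```python
import json
import re
import urllib.request

# 'vault server -dev' prints a "Root Token: hvs...." line in its startup banner.
ROOT_TOKEN_RE = re.compile(r"^Root Token:\s*(\S+)\s*$", re.MULTILINE)

def parse_dev_root_token(server_output: str) -> str:
    """Extract the root token from the text the dev server prints on startup."""
    match = ROOT_TOKEN_RE.search(server_output)
    if match is None:
        raise ValueError("no 'Root Token:' line found in server output")
    return match.group(1)

def kv2_mount_body(description: str = "") -> dict:
    """Request body for POST sys/mounts/<path> that enables a KV version 2 engine."""
    return {"type": "kv", "options": {"version": "2"}, "description": description}

def kv2_write_body(secret: dict) -> dict:
    """KV v2 expects the key/value pairs wrapped under a top-level 'data' key."""
    return {"data": secret}

def kv2_read_values(response: dict) -> dict:
    """A KV v2 read nests the values at data.data; data.metadata holds version info."""
    return response["data"]["data"]

def vault_request(addr: str, token: str, method: str, path: str, body=None) -> dict:
    """Call the Vault HTTP API; a 204 response (e.g. from enabling a mount) yields {}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def store_and_read(addr: str, token: str, mount: str, name: str, secret: dict) -> dict:
    """Enable a KV v2 engine at `mount`, write `secret` under `name`, read it back."""
    vault_request(addr, token, "POST", f"sys/mounts/{mount}", kv2_mount_body("demo"))
    vault_request(addr, token, "POST", f"{mount}/data/{name}", kv2_write_body(secret))
    return kv2_read_values(vault_request(addr, token, "GET", f"{mount}/data/{name}"))

if __name__ == "__main__":
    # Placeholder address and token: the dev server from the post and the token it printed.
    values = store_and_read("http://127.0.0.1:8200", "hvs.REPLACE_WITH_ROOT_TOKEN", "demo-kv",
                            "app", {"username": "demo-user", "password": "constructed-example"})
    print(values)
```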
That's a wrap.................