How to Install HashiCorp Vault on Ubuntu 20.04

HashiCorp Vault is a free and open source tool for managing and securely storing passwords and for accessing secrets. With it we can easily create, update, read and delete secrets, authenticate, and unseal. It also provides a web interface for interacting with Vault.

Pre-requisite

Install HashiCorp Vault on Ubuntu

Update the system package index.

apt-get update

Download the vault zip file.

wget https://releases.hashicorp.com/vault/0.11.4/vault_0.11.4_linux_amd64.zip
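Before extracting, the zip can be checked against the checksum file published in the same release directory. This is an added example, not part of the original tutorial; the function name verify_release_zip and the vault_0.11.4_SHA256SUMS file name are assumptions.

```shell
# Added example: check a downloaded release zip against its SHA256SUMS file
# before unzipping. Fails closed on a missing, duplicate or malformed entry.

# verify_release_zip ZIP SUMS_FILE
# Returns 0 only when SUMS_FILE holds exactly one hash for ZIP's file name
# and that hash equals the SHA-256 of the file on disk.
verify_release_zip() {
    vrz_zip=$1
    vrz_sums=$2
    [ -f "$vrz_zip" ] && [ -f "$vrz_sums" ] || { echo "missing input file" >&2; return 2; }
    vrz_name=$(basename "$vrz_zip")

    # SHA256SUMS lines look like "<64 hex chars>  <file name>".
    # Compare the file name field exactly, never as a substring, and
    # print the hash only when exactly one line matched.
    vrz_expected=$(awk -v n="$vrz_name" \
        '$2 == n { h = $1; c++ } END { if (c == 1) print tolower(h) }' "$vrz_sums")

    case "$vrz_expected" in
        "")          echo "no unique entry for $vrz_name in $vrz_sums" >&2; return 3 ;;
        *[!0-9a-f]*) echo "malformed hash for $vrz_name" >&2; return 3 ;;
    esac
    [ "${#vrz_expected}" -eq 64 ] || { echo "malformed hash for $vrz_name" >&2; return 3; }

    vrz_actual=$(sha256sum "$vrz_zip" | awk '{ print $1 }')
    if [ "$vrz_actual" != "$vrz_expected" ]; then
        echo "CHECKSUM MISMATCH for $vrz_name: do not unzip" >&2
        return 1
    fi
    echo "OK: $vrz_name matches $vrz_sums"
}

# Usage with the release downloaded above (SHA256SUMS URL is an assumption,
# built from the same release directory as the zip):
#   wget https://releases.hashicorp.com/vault/0.11.4/vault_0.11.4_SHA256SUMS
#   verify_release_zip vault_0.11.4_linux_amd64.zip vault_0.11.4_SHA256SUMS \
#       && unzip vault_0.11.4_linux_amd64.zip
```

A matching checksum only shows the zip agrees with the checksum file; the checksum file itself should be fetched over HTTPS and, where a detached signature is published, verified with gpg.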

Install unzip and extract the downloaded file.

apt-get install unzip
unzip vault_0.11.4_linux_amd64.zip

Move the extracted file to /usr/bin/.

mv vault /usr/bin

Create a directory /etc/vault for configuration.

mkdir /etc/vault

Create a new configuration file.

vim /etc/vault/config.hcl

Add the following lines:

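storage "consul" {
  # Address of the Consul agent; alternatively "0.0.0.0:8500"
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  # Replace server-ip with the server's IP address, or use "0.0.0.0:8200"
  address     = "server-ip:8200"
  # TLS is disabled here, so tokens and secrets cross the network in plaintext
  tls_disable = 1
}

# Enable the web interface
ui = true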

Create a vault service file.

vim /etc/systemd/system/vault.service

Add the following lines:

[Unit]
Description=Vault
Documentation=https://www.vaultproject.io/
 
[Service]
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=65536
 
[Install]
WantedBy=multi-user.target

Reload systemd, then start and enable the Vault service:

systemctl daemon-reload
systemctl start vault
systemctl enable vault

Set the Vault server address for the CLI.

export VAULT_ADDR=http://server-ip:8200

Initialize the vault service.

vault operator init

Here is the command output:

Unseal Key 1: Dhmn4caf16eRA1v8Hi9xNA6axGITpREcM/Q4c6UCulfH
Unseal Key 2: mQ9nD8KIU9HW9hiLY/ASxO6Kpkn13kBPxHFLW5U+HzrJ
Unseal Key 3: VjoY8HTLpDjK9IgQ9wJf1NvonerDxngTP8JpXCzckjkz
Unseal Key 4: SCKLcgP2gQgVjOi+FrjNO+lzKnFWZA3LBGfe2y6qHSr2
Unseal Key 5: NlOvc4aqYNsEyERfEuflDyS9L+GseFA/OK1YG/nkThy+

Initial Root Token: s.4F3cE2EbHZaWAuW90BPmowur

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Access the HashiCorp Vault web interface

http://server-ip:8200

Here is the output:

  • Copy an unseal key from the terminal.
  • Paste the key to unseal the vault.
  • Click on Unseal.

 

Fig 1

 

  • When the Vault service is initialized, we get a token.
  • Copy the Initial Root Token from the terminal.
  • Paste the token.
  • Click on Sign in.

 

Fig 2

 

  • Now HashiCorp Vault is ready.
  • We need to add secrets, so click on cubbyhole.

 

Fig. 3

 

  • Click on Create Secret.

 

Fig. 4

 

  • Provide the secret path.
  • Enter the secret data as a key and value.
  • Click on Save.

 

Fig. 5

 

  • The new secret data is successfully added.

 

Fig. 6

 

  • Now add a new secret engine.
  • Click on Enable New Engine.

 

Fig. 3

 

  • Select the secret engine: choose Consul.
  • Click on Next.

 

Fig. 7

 

  • Click on Enable the Engine.

 

Fig. 8

 

  • Now the new secret engine is ready.

 

Fig. 5

 
