Integration Tools

HashiCorp

HashiCorp has several products; the two relevant here are:

  1. For security (secrets management) – Vault
  2. For service networking – Consul



VAULT

Vault comes with pluggable components, called secrets engines and authentication methods, that let it integrate with external systems.

Terms –

Vault – the server that stores secrets (credentials, keys and other sensitive configuration values) and brokers access to them.

Starting the server
  1. Install Vault.
  2. Start the Vault server (the dev server listens on port 8200):
    1. use the command: vault server -dev

To check whether the Vault server is running and reachable:

vault status

It exits 0 when the server is initialized and unsealed, 2 when it is sealed, and 1 on an error such as an unreachable address.


Detailed walkthrough (HashiCorp):
https://learn.hashicorp.com/tutorials/vault/getting-started-dev-server

Note: The dev server stores all its data in memory (still encrypted), listens on localhost without TLS, and starts already unsealed, printing the unseal key and the root token to the console.

Insecure operation: Do not run a Vault dev server in production. It is used here only so that the demonstration can skip the init and unseal steps.

Configuration to connect the client with the (dev) Vault server

Note: To interact with Vault you need to configure a few environment variables.

export VAULT_ADDR='http://127.0.0.1:8200'
Description:
1. The Vault CLI uses the VAULT_ADDR environment variable to decide which Vault server to send requests to.
2. Without it the CLI defaults to https://127.0.0.1:8200, so against the dev server (plain HTTP) vault status fails with a connection error.

Note: To avoid logging in repeatedly, you can export the root token printed at dev-server startup. Be aware that a token exported on the command line ends up in your shell history; vault login instead saves the token to ~/.vault-token with owner-only permissions, and the root token should be reserved for setup rather than everyday use.
Example:
$ export VAULT_TOKEN="s.XmpNPoi9sRhYtdKHaQhkHP6x"
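The checks a practitioner would script around these two settings, as an added example that is not from the original post or from HashiCorp: the first function refuses a VAULT_ADDR that would send the token over plain HTTP to anything but loopback (the dev server's only acceptable plaintext case), the second reports where the CLI will take its token from, and the third runs vault status with those guards in place. The file name and every hostname other than 127.0.0.1 and localhost are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): guards for the
# client-side Vault settings. Remote hostnames mentioned below are made up.

# Accept VAULT_ADDR only if it is https, or plain http on loopback.
# The dev server listens on 127.0.0.1:8200 without TLS; pointing the CLI
# at any other host over http would send the token and every secret in
# clear text. (IPv6 loopback is deliberately not handled here.)
vault_addr_is_safe() {
    case "$1" in
        https://*) return 0 ;;
        http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
        http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
        *) return 1 ;;   # plain http to a remote host, or not a URL at all
    esac
}

# Report where the CLI will take its token from. An exported VAULT_TOKEN
# wins over the file written by "vault login" (~/.vault-token, mode 0600).
# Prints "environment" or "file"; returns 1 when neither is available.
vault_token_source() {
    if [ -n "${VAULT_TOKEN:-}" ]; then
        echo "environment"
    elif [ -s "${HOME:-/}/.vault-token" ]; then
        echo "file"
    else
        return 1
    fi
}

# Apply the address check to the current environment, then call the CLI
# if it is installed. vault status exits 0 when unsealed, 2 when sealed,
# 1 on error (for example when nothing listens on VAULT_ADDR).
vault_client_check() {
    addr="${VAULT_ADDR:-http://127.0.0.1:8200}"   # the dev server default
    if ! vault_addr_is_safe "$addr"; then
        echo "refusing to use plaintext Vault address: $addr" >&2
        return 1
    fi
    export VAULT_ADDR="$addr"
    echo "token source: $(vault_token_source || echo none)" >&2
    if command -v vault >/dev/null 2>&1; then
        vault status
    else
        echo "vault CLI not found; VAULT_ADDR=$addr is acceptable" >&2
    fi
}

# Only touch the CLI when explicitly asked, so the file can also be
# sourced for its functions: sh vault-client-check.sh check
if [ "${1:-}" = "check" ]; then
    vault_client_check
fi
```

Run it as `sh vault-client-check.sh check` after exporting VAULT_ADDR; against the dev server the address check passes and vault status runs. Pointing VAULT_ADDR at a remote host over http makes the script refuse before any request is sent, which is the failure mode the note above is warning about.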

CLI commands to interact with a secrets engine in Vault
Syntax:
vault kv <subcommand> [options] [args]
command to interact with the K/V secrets engine.
Example:
1. vault kv get secret/hello
2. vault kv put secret/hello foo=world
3. vault kv delete secret/hello
4. vault kv put secret/hello foo=world excited=yes [stores multiple pieces of data under one key; note: put replaces the whole value rather than merging, and because secret/ on the dev server is already a K/V version 2 engine this write becomes version 2 of the key, with version 1 still retrievable]
Default functionality:
1. The KV secrets engine is enabled at the secret/ path. The Key/Value secrets engine is a generic key-value store used to store arbitrary secrets within Vault's configured physical storage.
2. There are two versions of the KV secrets engine; the difference is that v2 keeps a version history of each key (and its delete is a soft delete that can be undone, unlike v1).
Secret engine

The commands above used the Key/Value v2 secrets engine to store data. Some secrets engines, like Key/Value, simply store and read data. Others connect to external services and generate dynamic credentials on demand.

You can think of them as plugins. Enable the secrets engine that meets your security needs.

Enabling secret engine

By default the KV secrets engine in the dev server is mounted at secret/, so every request to it starts with secret/. Note: the first segment of the path is how Vault decides which secrets engine an incoming request is routed to.

Command to enable secret engine:

vault secrets enable -path=kv kv

The path where the secrets engine is enabled defaults to the name of the secrets engine, so the following command is equivalent to the one above.

vault secrets enable kv

Both commands enable the secrets engine at kv/. Caveat: both of them enable version 1 of the KV engine; the versioned (v2) engine that secret/ uses in the dev server has to be requested explicitly, with the -version=2 option or by enabling the kv-v2 type.

How to list the enabled secrets engines and their types (kv or others):

vault secrets list
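An added example, not the post's or HashiCorp's code, that serves both the vault kv section and the enabling section above. The two offline functions show what the vault kv wrapper hides on a KV version 2 mount: the real API paths carry a data/ or metadata/ segment, and an ACL policy that names the CLI-style path secret/hello grants nothing on such a mount. The kv2_demo function then runs the versioning and enabling commands against a live dev server. The engine name secret and the key hello come from the post; the mount name kv, the policy name hello-reader, the key app/db and the file name are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from HashiCorp.
# Names "hello-reader", "app/db" and mount "kv" are made up.

# Map a CLI-style path (secret/hello) plus an operation to the KV v2 API
# path. "vault kv" inserts the data/ or metadata/ segment for you; ACL
# policies and raw "vault read/write" calls must spell it out.
kv2_api_path() {
    op="$1"
    mount="${2%%/*}"     # secret
    key="${2#*/}"        # hello, or app/db for a nested key
    case "$op" in
        data|metadata|delete|undelete|destroy)
            printf '%s/%s/%s\n' "$mount" "$op" "$key" ;;
        *)
            echo "kv2_api_path: unknown operation '$op'" >&2
            return 1 ;;
    esac
}

# Render a read-only policy for one key. A rule on secret/hello (the v1
# style path) matches nothing on a v2 mount, so the read would be denied.
kv2_read_policy() {
    printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$(kv2_api_path data "$1")"
}

# Walk through versioning and engine enablement on a running dev server
# (VAULT_ADDR and VAULT_TOKEN set as described above). Only runs when the
# script is invoked with the argument "demo", because it needs a live Vault.
kv2_demo() {
    vault kv put secret/hello foo=world               # creates version 1
    vault kv put secret/hello foo=world excited=yes   # version 2; put replaces, it does not merge
    vault kv get -version=1 secret/hello              # version 1 is still readable
    vault kv metadata get secret/hello                # lists every version and its state
    vault kv delete secret/hello                      # soft delete of the current version...
    vault kv undelete -versions=2 secret/hello        # ...which can be undone
    vault kv destroy -versions=1 secret/hello         # permanently removes that version's data
    vault kv metadata delete secret/hello             # removes the key and all its versions
    # Plain "vault secrets enable kv" would give version 1; ask for v2.
    vault secrets enable -path=kv -version=2 kv
    vault secrets list -detailed                      # shows each mount's type and options
    # Install the policy built from the v2 data path (read from stdin).
    kv2_read_policy secret/hello | vault policy write hello-reader -
}

if [ "${1:-}" = "demo" ]; then
    kv2_demo
fi
```

Run `sh kv2-demo.sh demo` against the dev server to see the version list change after each step; the policy written at the end is the one a non-root token would need to read secret/hello, and swapping its path for secret/hello is the mistake that makes such a token get permission denied on a v2 mount.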

Published by

sevanand yadav

software engineer working as a web developer, specializing in Spring MVC with MySQL and Hibernate