Using HashiCorp's Vault to keep your secrets
TL;DR: code example to build your own HashiCorp’s Vault server with TLS activated to keep your organization’s credentials in a safe place
Security in Information Technology is a broad term and I’m no expert on it. Security is also everybody’s responsibility when working for an organization that has software operating its products and services. Understanding how our role contributes to keeping the environment secure is critical for our success.
One of the simplest and most widely applied practices in software development is not storing credentials in code. But where do we store them? They have to be somewhere. That is where HashiCorp’s Vault project comes in. Vault is an open source project similar to managed tools like Google Cloud Key Management, Amazon Key Management Service, and Azure Key Vault. If you want less lock-in than those tools bring, HashiCorp’s Vault is probably your best option (more info on Vault here).
Let’s code!
All the code for this demo is available here: https://github.com/guisesterheim/vault_ansible.
This code installs Vault on a given instance based on Ubuntu Server 18. The examples target Microsoft Azure, but they will work without issues on any other cloud provider that offers Ubuntu Server 18 as a base image.
First, fix Vault’s credentials
Once you’ve cloned the repo, do the following:
- Search globally for “MY_VAULT_URL_HERE” and replace every occurrence according to your environment.
- Take a close look at the ansible-playbook command in the files sample_packer_config.json and sample_Vagrantfile and replace the database connection data with your environment’s. This playbook is ready to run with a PostgreSQL backend, so create your own PostgreSQL instance to replace all these credentials.
- If you want to activate TLS (HTTPS) for this server, take a look at the three files used in sample_packer_config.json and sample_Vagrantfile as well. You will have to provide them so Ansible can grab them and use them during the installation.
Second, run Vault installation
I’m not going to dive deep into the Ansible-driven installation here because I’ve already done it here. Follow step 1, “How to run it”; for your own internal tests the Vagrant section of step 1 should be enough.
Third, let’s start the Vault server:
After creating a local instance with Vagrant, SSH into the machine with “sudo vagrant ssh” and go through the following steps:
1. sudo service vault stop
2. sudo lsof -i -P -n | grep LISTEN
This shows whether Vault was left holding port 8200. If so, run sudo kill <PID>
3. sudo echo export VAULT_ADDR=https://localhost:8200 >> ~/.bashrc
4. sudo service vault restart
5. Leave the VM and log back in so the ~/.bashrc file is loaded into the terminal.
6. Your ultimate test is running vault status; it should print the server status, including whether it is initialized and sealed.
7. Then use vault operator init to initialize the server. This step is not needed (it will throw an error) if you are redeploying a server on top of a database that was already in use.
8. Grab the generated unseal keys and the root token.
9. Now run vault operator unseal three times, pasting a different unseal key each time from the ones you got in step 7.
10. You’re done! Now you should be able to access https://localhost:8200. Go back to your machine and have fun.
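The status, init and unseal steps above can be scripted against the CLI’s JSON output. The following Python is an added example, not code from the vault_ansible repository: it assumes the vault binary is on PATH and VAULT_ADDR points at the server, and it takes a `run` callable so the logic can be exercised offline against the constructed FakeVault below (the key and token values in SAMPLE_INIT_OUTPUT are placeholders). It also shows why the steps insist on three different keys: resubmitting the same share does not advance the unseal progress.

```python
"""Added example (not part of the original repository): automate the status / init /
unseal sequence from the steps above using the Vault CLI's JSON output.

Assumptions: the `vault` binary is on PATH and VAULT_ADDR points at the server. The
functions take a `run` callable so the logic can be exercised offline with the
constructed FakeVault below instead of a live server.
"""
import json
import subprocess


def cli_runner(argv):
    """Run one vault CLI command and return its stdout.

    `vault status` exits 2 when the server is sealed, so a non-zero exit code
    is not treated as a failure here; the JSON body carries the state we need.
    """
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def vault_status(run):
    """Parsed output of `vault status -format=json`."""
    return json.loads(run(["vault", "status", "-format=json"]))


def parse_init_output(text):
    """Extract unseal keys, threshold and root token from `vault operator init -format=json`.

    Store these somewhere safe immediately; the server never shows them again.
    """
    data = json.loads(text)
    return data["unseal_keys_b64"], data["unseal_threshold"], data["root_token"]


def ensure_unsealed(run, keys):
    """Submit distinct unseal keys until the server reports sealed=false.

    Returns the number of keys submitted (0 if the server was already unsealed).
    Duplicate keys are dropped up front: resubmitting a share does not advance
    the unseal progress, which is why the steps above insist on different keys.
    """
    status = vault_status(run)
    if not status["initialized"]:
        raise RuntimeError("server is not initialized; run `vault operator init` first")
    if not status["sealed"]:
        return 0
    used = 0
    for key in dict.fromkeys(keys):  # dedupe while keeping the order given
        status = json.loads(run(["vault", "operator", "unseal", "-format=json", key]))
        used += 1
        if not status["sealed"]:
            return used
    raise RuntimeError(
        f"still sealed after {used} key(s): progress {status['progress']}/{status['t']}"
    )


class FakeVault:
    """Constructed stand-in for the vault CLI so this example runs offline.

    Models a Shamir seal with n shares and threshold t that, like the real
    server, only counts distinct shares towards the unseal progress.
    """

    def __init__(self, keys, threshold):
        self.keys, self.t = list(keys), threshold
        self.sealed, self.submitted = True, set()

    def _status(self):
        return json.dumps({"initialized": True, "sealed": self.sealed, "t": self.t,
                           "n": len(self.keys), "progress": len(self.submitted)})

    def __call__(self, argv):
        if argv[1:3] == ["operator", "unseal"]:
            key = argv[-1]
            if key not in self.keys:
                raise ValueError("invalid unseal key")  # the real CLI errors out here too
            if self.sealed:
                self.submitted.add(key)
                if len(self.submitted) >= self.t:
                    self.sealed, self.submitted = False, set()
        return self._status()


# Constructed sample of `vault operator init -format=json` (5 shares, threshold 3);
# the key and token values are placeholders, not real material.
SAMPLE_INIT_OUTPUT = json.dumps({
    "unseal_keys_b64": [f"CONSTRUCTED-share-{i}" for i in range(1, 6)],
    "unseal_threshold": 3,
    "root_token": "s.CONSTRUCTED-root-token",
})

if __name__ == "__main__":
    keys, threshold, root_token = parse_init_output(SAMPLE_INIT_OUTPUT)
    fake = FakeVault(keys, threshold)
    # The duplicated first share is ignored, so three distinct shares are still needed.
    print("keys submitted:", ensure_unsealed(fake, [keys[0], keys[0], keys[1], keys[2]]))
    # Against a live server, replace `fake` with `cli_runner`.
```

Against a real server, pass `cli_runner` instead of the fake and feed `parse_init_output` the captured output of `vault operator init -format=json`; keep in mind that the init output is the only time the unseal keys and root token are shown, so the script should hand them to your key custodians rather than leave them on disk.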