Installing Vault

• Vault is platform agnostic….meaning it can be run on many different

underlying platforms
Kubernetes

Cloud-based Machines (AWS Instances, Azure Virtual Machines)

VMware Virtual Machines

Physical Servers

A Laptop
 Installing Vault

• Vault is also available for many operating systems…

ü macOS
ü Windows
ü Linux
ü FreeBSD
ü NetBSD
ü OpenBSD
ü Solaris
Installing Vault
Order of OperaQons

1 Install Vault

2 Create Configuration File

3 Initialize Vault

4 Unseal Vault
 Installing Vault
• So where do I download Vault?
• vaultproject.io
• releases.hashicorp.com/vault
• You can also download/install Vault using your preferred package manager as well (apt, yum, even
homebrew (community supported) )
Terminal
$ sudo apt update && sudo apt install gpg

$ wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null

$ gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg –fingerprint

$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" |

sudo tee /etc/apt/sources.list.d/hashicorp.list

$ sudo apt update && sudo apt install vault

• Use the Vault Helm Chart to install/configure Vault on Kubernetes

Terminal
$ helm install vault hashicorp/vault
Installing Vault

Download Vault from HashiCorp

Unpackage Vault to a Directory

Set Path to Executable

Running Vault Dev Server

Quickly run Vault without configuration Non-Persistent – Runs in memory

Automatically initialized and unsealed Insecure – doesn’t use TLS

Enables the UI – available at localhost Sets the listener to 127.0.0.1:8200

Provides an Unseal Key Mounts a K/V v2 Secret Engine

AutomaBcally logs in as root Provides a root token

Where Would I Use Dev Server?

Proof of Concepts

New Development Integrations

Testing New Features of Vault

Dev Server Mode Experimenting with Features

Installing Vault

Download Vault from HashiCorp

Unpackage Vault to a Directory

Set Path to Executable

$ vault server -dev

 Running Vault Server in Production

• Deploy one or more persistent nodes via configuration file

• Use a storage backend that meets the requirements
• Multiple Vault nodes will be configured as a cluster
• Deploy close to your applications
• Most likely, you’ll automate the provisioning of Vault
 Running Vault Server in Production

• To start Vault, run the vault server –config=<file> command

• In a production environment, you'll have a service manager executing
and managing the Vault service (systemctl, Windows Service Manager,
etc.)

• For Linux, you also need a systemd file to manage the service for Vault
(and Consul if you're running Consul)
 Running Vault Server in Production

• Systemd for a Vault service:

• https://github.com/btkrausen/hashicorp/blob/master/vault/config_files/vault.service

• Systemd file for a Consul Server:

• https://github.com/btkrausen/hashicorp/blob/master/consul/consul.service

• Systemd for a Consul client (that would run on the Vault node):
• https://github.com/btkrausen/hashicorp/blob/master/vault/config_files/consul-client.json
Running Vault Server in ProducKon
Single Node

Not a Recommended Architecture

• No Redundancy
----
--
• No Scalability
--

Configuration
TLS
File

Storage
Backend
Running Vault Server in Production
MulQ-Node Vault Cluster (with Integrated Storage)

Vault Node A Vault Node B Vault Node C

Integrated Storage
Replication
(network)
Running Vault Server in Production
Multi-Node Vault Cluster (with external storage backend)

Vault Node A Vault Node B Vault Node C

Storage
Backend (HA)
 Running Vault Server in Production
Step-by-Step Manual Install

1 Download Vault from HashiCorp 5 Create Systemd Service File

2 Unpackage Vault to a Directory 6 Download Consul from HashiCorp

3 Set Path to Executable 7 Configure and Join Consul Cluster

4 Add ConfiguraBon File & Customize 8 Launch Vault Service

Deploying the Consul Storage Backend

Provides Durable K/V Storage For Vault Supports High Availability

Can Independently Scale Backend Distributed System

Easy To Automate Built-in Snapshots For Data Retention

Built-in Integration Between Consul/Vault HashiCorp Supported

 Deploying the Consul Storage Backend

• Consul is deployed using multiple nodes and configured as a cluster

• Clusters are deployed in odd numbers (for voting members)
• All data is replicated among all nodes in the cluster
• A leader election promotes a single Consul node as the leader
• The leader accepts new logs entries and replicates to all other nodes
• Consul cluster for Vault storage backend shouldn’t be used for Consul
functions in a production setting
Deploying the Consul Storage Backend
Region

VPC

Availability Zone 1 Availability Zone 2 Availability Zone 3

Private Subnet Private Subnet Private Subnet

Special Install of Consul using Redundancy Zones

 Deploying the Consul Storage Backend

Vault Node A Vault Node B Vault Node C

Vault
Communicates
with local
Consul Agent

Local Consul Agent

joins the Consul cluster
as client
Deploying the Consul Storage Backend
Example Consul Server Configuration File

storage "consul" {
address = "127.0.0.1:8500"
path = "vault/"
token = "1a2b3c4d-1234-abdc-1234-1a2b3c4d5e6a"
}
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_disable = 0
tls_cert_file = "/etc/vault.d/client.pem"
tls_key_file = "/etc/vault.d/cert.key"
tls_disable_client_certs = "true"
}
seal "awskms" {
region = "us-east-1"
kms_key_id = "12345678-abcd-1234-abcd-123456789101",
endpoint = "example.kms.us-east-1.vpce.amazonaws.com"
}
api_addr = "https://vault-us-east-1.example.com:8200"
cluster_addr = " https://node-a-us-east-1.example.com:8201"
cluster_name = "vault-prod-us-east-1"
ui = true
log_level = "INFO"
https://github.com/btkrausen/hashicorp/blob/master/vault/config_files/vault.hcl
Deploying the Consul Storage Backend
Example Consul Server Configuration File
{
"log_level": "INFO",
"server": true,
"key_file": "/etc/consul.d/cert.key",
"cert_file": "/etc/consul.d/client.pem",
"ca_file": "/etc/consul.d/chain.pem",
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true,
"ui": true,
"encrypt": "xxxxxxxxxxxxxx",
"leave_on_terminate": true,
"data_dir": "/opt/consul/data",
"datacenter": "us-east-1",
"client_addr": "0.0.0.0",
"bind_addr": "10.11.11.11",
"advertise_addr": "10.11.11.11",
"bootstrap_expect": 5,
"retry_join": ["provider=aws tag_key=Environment-Name tag_value=consul-cluster region=us-east-1"],
"enable_syslog": true,
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache",
"tokens": {
"agent": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
},
"performance": {
"raft_multiplier": 1
}
} https://github.com/btkrausen/hashicorp/blob/master/consul/config.hcl
Looking for More on Consul?

For a deeper dive on Consul, check

out my dedicated course on Consul:

Getting Started with

HashiCorp Consul

Coupons Available on github.com/btkrausen/hashicorp

Deploying the Integrated Storage Backend

Vault Internal Storage Option Supports High Availability

Leverages RaG Consensus Protocol Only need to troubleshoot Vault

All Vault nodes have copy of Vault's Data Built-in Snapshots For Data Retention

Eliminates Network Hop to Consul HashiCorp Supported

 Deploying the Integrated Storage Backend

• Integrated Storage (aka Raft) allows Vault nodes to provide its own
replicated storage across the Vault nodes within a cluster
• Define a local path to store replicated data
• All data is replicated among all nodes in the cluster
• Eliminates the need to also run a Consul cluster and manage it
Deploying the Integrated Storage Backend
Vault Node A Vault Node B Vault Node C

tcp/8201

Vault Node D Vault Node E

Deploying the Integrated Storage Backend
Example Vault Server ConfiguraOon File

storage "raft" {
path = "/opt/vault/data"
node_id = "node-a-us-east-1.example.com"
retry_join {
auto_join = "provider=aws region=us-east-1 tag_key=vault tag_value=us-east-1"
}
}
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_disable = 0
tls_cert_file = "/etc/vault.d/client.pem"
tls_key_file = "/etc/vault.d/cert.key"
tls_disable_client_certs = "true"
}
seal "awskms" {
region = "us-east-1"
kms_key_id = "12345678-abcd-1234-abcd-123456789101",
endpoint = "example.kms.us-east-1.vpce.amazonaws.com"
}
api_addr = "https://vault-us-east-1.example.com:8200"
cluster_addr = " https://node-a-us-east-1.example.com:8201"
cluster_name = "vault-prod-us-east-1"
ui = true
log_level = "INFO"
https://github.com/btkrausen/hashicorp/blob/master/vault/config_files/vault_int_storage.hcl
 Deploying the Integrated Storage Backend

• Manually join standby nodes to the cluster using the CLI:

Terminal

$ vault operator raft join https://active_node.example.com:8200

Vault Node A Vault Node B Vault Node C Vault Node D Vault Node E

HA
Cluster
Leader Follower Follower Follower Follower

Replicated Data
 Deploying the Integrated Storage Backend

• List the cluster members

Terminal

$ vault operator raft list-peers

Node Address State Voter

---- ------- ----- -----
vault_1 10.0.101.22:8201 leader true
vault_2 10.0.101.23:8201 follower true
vault_3 10.0.101.24:8201 follower true
vault_4 10.0.101.25:8201 follower true
vault_5 10.0.101.26:8201 follower true
END OF SECTION