Starting by unsealing Vault

Download the latest binary from the Vault project's website (https://www.vaultproject.io/downloads.html) for your operating system and install it. Vault reads its server configuration from a file, which we will call vault.conf, in which we specify the options Vault needs to start. Here is a sample vault.conf file that you can use:

backend "inmem" {
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true

In the vault.conf file, we select the in-memory storage backend (everything Vault stores lives only in the process's memory and is lost when it stops), explicitly set the address and port that the listener binds to, and disable TLS/SSL so that Vault speaks plain HTTP. disable_mlock = true lets the operating system swap Vault's memory to disk. These settings are convenient for a local walkthrough but not for anything real: with TLS off and the listener bound to 0.0.0.0, any host that can reach port 8200 can read tokens and secrets in transit, so bind to 127.0.0.1 if you do not need remote access, and leave mlock enabled and TLS on outside a lab. Note also that this is the older configuration syntax; from Vault 0.8 the stanza is named storage instead of backend, and later releases moved the init and unseal commands used below under vault operator.

Start Vault by specifying the location of the vault.conf file with the following command:

./vault server -config vault.conf

As you can see from the screenshot below, Vault logs on startup that it is running in plain text mode (with TLS/SSL disabled):

Figure 8: Starting and configuring Vault

Open a new command prompt, which is where we will now administer Vault. The vault CLI is also the client, and it finds the server through the VAULT_ADDR environment variable. Set it with the following command; the http:// scheme tells the client to connect in plain text, matching the TLS/SSL setting we disabled in vault.conf:

export VAULT_ADDR=http://127.0.0.1:8200

After this, initialize Vault with its init command, which generates the master key shares and the initial root token. The command and its output are shown in the following screenshot:

Figure 9: Initializing Vault

The init run shown here produced five key shares with a key threshold of two, meaning that any two of the five shares are enough to unseal Vault. These values are fixed when Vault is initialized, and the shares and the initial root token are printed exactly once, so record them securely before going any further: without enough shares, the data stored in Vault cannot be recovered. The key shares are what unseal Vault; the root token is what you authenticate with once it is unsealed (see below). Before we can use Vault, it has to be unsealed.

Unsealing (https://www.vaultproject.io/docs/concepts/seal.html) is the process of reconstructing the master key from the supplied key shares; the master key decrypts the encryption key that protects the data, allowing access to the Vault. Until the threshold number of shares has been supplied, almost no operations are possible with Vault.

You can unseal Vault by executing the following command once per key share, with a different share each time, until the threshold is reached (two runs for the values used here). Vault reports its unseal progress after each run, and repeating a share it has already accepted does not advance it:

./vault unseal <any key generated using initialization>

The following screenshot shows the successful execution of the preceding command:

Figure 10: Unsealing Vault

Once it is unsealed, Vault is ready to store the secret data that you want to use in your application.

After you have successfully unsealed Vault, you need to authenticate before you can store any data. When we initialized Vault, we were shown an initial root token (on the screen), and this token is used to authenticate. One of the easiest ways to use it is to set the VAULT_TOKEN environment variable: the vault CLI client reads it and sends the token with every request it makes (the server is not affected). Keep in mind that the root token has unrestricted access to everything in Vault; it is fine for this walkthrough, but applications should be given tokens with narrower policies. Execute the following command, substituting the token from your own init output:

export VAULT_TOKEN=ee60f275-7b16-48ea-0e74-dc48b4b3729c

Once the preceding command is executed, you can write your first secret. The following command stores the key/value pair password=randomstring at the path secret/movie-application in Vault's default key/value secret backend:

./vault write secret/movie-application password=randomstring

After you enter the command, you should receive the following output:

Figure 11: Writing a secret to your Vault

Tokens are the primary way in which authentication is done in Vault: every request is ultimately authorized by a token. Other mechanisms, such as LDAP and username/password, can be used to obtain a token instead of handing one out directly.
