Running HashiCorp's Vault
Possibly the easiest way to run Vault is via Docker, which spares you most of the work of writing and placing configuration files. There are two modes of operation you'll use with Vault: development mode and production (server) mode. We'll get into that a little more later on. For this example we'll focus on HashiCorp's official image on Docker Hub.
Using Vault in Development Mode
Development mode (vault server -dev) strips away most of Vault's security settings: the server starts already initialized and unsealed, keeps everything in memory, listens without TLS, and prints a root token at startup that grants full access to the API. This is great for testing because it removes almost all of the setup work. The flip side is that nothing survives a restart and the root token is all anyone needs, so a dev-mode server must never be exposed beyond your own workstation. Once you start using Vault in a production environment, things become a little more involved.
Using Vault in Production Mode
Using Vault in production requires a few additional steps to get it running. Vault has the concept of sealing and unsealing its data. Everything written to the storage backend is encrypted with an encryption key, and that key is itself wrapped by a master key (newer documentation calls it the root key). The master key is never stored in plaintext. With the default seal it is split using Shamir's Secret Sharing into a number of unseal key shares, and a threshold of those shares must be presented, one per call to vault operator unseal or the sys/unseal API, before Vault can reconstruct the master key, decrypt the encryption key and serve requests. Until that happens the server is sealed: it is running and answers status requests, but cannot read or write any secrets. The alternative is auto-unseal, where the master key is wrapped by a key held in a cloud key management service or an HSM and Vault unseals itself on startup without anyone holding shares.
I present a simple step-by-step tutorial on how to launch Vault with an attached Docker volume and a small addition to the docker-entrypoint.sh script that unseals Vault automatically on startup.

I've included below a simple script that is run from the docker-entrypoint.sh script.
#!/bin/sh
# Unseal helper, started in the background by docker-entrypoint.sh.
# The vault CLI defaults to https://127.0.0.1:8200; point it at the listener
# this container actually exposes (plain HTTP assumed here, adjust if TLS is on).
export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# A single key only works if Vault was initialized with -key-shares=1 -key-threshold=1;
# with the default 5 shares / threshold 3, three different shares would be needed.
UNSEAL_KEY="<your unseal token here>"

echo ">>>> Right before vault initialization <<<<"
while true
do
    # Wait for TCP :8200 to be in LISTEN state (-u and -p from the original
    # netstat call only add UDP sockets and PIDs, which are not needed here).
    netstat -lnt | grep ':8200' | grep LISTEN > /dev/null
    verifier=$?
    if [ "$verifier" -eq 0 ]
    then
        echo "Unsealing Vault"
        vault operator unseal "$UNSEAL_KEY"
        break
    else
        echo "vault is not running yet"
        sleep 2
    fi
done
The trick to running this script is to first run the image in server mode, initialize Vault, capture the unseal key from the output of vault operator init and paste it into the script. Note that init produces five key shares with a threshold of three by default, so three different shares would have to be presented; a script with a single key assumes Vault was initialized with -key-shares=1 -key-threshold=1. You'll also want to capture the root token and store it in a safe location so you can log in to the Vault API. Just a note: while I agree that having the unseal token in a script is not ideal, in order to get the secrets-management tool chain working you'll need to have some level of trust. Here that trust lands on the host running Vault: anyone who can read the script, the container filesystem or the mounted volume holds both the encrypted data and the key that unseals it, so the important thing is to ensure that machine is secured, where only trusted members of your team have access. If a cloud KMS or HSM is available, auto-unseal keeps the key out of the container entirely and is the better option.
Finally, mount the above script into the container at /usr/local/bin/unseal.sh, make sure it is executable, and modify docker-entrypoint.sh to include the command /usr/local/bin/unseal.sh & near the top of the script, before the final exec that starts the server. This has the unseal process run in the background and unseal Vault once the listener is online.
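As an added example, not code from this post or from HashiCorp, here is a POSIX sh version of the same initialize-and-unseal step that works with Vault's default Shamir settings instead of a single hard-coded key. It keeps the output of vault operator init -format=json in a file on the mounted volume (the path /vault/file/init.json and the VAULT_ADDR default are assumptions), extracts the threshold and the key shares with sed so it runs on the jq-less Alpine image, waits on the exit code of vault status (0 unsealed, 2 sealed, anything else not reachable) instead of netstat, and presents exactly threshold shares. The init output in sample_init_json is constructed for illustration and its keys are not real.

```shell
#!/bin/sh
# Added example (not from the post or from HashiCorp): initialize Vault with
# the default Shamir seal and unseal it later from a saved init file.
# Assumes the `vault` CLI is on PATH and VAULT_ADDR points at the listener.
export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
INIT_FILE="${INIT_FILE:-/vault/file/init.json}"   # assumed location on the volume

# Constructed sample of `vault operator init -format=json` output (fake keys),
# so the parsing below can be exercised without a live server.
sample_init_json() {
    cat <<'EOF'
{
  "unseal_keys_b64": ["c2hhcmUx", "c2hhcmUy", "c2hhcmUz", "c2hhcmU0", "c2hhcmU1"],
  "unseal_keys_hex": ["736861726531", "736861726532", "736861726533", "736861726534", "736861726535"],
  "unseal_shares": 5,
  "unseal_threshold": 3,
  "recovery_keys_b64": [],
  "recovery_keys_hex": [],
  "recovery_keys_shares": 0,
  "recovery_keys_threshold": 0,
  "root_token": "hvs.constructed-root-token"
}
EOF
}

# Number of shares that must be presented, read from the init file.
unseal_threshold() {
    tr -d '\n ' < "$1" | sed -n 's/.*"unseal_threshold":\([0-9]*\).*/\1/p'
}

# The n-th (1-based) base64 share from the init file; no jq on the Alpine image.
nth_unseal_key() {
    tr -d '\n ' < "$1" \
      | sed -n 's/.*"unseal_keys_b64":\[\([^]]*\)].*/\1/p' \
      | tr ',' '\n' | tr -d '"' \
      | sed -n "${2}p"
}

# Block until the API answers, then feed exactly `threshold` shares.
# `vault status` exit codes: 0 unsealed, 2 sealed, anything else = not ready.
unseal_from_file() {
    keyfile="$1"
    n="$(unseal_threshold "$keyfile")"
    until vault status > /dev/null 2>&1 || [ $? -eq 2 ]; do
        echo "vault not reachable yet"
        sleep 2
    done
    if vault status > /dev/null 2>&1; then
        echo "vault already unsealed"
        return 0
    fi
    i=1
    while [ "$i" -le "$n" ]; do
        vault operator unseal "$(nth_unseal_key "$keyfile" "$i")" > /dev/null
        i=$((i + 1))
    done
    vault status > /dev/null 2>&1   # exit 0 only if the threshold was met
}

# One-time initialization against a fresh server. The file holds every share
# plus the root token, so keep it readable by root only.
init_and_save() {
    vault operator init -key-shares=5 -key-threshold=3 -format=json > "$INIT_FILE" \
      && chmod 600 "$INIT_FILE"
}

# `unseal.sh init` once, then `unseal.sh run &` from docker-entrypoint.sh.
case "${1:-}" in
    init) init_and_save ;;
    run)  unseal_from_file "$INIT_FILE" ;;
esac
```

Keeping all five shares on the same volume as the data gives you no more protection than the single-key script, which is the point of the post's caveat: the shares only help if they are held by different people or if the KMS-backed auto-unseal does the job instead. The parsing functions are what let you move them out of the container later without rewriting the unseal loop.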
If you're interested in the full docker-compose file with the script to see this working, become a subscriber; the section below provides a link to sample code to get it running.
Premium Members: Vault Initialization Code
I've provided below a zip file with all the details you'll need to try this out yourself.