Vault Auto-Unseal by hashicorp

Vault Auto-Unseal

Step 1 of 3

Configure and Start Vault 1

To enable Transit Auto-Unseal, you would need two Vault servers. Two options are provided to perform this lab. Choose one of the following options and perform the tasks as instructed.

Open the config-vault-1.hcl file to review the server configuration file for Vault 1:

disable_mlock = true
ui=true

storage "file" {
  path = "~/vault-1/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

For the purpose of demonstration, the file storage backend stores Vault's data on the filesystem using a standard directory structure (/vault-1/data) in this example.

The listener stanza specifies the TCP address/port that Vault listens to for incoming requests, and Vault 1 listens to port 8200.

Execute the following command to start the Vault 1 server:

vault server -config=config-vault-1.hcl

Notice the output indicating that the Storage is set to file system, and the Listener address is 0.0.0.0:8200.

==> Vault server configuration:

             Cgo: disabled
      Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
       Log Level: info
           Mlock: supported: true, enabled: false
         Storage: file
         Version: Vault v1.1.1
     Version Sha: a3dcd63451cf6da1d04928b601bbe9748d53842e

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

Execute the following command to initialize the Vault.

export VAULT_ADDR="http://127.0.0.1:8200"
vault operator init -key-shares=1 -key-threshold=1 > key.txt

Execute the vault operator unseal command to enter the first unseal key:

vault operator unseal \
    $(grep 'Key 1:' key.txt | awk '{print $NF}')

Log into Vault using the initial root token (key.txt):

vault login $(grep 'Initial Root Token:' key.txt | awk '{print $NF}')

Next, you are going to setup a transit secrets engine in Vault 1.

Configure Auto-unseal Key Provider (Vault 1)

Execute the following command to enable the transit secrets engine and create a key.

vault secrets enable transit

Create a key named 'autounseal'

vault write -f transit/keys/autounseal

Execute the following file to create autounseal policy defined by autounseal.hcl policy file.

vault policy write autounseal autounseal.hcl

Create a new token with autounseal policy attached and save it in a file named, client_token.txt.

vault token create -policy="autounseal" \
      -format=json | jq -r ".auth.client_token" > client_token.txt

Set VAULT_TOKEN environment variable to the token you just generated.

export VAULT_TOKEN="$(cat client_token.txt)"

Configure Auto-unseal (Vault 2)

Open the config-vault-2.hcl file to review the server configuration file for Vault 2:

disable_mlock = true
ui=true

storage "file" {
  path = "~/vault-2/data"
}

listener "tcp" {
  address     = "0.0.0.0:8100"
  tls_disable = 1
}

seal "transit" {
  address = "http://127.0.0.1:8200"
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  tls_skip_verify = "true"
}

Notice that the storage backend is set to ~/vault-2/data, and the Vault 2 will be listening to port 8100. The seal stanza points to the Vault 1 which is listening to port 8200. (NOTE: Since the client token is stored as VAULT_TOKEN environment variable, you don't need to set the token property in the configuration file.)

Start the vault server with configuration file.

vault server -config=config-vault-2.hcl

Click the + next to the opened Terminal, and select Open New Terminal to open third terminal window.

New Terminal

In the third terminal, initialize your second Vault server (Vault 2).

VAULT_ADDR=http://127.0.0.1:8100 vault operator init -recovery-shares=1 \
         -recovery-threshold=1 > recovery-key.txt

By passing the VAULT_ADDR, the subsequent command gets executed against the second Vault server (http://127.0.0.1:8100). Notice that you are setting the number of recovery key and recovery threshold because there is no unseal keys with auto-unseal. Vault 2's master key is now protected by the transit secret engine of Vault 1.

In the terminal where the server is running, you should see entries similar to:

...
[INFO]  core: security barrier not initialized
[INFO]  core: security barrier initialized: shares=1 threshold=1
[INFO]  core: post-unseal setup starting
...
[INFO]  core: vault is unsealed
[INFO]  core.cluster-listener: starting listener: listener_address=0.0.0.0:8101
...

Check the Vault 2 status.

VAULT_ADDR=http://127.0.0.1:8100 vault status

Vault 2 should be unsealed.

Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
...

To verify the auto-unseal, you can press Ctrl + C in the Terminal 2 to stop the Vault 2 process. And then, restart Vault 2 again.

vault server -config=config-vault-2.hcl

Check the Vault 2 status, and the server should have been unsealed.

VAULT_ADDR=http://127.0.0.1:8100 vault status

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Vault Auto-Unseal

Congratulations!

You've completed the scenario!

Scenario Rating

Resources:

Steps