How to install HashiCorp Vault on macOS
You can install HashiCorp Vault on macOS using Homebrew (the last command only matters when a newer release is available):
$ brew tap hashicorp/tap
$ brew install hashicorp/tap/vault
$ brew upgrade hashicorp/tap/vault
To install on other operating systems, see https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install
Check the installation
$ vault
You should see something like this:
Usage: vault <command> [args]
Common commands:
read Read data and retrieves secrets
write Write data, configuration, and secrets
delete Delete secrets and configuration
list List data or secrets
login Authenticate locally
agent Start a Vault agent
server Start a Vault server
status Print seal and HA status
unwrap Unwrap a wrapped secret
Other commands:
audit Interact with audit devices
auth Interact with auth methods
debug Runs the debug command
kv Interact with Vault's Key-Value storage
lease Interact with leases
monitor Stream log messages from a Vault server
namespace Interact with namespaces
operator Perform operator-specific tasks
path-help Retrieve API help for paths
plugin Interact with Vault plugins and catalog
policy Interact with policies
print Prints runtime configurations
secrets Interact with secrets engines
ssh Initiate an SSH session
token Interact with tokens
Running the dev server
$ vault server -dev
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Go Version: go1.19.1
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.13.0-dev1, built 2022-09-26T14:39:49Z
Version Sha: 2a7c3f2f76e6fd6a7f8622ea68d82bcf9dcf9686
==> Vault server started! Log data will stream in below:
# ...snip...
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variables:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: PLV0OXO9VmF5VB8qAnq4pQIGzWkzzYypRNcDtrhSSgU=
Root Token: hvs.6j4cuewowBGit65rheNoceI7
Development mode should NOT be used in production installations!
Set these two environment variables so the CLI and any other tool on this machine talk to the dev server. Keep in mind that the dev listener is plain HTTP and that the token is the all-powerful root token: fine for a throwaway local instance, never for a real deployment. The dev server has already saved the root token for the CLI, so VAULT_TOKEN is mainly needed by other clients such as the hvac example further down.
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ export VAULT_TOKEN="hvs.6j4cuewowBGit65rheNoceI7"
Check that the server is running
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.11.3
Build Date 2022-08-26T10:27:10Z
Storage Type inmem
Cluster Name vault-cluster-2b0b44fd
Cluster ID a6f87c32-fe6a-6647-0d22-e814d125a5c4
HA Enabled false
Creating our first secrets
Create a secret via CLI (the dev server mounts a KV version 2 engine at secret/, which is why the path is reported as secret/data/mypath)
$ vault kv put -mount=secret mypath foo=bar
=== Secret Path ===
secret/data/mypath
======= Metadata =======
Key Value
--- -----
created_time 2023-08-10T22:49:06.247615Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
Reading a secret via CLI
$ vault kv get -mount=secret mypath
=== Secret Path ===
secret/data/mypath
======= Metadata =======
Key Value
--- -----
created_time 2023-08-10T22:49:06.247615Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
foo bar
Deleting a secret
The outputs below come from a secret named hello that already has two versions. kv delete without -versions soft-deletes only the latest version:
$ vault kv delete -mount=secret hello
Success! Data deleted (if it existed) at: secret/data/hello
Try to read a deleted secret
$ vault kv get -mount=secret hello
== Secret Path ==
secret/data/hello
======= Metadata =======
Key Value
--- -----
created_time 2022-01-15T01:40:09.888293Z
custom_metadata <nil>
deletion_time 2022-01-15T01:40:41.786995Z
destroyed false
version 2
deletion_time is set but destroyed is false: the version was only soft-deleted, so its data is hidden rather than removed and the version can be undeleted.
Undeleting a secret
$ vault kv undelete -mount=secret -versions=2 hello
Success! Data written to: secret/undelete/hello
Read the secret again; the data is back
$ vault kv get -mount=secret hello
======= Metadata =======
Key Value
--- -----
created_time 2022-01-15T01:40:09.888293Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
===== Data =====
Key Value
--- -----
excited yes
foo world
Destroy a secret
$ vault kv destroy -mount=secret -versions=2 hello
Success! Data written to: secret/destroy/hello
Trying to read a destroyed secret. Note that destroyed is now true: the data of that version has been permanently erased and kv undelete can no longer bring it back; only the metadata remains (vault kv metadata delete removes that too).
$ vault kv get -mount=secret hello
== Secret Path ==
secret/data/hello
======= Metadata =======
Key Value
--- -----
created_time 2023-07-21T18:29:58.114285Z
custom_metadata <nil>
deletion_time n/a
destroyed true
version 3
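The same put / get / delete / undelete / destroy sequence, done through Vault's HTTP API with only the Python standard library, shows what each `vault kv` command actually sends. This is an added example, not code from this post or from HashiCorp. It assumes the dev server layout (a KV version 2 engine mounted at secret/) and uses the documented KV v2 endpoints under /v1; the FakeVault class, the hvs.fake token, the hello path and the timestamp are constructed so that the example runs offline.

```python
"""KV v2 lifecycle (put / get / delete / undelete / destroy) over Vault's HTTP API.

Added example, not code from the post or from HashiCorp. Assumes the dev server
layout (KV v2 mounted at secret/) and uses the documented KV v2 endpoints under
/v1: secret/data, secret/delete, secret/undelete, secret/destroy. FakeVault is a
constructed stand-in so the code runs without a server.
"""
import json
import urllib.error
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport: send one request, return (status, decoded JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # Vault answers 404 for a missing or soft-deleted version but still puts
        # the version metadata in the body, so keep it instead of raising.
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else {})


class KvV2:
    """One HTTP call per `vault kv` command used in the post."""

    def __init__(self, addr, token, mount="secret", transport=urllib_transport):
        self.base = f"{addr.rstrip('/')}/v1/{mount}"
        # The token travels in a header, never in the URL, query string or body.
        self.headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, endpoint, path, body=None, query=""):
        url = f"{self.base}/{endpoint}/{path}{query}"
        status, payload = self.transport(method, url, self.headers, body)
        if status >= 400 and status != 404:
            raise RuntimeError(f"{method} {url} -> {status}: {payload.get('errors')}")
        return payload

    def put(self, path, data):           # vault kv put      -> POST secret/data/<path>
        return self._call("POST", "data", path, {"data": data})

    def get(self, path, version=None):   # vault kv get      -> GET secret/data/<path>[?version=N]
        query = "" if version is None else f"?version={version}"
        return self._call("GET", "data", path, query=query)

    def delete(self, path, versions=None):
        if versions is None:             # vault kv delete   -> DELETE secret/data/<path> (latest)
            return self._call("DELETE", "data", path)
        return self._call("POST", "delete", path, {"versions": versions})  # -versions=N

    def undelete(self, path, versions):  # vault kv undelete -> POST secret/undelete/<path>
        return self._call("POST", "undelete", path, {"versions": versions})

    def destroy(self, path, versions):   # vault kv destroy  -> POST secret/destroy/<path>
        return self._call("POST", "destroy", path, {"versions": versions})


def version_state(get_response):
    """Read a get() response the way the post reads the CLI output."""
    inner = get_response.get("data") or {}
    meta = inner.get("metadata") or {}
    if meta.get("destroyed"):
        return "destroyed"   # data gone for good; undelete cannot bring it back
    if meta.get("deletion_time"):
        return "deleted"     # soft-deleted: data hidden, undelete restores it
    return "readable" if inner.get("data") is not None else "missing"


class FakeVault:
    """Constructed in-memory stand-in for the endpoints above, for offline runs.
    It models versions, soft delete and destroy; it is not Vault itself."""

    def __init__(self, token="hvs.fake"):
        self.token, self.store = token, {}   # path -> list of version dicts

    def __call__(self, method, url, headers, body):
        if headers.get("X-Vault-Token") != self.token:
            return 403, {"errors": ["permission denied"]}
        endpoint, _, rest = url.partition("/v1/secret/")[2].partition("/")
        path, _, query = rest.partition("?")
        versions = self.store.setdefault(path, [])
        if endpoint == "data" and method == "POST":
            versions.append({"data": body["data"], "deletion_time": "", "destroyed": False})
            return 200, {"data": {"version": len(versions)}}
        if endpoint == "data" and method == "GET":
            n = int(query.split("=")[1]) if query else len(versions)
            if not 0 < n <= len(versions):
                return 404, {"errors": []}
            v = versions[n - 1]
            hidden = bool(v["deletion_time"] or v["destroyed"])
            meta = {"version": n, "deletion_time": v["deletion_time"], "destroyed": v["destroyed"]}
            return (404 if hidden else 200), {"data": {"data": None if hidden else v["data"], "metadata": meta}}
        targets = [len(versions)] if method == "DELETE" else body["versions"]
        for v in (versions[n - 1] for n in targets if 0 < n <= len(versions)):
            if endpoint in ("data", "delete"):
                v["deletion_time"] = "2023-08-10T22:50:00Z"   # constructed timestamp
            elif endpoint == "undelete":
                v["deletion_time"] = ""
            elif endpoint == "destroy":
                v["data"], v["destroyed"] = None, True
        return 204, {}
```

Against the dev server, build the client as KvV2(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]) and the default urllib transport does the real calls; with transport=FakeVault() the same code runs offline and shows the three states the post walks through: a soft-deleted version reads back with deletion_time set and can be undeleted, a destroyed one reads back with destroyed true and stays empty even after undelete.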
Other Secret Engines
We did all of that with the kv (key-value) secrets engine, which the dev server mounts at secret/ out of the box, but Vault also ships other secrets engines and many plugins that make our lives easier.
Available secrets engines
AWS secrets engine
We can configure Vault with the AWS secrets engine. Given an IAM credential of its own, Vault then generates short-lived AWS credentials (IAM users and access keys, or STS tokens) on demand and revokes them when their lease expires, so applications never hold long-lived keys for access to S3, RDS, EC2 and so on.
More info here https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets
DB secrets engine
We can enable the database secrets engine so that Vault connects to our databases and issues per-application credentials that expire and are revoked automatically (PostgreSQL, MySQL, MongoDB and others are supported):
$ vault secrets enable database
More info here https://developer.hashicorp.com/vault/tutorials/db-credentials/database-secrets
Flask app using database engine and Postgres
Example Flask app using Vault to access the db
https://github.com/testdrivenio/vault-consul-flask
Blog post https://testdriven.io/blog/dynamic-secret-generation-with-vault-and-flask/
Vault and Python with hvac
hvac is the Python client library for the Vault API.
We can install it with pip:
$ pip install hvac
Then we can use it like this:
import os
import hvac

# Read the address and token from the environment (the same VAULT_ADDR and
# VAULT_TOKEN the CLI uses) rather than hardcoding a token in the source.
client = hvac.Client(
    url=os.environ.get('VAULT_ADDR', 'http://127.0.0.1:8200'),
    token=os.environ['VAULT_TOKEN'],
)
if not client.is_authenticated():  # token missing, expired or revoked
    raise SystemExit('Vault token is not valid')

# create a secret in the KV v2 engine mounted at secret/
client.secrets.kv.v2.create_or_update_secret(
    path='mypath', secret={'hello': 'world'}, mount_point='secret',
)

# read the latest version (hvac 1.1+: raise instead of warn if it was deleted)
read_secret = client.secrets.kv.v2.read_secret_version(
    path='mypath', mount_point='secret', raise_on_deleted_version=True,
)
print(read_secret['data']['data']['hello'])  # world
So…
HashiCorp Vault has proven to be an excellent tool for secrets management.
Following its best practices lets us get the most out of it and protect our organization's most valuable assets. Secure deployments, consistent backups and a tested disaster recovery plan are the foundation of a robust Vault installation and keep us resilient when something unexpected happens.
Applying the principle of least privilege through narrowly scoped policies and tokens, and preferring dynamic, short-lived secrets over static ones, limits the damage a compromised credential can do.
Keeping Vault on a current release with security patches applied, and auditing and penetration testing the deployment regularly, lets us find and fix weaknesses before someone else does.
References:
Website: https://www.hashicorp.com/products/vault
Blog: https://www.hashicorp.com/blog/products/vault
Interesting posts:
https://www.hashicorp.com/blog/vault-1-14-brings-acme-for-pki-aws-roles-and-more-improvements
https://www.hashicorp.com/blog/announcing-hcp-vault-secrets-public-beta
Features: https://www.hashicorp.com/products/vault/features
Use cases: https://www.hashicorp.com/products/vault/use-cases
Getting started: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets
Handle db secrets: https://developer.hashicorp.com/vault/docs/secrets/databases
Pros and Cons: https://www.contino.io/insights/hashicorp-vault
Best practices:
https://www.linkedin.com/pulse/securely-storing-secrets-best-practices-hashicorp-vault-pavel-topal/