Vault

Interactions

  export VAULT_ADDR=http://127.0.0.1:8200
  vault init -key-shares=1 -key-threshold=1  # Initialize vault (older form of 'vault operator init', used below). Save the unseal keys and the root token
  vault unseal [unseal key]                  # Repeat with a different key share until -key-threshold shares (1 above) have been supplied
  vault login [token]                        # Login into vault to perform actions

Endpoints

  vault secrets enable -path=[endpoint] [storage_backend]  # Create secret endpoint
  vault secrets enable -description="chimera simple ping sites" -path=sites kv     # Created key/value endpoint at /sites
  vault secrets enable -description="chimera passwords storage" -path=passwords kv # Created key/value endpoint at /passwords
  vault secrets enable -description="sqlmon connections storage" -path=sqlmon kv   # Created key/value endpoint at /sqlmon

  
  vault secrets list [-detailed]                           # List all available endpoints

Policies

  vault policy list                              # List policies
  
  vault policy read [policy_name]                # Read content of a policy
  vault policy read [chimera]
  
  vault policy write [policy_name] [policy_file] # Create a policy
  vault policy write synthetic policy.hcl
    # Sample policy file
    path "sites/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "passwords/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

Tokens

  vault token lookup [token]                  # Display token info
  vault token lookup -accessor [accessor ID]  # Display token info by accessor ID
  
  vault token create -period=[lifetime]                 # Create a periodic token: its TTL (s, m, or h) resets on every renewal, so it never expires while it keeps being renewed
  vault token create -policy=[policy] -policy=[policy]  # Create token with policies
  vault token create -display-name=[display_name]       # Create a token with human display name
  vault token create -display-name=synthetic -policy=synthetic -period=87600h

Secrets

  vault list [path]  # Show all keys under endpoint
  vault list sites
  vault list passwords
  
  vault read [path]/[secret]           # Read content of secret endpoint
  vault read [path]/[folder]/[secret]  # Read content of nested secret endpoint
  vault read sites/oflows
  vault read sites/bottomline_tech
  
  vault write [path]/[secret] [k]=[v] [k]=[v]         # Write key/value to secret endpoint
  vault write passwords/pmx key1=val1 key2=val2
  
  vault write [path]/[folder]/[secret] [k]=[v]        # Write key/value to a nested folder endpoint
  vault write passwords/lsm/legalx/site1 user1=pass1

PKI Certificates

# Reference: https://www.vaultproject.io/api/secret/pki/index.html

1. Enable PKI secrets
vault secrets enable pki

2. Set the mount's maximum lease TTL to 20 years (175320h)
vault secrets tune -max-lease-ttl=175320h pki

3. Generate a CA
# SAVE THE PRIVATE KEY: the /exported endpoint returns it once and it cannot be retrieved later (the /internal variant keeps it inside Vault instead)
vault write pki/root/generate/exported \
  common_name="Company Name Certificate Authority" \
  organization="Company Name" \
  country=US \
  province=State \
  locality=City \
  street_address="Address" \
  postal_code=Zip \
  ttl=87660h

4. Set the issuing-certificate and CRL distribution URLs (they are embedded in every issued certificate, so use addresses clients can reach)
vault write pki/config/urls \
  issuing_certificates="https://localhost:8200/v1/pki/ca" \
  crl_distribution_points="https://localhost:8200/v1/pki/crl"

5. Create a role that can generate certificates
vault write pki/roles/[role] ...
vault write pki/roles/role1 \
  allowed_domains=example.com,home.local \
  allow_subdomains=true \
  allow_bare_domains=true \
  organization=Bottomline \
  country=US \
  province=State \
  locality=City \
  street_address="Address" \
  postal_code=Zip \
  ttl=87660h

6. Generate a client certificate
vault write pki/issue/[role] ...
vault write pki/issue/role1 \
  common_name=localhost \
  alt_names=localhos7 \
  ip_sans=127.0.0.1,10.0.2.15,192.168.50.10 \
  ttl=43830h

Auto-Unseal Transit Engine

# Master (holds the transit key the secondary's root key is wrapped with; the plaintext http:// addresses are lab-only — use TLS on this link anywhere else)
```shell
export VAULT_ADDR=http://master:8200
export VAULT_TOKEN=<master root token>
vault secrets enable transit
vault write -f transit/keys/autounseal
vim policy_autounseal.hcl
  path "transit/encrypt/autounseal" {
     capabilities = [ "update" ]
  }

  path "transit/decrypt/autounseal" {
     capabilities = [ "update" ]
  }
vault policy write autounseal policy_autounseal.hcl
vault token create -policy autounseal -period=87600h  # save the token

# Secondary
export VAULT_ADDR=http://secondary:8200
export VAULT_TOKEN=<token created from Master>
vim /etc/vault/config.hcl
  seal "transit" {
    address = "http://MASTER:8200"
    disable_renewal = "false"
    key_name = "autounseal"
    mount_path = "transit/"
  }
vault server -config /etc/vault/config.hcl
vault operator init -recovery-shares=5 -recovery-threshold=3  # With auto-unseal, init yields recovery keys (not unseal keys) plus the root token; save them
vault status  # Sealed should be false (unsealed automatically via the master's transit key)
```

Running

  vault server -config=/path/to/config.hcl
    # Sample config file (tls_disable = 1 is for local testing only)
    storage "consul" {
      address = "127.0.0.1:8500"
      path = "vault"
      check_timeout = "300s"
      scheme = "http"
    }
    listener "tcp" {
      tls_disable = 1
    }