How to install Vault on the Ubuntu server

From PheonixSolutions

Prerequisite

  1. Server root login credentials.

Step1:

Log in to your Ubuntu server as a user with sudo privileges, either over SSH or directly on the console. The package commands below use apt, so they do not apply unchanged to a CentOS server.

  ssh root@<IP address>

Step2:

Let’s begin by updating the local package index to reflect the latest upstream changes.

  sudo apt update

Step3:

First, add HashiCorp's GPG key to your package manager so that your system trusts their package repository. Note that apt-key is deprecated on recent Ubuntu releases; the command still works there but prints a warning.

  curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -

Step4:

Then add the repository itself to your list of package sources, so it’ll be checked for regular updates.

  sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"

Step5:

Then install the package

  sudo apt install vault

Step6:

You can now use the vault command. Try checking Vault’s version to make sure it works.

  vault --version

Step7:

We need to start the vault server.

  systemctl start vault.service

Step8:

Enable the Vault service so that it starts automatically at boot.

  systemctl enable vault.service

Step9:

Check that the service is running with the command below.

  systemctl status vault.service

Step10:

Next, create an Apache virtual host for the Vault domain that reverse-proxies requests to the Vault listener.

  vi /etc/apache2/sites-available/vault.conf

Create the virtual host file with contents like the following. The domain name and paths are only a reference; replace them with your own.

  <VirtualHost *:80>
    ServerName vault.pheonixsolutions.com
    #ServerAlias www.vault.pheonixsolutions.com
    ServerAdmin admin-mail@localhost
    # Do not point DocumentRoot at Vault's storage path (/opt/vault/data):
    # if the proxy modules were ever disabled, Apache would serve the raw storage files.
    DocumentRoot /var/www/html

    # Reverse proxy every request to Vault's API listener on localhost
    # (requires: a2enmod proxy proxy_http rewrite)
    ProxyPreserveHost On
    # Must stay Off: "ProxyRequests On" turns this host into an open forward proxy
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8200/
    ProxyPassReverse / http://127.0.0.1:8200/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Redirect plain HTTP to HTTPS. This rule fires before the proxy, so a
    # matching *:443 virtual host with the same ProxyPass lines is needed
    # for the proxied Vault API to be reachable at all.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =vault.pheonixsolutions.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
  </VirtualHost>

Step11:

Check the configuration syntax before restarting Apache:

  sudo apachectl -t

Apache parses the configuration files and reports any syntax errors or warnings; a valid configuration prints "Syntax OK". If there are errors, the output names the file and line with the problem, and you will need to correct it before restarting.

Step12:

Restart Apache to apply the changes

  systemctl restart apache2

Step13:

Vault's default configuration is stored in /etc/vault.d/vault.hcl. This file controls options such as where encrypted secrets are stored and which address the server listens on. Open it with the command below; the values shown are only a reference.

  vi /etc/vault.d/vault.hcl

Edit vault.hcl so that it looks like the following.

  # Copyright (c) HashiCorp, Inc.
  # SPDX-License-Identifier: MPL-2.0
  # Full configuration options can be found at https://www.vaultproject.io/docs/configuration
  ui = true
  #mlock = true
  #disable_mlock = true

  # Address advertised to clients. This is a top-level setting, not part of the listener block.
  api_addr = "http://vault.pheonixsolutions.com:8200"

  storage "file" {
    path = "/opt/vault/data"
  }
  #storage "consul" {
  #  address = "127.0.0.1:8500"
  #  path    = "vault"
  #}

  # HTTP listener: TLS is disabled here, so bind to loopback only and let Apache terminate TLS
  listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = 1
  }

  # HTTPS listener (use instead of the plain listener if Vault should terminate TLS itself)
  #listener "tcp" {
  #  address       = "127.0.0.1:8200"
  #  tls_cert_file = "/etc/letsencrypt/live/vault.pheonixsolutions.com/fullchain.pem"
  #  tls_key_file  = "/etc/letsencrypt/live/vault.pheonixsolutions.com/privkey.pem"
  #}

  # Enterprise license_path
  # This will be required for enterprise as of v1.8
  #license_path = "/etc/vault.d/vault.hclic"

  # Example AWS KMS auto unseal
  #seal "awskms" {
  #  region     = "us-east-1"
  #  kms_key_id = "REPLACE-ME"
  #}

  # Example HSM auto unseal
  #seal "pkcs11" {
  #  lib            = "/usr/vault/lib/libCryptoki2_64.so"
  #  slot           = "0"
  #  pin            = "AAAA-BBBB-CCCC-DDDD"
  #  key_label      = "vault-hsm-key"
  #  hmac_key_label = "vault-hsm-hmac-key"
  #}
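The listener block is where a reference configuration most often goes wrong: TLS switched off on a listener that is not bound to loopback, or settings such as api_addr placed inside the block instead of at the top level. The following checker is an added example written for this page (it is not HashiCorp code and does not use Vault's HCL parser); it understands only the small HCL subset used above, and the names parse_hcl, check_config, SAMPLE_HCL and FIXED_HCL are this example's own. SAMPLE_HCL is a constructed copy of a listener with both mistakes, FIXED_HCL the corrected form.

```python
"""Sanity-check the listener and api_addr settings of a vault.hcl file.

Added example for this page, not HashiCorp code. Supports only the HCL subset
used in the reference configuration: top-level `key = value` lines and one
level of `block "label" { ... }`. Lines starting with # are comments.
"""
import re

# Constructed sample: api_addr inside the listener and TLS disabled.
SAMPLE_HCL = '''
ui = true
storage "file" {
  path = "/opt/vault/data"
}
# HTTP listener
listener "tcp" {
  api_addr = "http://vault.pheonixsolutions.com:8200"
  address = "127.0.0.1:8200"
  tls_disable = 1
}
'''

# Constructed sample: api_addr at the top level, TLS disabled but bound to loopback only.
FIXED_HCL = '''
ui = true
api_addr = "http://vault.pheonixsolutions.com:8200"
storage "file" {
  path = "/opt/vault/data"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
'''

BLOCK_RE = re.compile(r'^(\w+)\s+"([^"]+)"\s*\{$')
KV_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')


def parse_hcl(text):
    """Return (top_level_settings, blocks) where blocks is a list of
    (block_type, label, settings) tuples. Quotes around values are stripped."""
    top, blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            blocks.append(current)
            continue
        if line == "}":
            current = None
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip().strip('"')
            (current[2] if current is not None else top)[key] = val
    return top, blocks


def check_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    top, blocks = parse_hcl(text)
    findings = []
    for btype, _label, attrs in blocks:
        if btype != "listener":
            continue
        if "api_addr" in attrs:
            findings.append("api_addr belongs at the top level, not inside the listener block")
        addr = attrs.get("address", "")
        tls_off = attrs.get("tls_disable", "0").lower() in ("1", "true")
        loopback = addr.startswith(("127.", "localhost", "[::1]"))
        if tls_off and not loopback:
            findings.append(f"listener {addr} has TLS disabled but is not bound to loopback")
        if not tls_off and not {"tls_cert_file", "tls_key_file"} <= attrs.keys():
            findings.append(f"listener {addr} has TLS enabled but no certificate and key configured")
    if "api_addr" not in top:
        findings.append("api_addr is not set at the top level")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_HCL), ("fixed", FIXED_HCL)):
        print(name, check_config(text) or "OK")
```

Run it against a real file with `check_config(open("/etc/vault.d/vault.hcl").read())`. The loopback test is deliberately strict: a plain-HTTP listener on any other address means the root token and secrets cross the network unencrypted, which defeats the purpose of putting Apache in front of Vault.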

Step14:

Restart Vault to apply the changes.

  systemctl restart vault.service

Step15:

The vault CLI sends its requests to the address in the VAULT_ADDR environment variable. Print the variable to see whether it is already set; if it is empty, export it so that it points at the local listener configured above.

  echo $VAULT_ADDR
  export VAULT_ADDR=http://127.0.0.1:8200

Step16:

Check the server status. A freshly installed server reports that it is not yet initialized and is sealed.

  vault status

Step17:

The vault operator init command initializes a new Vault server. Vault is a tool for managing secrets and sensitive data, and it is commonly used in environments where security and data protection are critical.

When you run vault operator init, several important actions occur.

Key Generation:

Vault generates a master key and splits it into multiple key shares using a technique called Shamir's Secret Sharing. By default, it creates 5 key shares, and you need a specified number of these shares (known as the threshold) to unseal Vault.

Unseal Keys:

The key shares are displayed on the screen as unseal keys. These are needed whenever Vault is sealed, which happens on every restart and can also be done deliberately in response to an incident. Store these keys securely in different locations or with different individuals so that you can recover Vault if necessary.

Initial Root Token:

Vault generates an initial root token, which is a highly privileged token that grants full access to Vault. You should also keep this token secure, as it's a critical piece of Vault's security infrastructure.

  vault operator init

After running this command, Vault will provide you with the unseal keys and the initial root token. It's crucial to follow best practices for securing these keys and tokens, as they are essential for the operation and recovery of your Vault instance.

Once Vault is initialized, it is sealed by default, meaning it's in a locked state and won't provide access to its secrets until you unseal it using the unseal keys.

Here is a brief overview of the steps to unseal the vault:

Use the unseal keys you received during initialization. Run the vault operator unseal command repeatedly, providing a different unseal key each time, until the threshold is reached. Once the threshold is reached, the vault is unsealed and operational.
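The threshold behaviour described under Key Generation and in the unseal steps above comes from Shamir's Secret Sharing: the key is the constant term of a random polynomial, each unseal key is one point on it, and any threshold-many points determine the polynomial while fewer reveal nothing. The following is an added example written for this page, not Vault's implementation: Vault splits the key byte by byte over GF(2^8), whereas this demo works with integers modulo a large prime so that the polynomial evaluation and the Lagrange interpolation are visible. The function names split_secret, recover_secret and demo are this example's own; a random 256-bit integer stands in for Vault's root (master) key.

```python
"""Shamir's Secret Sharing with 5 shares and a threshold of 3, mirroring the
default `vault operator init` parameters.

Added example for this page, not HashiCorp's shamir package (which works
over GF(2^8)); arithmetic here is modulo a large prime for readability.
"""
import secrets

# 2^521 - 1 is prime and larger than any 256-bit secret
PRIME = (1 << 521) - 1


def split_secret(secret, shares=5, threshold=3):
    """Split an integer secret into `shares` points (x, y) on a random
    polynomial of degree threshold-1 whose constant term is the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below the field prime")
    # a0 is the secret; a1 .. a(threshold-1) are random field elements
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the given (x, y) shares.
    Returns the secret only if at least `threshold` distinct shares are given."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _yj) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # modular inverse of den via Fermat's little theorem (PRIME is prime)
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def demo():
    """Split a stand-in root key and show which share subsets recover it.
    Returns (enough_shares_work, any_three_work, too_few_fail)."""
    root_key = secrets.randbits(256)                 # constructed stand-in for Vault's root key
    shares = split_secret(root_key, shares=5, threshold=3)
    first_three = recover_secret(shares[:3]) == root_key
    any_three = recover_secret([shares[4], shares[1], shares[3]]) == root_key
    # Two shares interpolate a different polynomial, so the result is unrelated to the key
    too_few = recover_secret(shares[:2]) != root_key
    return first_three, any_three, too_few


if __name__ == "__main__":
    print("enough shares, any three, too few:", demo())
```

The order in which shares are supplied does not matter, which is why the unseal step can be run with any threshold-many keys in any sequence; and because two shares of a threshold-3 split fix a line rather than the parabola, an attacker holding fewer than the threshold learns nothing about the key, which is the reason for distributing the shares to different custodians.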