Basics of Hashicorp Vault

Starting Vault server

Most documentations give an example of using Hashicorp Consul / AWS S3 / GCS storage as the backend of Vault server. But vault server could also run with local file system as its backend.

Config used to start the server : config.hcl

storage "file" {
  path = "/mnt/vault/data"

listener "tcp" {
 address          = ""
 tls_disable      = "true"

disable_mlock = true

Make sure that the path /mnt/vault/ is owned / accessible by the Linux user which is used to host Vault server.

Do NOT start vault server with sudo permission. It’s a security best practice. That is why disable_mlock in the config is set to true. If not, then the server needs sudo permission to run.

To start the server use the following command (config.hcl contains the above content) :

vault server -config=config.hcl

Initializing Vault

Check if the command vault status works. If no, then debug the network connection.

Initialize the vault using the following command

vault operator init

The above command will create 5 unseal tokens in which any 3 should be used every time to unseal vault.

To initialize with a single unseal token, use

vault operator init -key-shares=1 -key-threshold=1

In both the above commands you would get a initial root token along with unseal token(s).

Vault is sealed by default. Unseal it using the unseal tokens.

vault unseal

It prompts for unseal token. Enter the unseal token which you got when initializing vault server. By default, you have to execute the command 3 times and provide 3 different unseal tokens.

How to login to Vault server from client

vault login

Enter the root token when prompted

How to revoke root token

Do not worry. Root tokens can be regenerated. But you should have unseal token with you to regenerate root token.

Login to vault using vault login and provide the root token. To delete the root token:

vault token revoke -self

How to generate vault root token

Generate OTP

vault operator generate-root -generate-otp

Use the generated OTP with the following command. In use the OTP y6fqSf9uen3JGBbB0t0Examp13 as example.

vault operator generate-root -init -otp=y6fqSf9uen3JGBbB0t0Examp13

You would require unseal token for the next command. Enter the unseal token when prompted.

vault operator generate-root

If the above command is successful, you would get a new “Encoded Token”. Let’s say the encoded token is ChgAHgE/DDlSKEozLSgqIQBaDShaHdOtio4. For the next command pass both the generated OTP and the encoded token.

vault operator generate-root -otp=y6fqSf9uen3JGBbB0t0Examp13 -decode=ChgAHgE/DDlSKEozLSgqIQBaDShaHdOtio4 

This is give the new root token. Use vault login to login as root with the new user token.

Create Vault server audit logs

Create a log file (/var/log/vault_audit.log) and make sure it’s accessible by the Linux user account which is used to host vault server.

sudo touch /var/log/vault_audit.log
sudo chown `whoami` /var/log/vault_audit.log

Enable audit logging

vault audit enable file file_path=/var/log/vault_audit.log

Other Useful Resources