In this tutorial I show an example of unsealing Vault with GPG. We generate a key pair for each of two users; each user then decrypts their own share with it and uses it to unseal Vault. Consul is used as the storage backend.
Prerequisites
- Docker installed (latest Community Edition)
- Consul installed (1.2.2)
- Vault installed (0.10.4)
Host Preparation
First we need to set up, configure and start Consul and Vault.
# create new project
$ mkdir -p ~/Projects/VaultConsulPGP/consul-data && cd ~/Projects/VaultConsulPGP
# create private/public keys (self-signed certificate for the Vault listener)
$ openssl req -newkey rsa:4096 -nodes -keyout private_key.pem -x509 -days 365 -out public_key.pem
...
Country Name (2 letter code) []:CH
State or Province Name (full name) []:Zuerich
Locality Name (eg, city) []:Winterthur
Organization Name (eg, company) []:Softwaretester
Organizational Unit Name (eg, section) []:QA
Common Name (eg, fully qualified host name) []:demo.env
Email Address []:demo@demo.env
...
# create HCL configuration
$ touch ~/Projects/VaultConsulPGP/vault.hcl
# add hosts entry
$ echo -e "127.0.0.1 demo.env\n" >> /etc/hosts
# start consul service
$ consul agent -server -bootstrap-expect 1 -data-dir $HOME/Projects/VaultConsulPGP/consul-data -ui
# start vault service
$ vault server -config $HOME/Projects/VaultConsulPGP/vault.hcl
Do not stop and/or close any terminal sessions!
The vault.hcl file has the following content:
ui = true

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address       = "demo.env:8200"
  tls_cert_file = "public_key.pem"
  tls_key_file  = "private_key.pem"
}
Your project folder now should look like this:
# show simple folder tree
$ find . -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'
.
|____private_key.pem
|____vault_tutorial.md
|____vault.hcl
|____consul-data
|____public_key.pem
Client Preparation
As mentioned, we need to simulate two users, so next we set up the Docker clients.
# run client A
$ docker run -ti --name client_a --mount type=bind,source=$HOME/Projects/VaultConsulPGP,target=/tmp/target bitnami/minideb /bin/bash
# run client B
$ docker run -ti --name client_b --mount type=bind,source=$HOME/Projects/VaultConsulPGP,target=/tmp/target bitnami/minideb /bin/bash
Both clients need the same configuration, so execute the following steps in both containers.
# install needed packages
$ apt-get update && apt-get install -y curl unzip gnupg iputils-ping
# get host IP
$ HOST_IP=$(ping -c 1 host.docker.internal | grep "64 bytes from"|awk '{print $4}')
# add hosts entry
$ echo -e "${HOST_IP} demo.env\n" >> /etc/hosts
# download vault (-k skips TLS certificate verification for the download)
$ curl -C - -k https://releases.hashicorp.com/vault/0.10.4/vault_0.10.4_linux_amd64.zip -o /tmp/vault.zip
# extract archive, move binary and clean up
$ unzip -d /tmp /tmp/vault.zip && mv /tmp/vault /usr/local/bin/ && rm /tmp/vault.zip
# generate GPG key (once on each client)
$ gpg --gen-key
...
Real name: usera
...
Real name: userb
...
# don't set a passphrase!!!!
# export generated key as base64-encoded binary public key (client A)
$ gpg --export [UID] | base64 > /tmp/target/usera.asc
# export generated key as base64-encoded binary public key (client B)
$ gpg --export [UID] | base64 > /tmp/target/userb.asc
Your project folder now should look like this:
# show simple folder tree
$ find . -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'
.
|____private_key.pem
|____vault_tutorial.md
|____vault.hcl
|____consul-data
|____ ...
|____ ...
|____public_key.pem
|____usera.asc
|____userb.asc
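Before handing usera.asc and userb.asc to `vault operator init -pgp-keys`, it is worth checking that they really are what that flag consumes: base64 of a binary OpenPGP public key (the output of `gpg --export | base64`), not an ASCII-armored block. The following script is an added example and not part of the original tutorial; the check relies only on base64 and the OpenPGP packet header (tag 6 for a public key), and the sample key files it is tested against are constructed, not real keys.

```shell
#!/bin/sh
# Added example: sanity-check base64-encoded public key exports before init.
# Assumption: `-pgp-keys` expects base64(binary OpenPGP public key).

# Return 0 if the file decodes from base64 to data that starts with an OpenPGP
# public-key packet header (old-format tag 6: 0x98, 0x99, 0x9a; new-format: 0xc6).
check_pgp_key_export() {
    file="$1"
    if [ ! -s "$file" ]; then
        echo "$file: missing or empty" >&2
        return 1
    fi
    # An armored export (gpg --armor) is text, not base64 of a binary key.
    if grep -q 'BEGIN PGP' "$file"; then
        echo "$file: ASCII-armored; re-export with 'gpg --export [UID] | base64'" >&2
        return 1
    fi
    # Look only at the first decoded byte: the packet tag.
    first=$(base64 -d "$file" 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
    case "$first" in
        98|99|9a|c6)
            return 0
            ;;
        *)
            echo "$file: first byte 0x${first:-??} is not a public-key packet header" >&2
            return 1
            ;;
    esac
}

# Usage on the host: sh check_pgp_keys.sh usera.asc userb.asc
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_pgp_key_export "$f" || status=1
    done
    exit $status
fi
```

Run it from the project folder with both key files as arguments; a non-zero exit means one of the files would not be accepted as a PGP key by the init command.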
Initialize and Unseal Vault
On the host we initialize Vault and hand the unseal keys back to the clients.
# set environment variables
$ export VAULT_ADDR=https://demo.env:8200
$ export VAULT_CACERT=public_key.pem
# ensure proper location (host)
$ cd ~/Projects/VaultConsulPGP
# initialize vault
$ vault operator init -key-shares=2 -key-threshold=2 -pgp-keys="usera.asc,userb.asc"
Note: Save all keys now and hand each client its corresponding <unseal key>!
Now the clients can unseal Vault. Again, execute the following steps in both containers.
# set environment variables
$ export VAULT_ADDR=https://demo.env:8200
$ export VAULT_CACERT=/tmp/target/public_key.pem
# decode unseal key
$ echo "<unseal key>" | base64 -d | gpg -dq
# unseal vault
$ vault operator unseal <...>
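The decode step above is a pipeline of three commands, and if any of them fails silently the client ends up pasting garbage into `vault operator unseal`. The following script is an added example, not code from the original tutorial: it wraps the same base64-then-gpg pipeline in a function that validates the decrypted share before it is used. It assumes that the share printed by `vault operator init -pgp-keys=...` is base64(PGP-encrypted(hex share)) and that a Shamir share of a 32-byte master key is 33 bytes, i.e. 66 hex characters; both the expected length and the decrypt command are overridable so the check can be adjusted (the self-test swaps `gpg -dq` for `cat` and a constructed share to exercise the pipeline without a keyring).

```shell
#!/bin/sh
# Added example: decode and validate one PGP-wrapped unseal key share.
# Assumptions (see lead-in): share = base64(PGP(hex)), hex length 66.
: "${DECRYPT_CMD:=gpg -dq}"
: "${UNSEAL_KEY_HEX_LEN:=66}"

# Print the decrypted hex share on stdout. Return 1 if base64 decoding or
# decryption fails, or if the result is not a lowercase hex string of the
# expected length (wrong private key, truncated paste, or tampered input).
decode_unseal_key() {
    wrapped="$1"
    share=$(printf '%s' "$wrapped" | base64 -d 2>/dev/null | $DECRYPT_CMD 2>/dev/null | tr -d '\r\n') || true
    if [ -z "$share" ]; then
        echo "decode failed: bad base64 or no matching private key in this keyring" >&2
        return 1
    fi
    if ! printf '%s' "$share" | grep -Eq "^[0-9a-f]{${UNSEAL_KEY_HEX_LEN}}$"; then
        echo "decoded value is not a ${UNSEAL_KEY_HEX_LEN}-char hex share; refusing to use it" >&2
        return 1
    fi
    printf '%s' "$share"
}

# Decode, validate and pass the share to Vault in one step. Only the encrypted
# blob is handled by the user; the plaintext share stays inside the script and
# is not typed at the prompt, so it does not end up in the shell history.
unseal_vault_with() {
    key=$(decode_unseal_key "$1") || return 1
    vault operator unseal "$key"
}

# Usage in the container: UNSEAL_SHARE='<base64 blob from vault operator init>' sh unseal.sh
if [ -n "${UNSEAL_SHARE:-}" ]; then
    unseal_vault_with "$UNSEAL_SHARE"
fi
```

Each client runs this once with its own share; with `-key-threshold=2` Vault reports the seal as open only after both clients have submitted a valid share.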
Just for information
Both services (Consul and Vault) were configured with their web UIs enabled.
# open Consul in Firefox
$ open -a Firefox http://127.0.0.1:8500
# open Vault in Firefox
$ open -a Firefox https://demo.env:8200/ui
Use the “Initial Root Token” printed by the init command to log in to Vault’s web UI.