Personal guide for installing and setting up a Vault server.
- Update the system and install the required dependencies.
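#!/bin/bash
# Install everything the rest of this guide relies on:
#   wget/unzip            - fetching and unpacking the Vault release
#   postgresql(-contrib)  - Vault's storage backend
#   nginx                 - TLS-terminating reverse proxy in front of Vault
#   certbot (PPA)         - Let's Encrypt certificates for nginx
# Strict mode: a failed package install must stop the script instead of
# letting later steps run against a half-provisioned host.
set -euo pipefail

sudo apt-get -y update
sudo apt-get -y upgrade
# One apt invocation resolves all dependencies together and is faster than
# five separate installs; the package set is unchanged.
sudo apt-get install -y wget unzip postgresql postgresql-contrib nginx

# Certbot: the PPA has to be registered (and the index refreshed) before
# python-certbot-nginx can be resolved.
sudo apt-get install -y software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get -y update
sudo apt-get install -y python-certbot-nginx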
- Fetch and install Vault
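#!/bin/bash
# Download a pinned Vault release, verify it against the vendor's published
# SHA256SUMS file, install the binary into /usr/local/bin and export
# VAULT_ADDR for the ubuntu and root accounts.
set -euo pipefail

# Version is pinned (0.8.1 as in the original guide) and can be overridden
# via the environment: VAULT_VERSION=x.y.z ./install-vault.sh
vault_version=${VAULT_VERSION:-0.8.1}
archive="vault_${vault_version}_linux_amd64.zip"
sums="vault_${vault_version}_SHA256SUMS"
base_url="https://releases.hashicorp.com/vault/${vault_version}"
vault_addr="http://127.0.0.1:8200"

# Work in a private temp dir so a partial download never lands in $HOME;
# the trap removes it on every exit path (success, error, Ctrl-C).
workdir=$(mktemp -d)
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
cd "$workdir"

wget -q "${base_url}/${archive}" "${base_url}/${sums}"
# Supply-chain check: refuse to install an archive whose digest does not match
# the one HashiCorp published for this release. An empty grep result makes
# sha256sum -c fail too, so a renamed/missing entry is also caught.
# (HashiCorp additionally signs the SHA256SUMS file; verifying that signature
# against their release key is a further step not covered here.)
grep -F -- "$archive" "$sums" | sha256sum -c -

unzip -q "$archive"
# install(1) copies, sets mode 0755 and root ownership in one step, replacing
# the separate chmod + mv of the original.
sudo install -m 0755 -o root -g root vault /usr/local/bin/vault

# Export VAULT_ADDR for both accounts. /root/.profile is not writable without
# sudo (the original redirect would fail), and the grep guard keeps the script
# idempotent instead of appending a duplicate line on every run.
line="export VAULT_ADDR=${vault_addr}"
for profile in /home/ubuntu/.profile /root/.profile; do
  if ! sudo grep -qxF -- "$line" "$profile" 2>/dev/null; then
    printf '%s\n' "$line" | sudo tee -a -- "$profile" >/dev/null
  fi
done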
- Edit /etc/postgresql/9.5/main/pg_hba.conf to allow password authentication.
- Restart PostgreSQL:
sudo service postgresql restart
- Create user and db in postgresql
-- Dedicated database and role used by Vault's PostgreSQL storage backend.
CREATE DATABASE secrets;
-- 'password' is a placeholder: pick a real secret and use the same value in
-- the connection_url of config.hcl further down.
CREATE USER vault WITH PASSWORD 'password';
-- Vault needs to create and write to its table; scoped to this database only.
GRANT ALL PRIVILEGES ON DATABASE secrets TO vault;
- Sign in with the credentials created above
psql -d secrets -U vault -W
- Create vault table
-- Key/value table read and written by the "postgresql" storage backend
-- configured in config.hcl. Column and index names must stay as-is; the
-- backend addresses them by name.
-- COLLATE "C": byte-wise ordering, presumably so path prefix/list queries are
-- not affected by the server locale — confirm against the Vault docs for the
-- pinned version.
CREATE TABLE vault_kv_store (
parent_path TEXT COLLATE "C" NOT NULL,
path TEXT COLLATE "C",
key TEXT COLLATE "C",
-- Values are stored encrypted by Vault; the database only ever sees ciphertext.
value BYTEA,
CONSTRAINT pkey PRIMARY KEY (path, key)
);
-- Listing children of a path filters on parent_path, hence the index.
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
- Add vault config file
/home/ubuntu/config.hcl
# Vault server configuration (referenced by the systemd unit below).
storage "postgresql" {
# NOTE(review): the database password is embedded in cleartext here — this
# file must be readable only by the account that runs vault (chmod 600).
connection_url = "postgres://vault:password@localhost:5432/secrets"
}
listener "tcp" {
# Bound to loopback only: nginx on the same host is the only intended client.
address = "127.0.0.1:8200"
# TLS is terminated by nginx (certbot) in front of this listener. Disabling
# TLS is only acceptable because the address above is loopback; never combine
# tls_disable with a non-loopback bind.
tls_disable = "true"
}
- Test the configuration with
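# The 'server' subcommand is required: '-config' alone is not a vault command.
# This matches the ExecStart line of the systemd unit below.
sudo vault server -config config.hcl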
- Create a systemd unit at
/etc/systemd/system/vault.service
[Unit]
Description=Unit that keeps vault server up and running
# NOTE(review): no After=/Requires= on postgresql.service, although the
# storage backend in config.hcl is PostgreSQL. Restart=always papers over the
# boot-time race; an explicit ordering dependency would be cleaner.
[Service]
# The space after '=' appears to be tolerated (systemd strips whitespace
# around values) but is easy to misread; VAULT_ADDR= with no space is clearer.
Environment= VAULT_ADDR=http://127.0.0.1:8200
WorkingDirectory=/home/ubuntu
ExecStart=/usr/local/bin/vault server -config /home/ubuntu/config.hcl
# NOTE(review): no User= line, so vault runs as root. A dedicated
# unprivileged account that owns config.hcl would be least-privilege.
Restart=always
[Install]
WantedBy=multi-user.target
- Start vault daemon with
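# '&&' rather than '&': a single '&' backgrounds the start command, so status
# would race it and report a not-yet-running service.
sudo service vault start && sudo service vault status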
- Initialise the Vault server and store the generated keys securely
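# '&&' rather than '&': with a single '&' the 'source' runs in a background
# subshell, so VAULT_ADDR never reaches the shell that runs 'vault init'.
# 'vault init' prints the unseal keys and root token once; capture them into
# secure storage immediately and clear the terminal scrollback.
source ~/.profile && vault init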
- Remove NGINX default websites with
sudo rm /etc/nginx/sites-*/default
- Add vault NGINX website at
/etc/nginx/sites-available/vault
# Reverse proxy in front of the loopback-only Vault listener (127.0.0.1:8200).
upstream vault {
server 127.0.0.1:8200;
keepalive 64;
}
server {
# Plain HTTP only at this stage; certbot --nginx (later step) adds the 443
# listener and the HTTPS redirect. Until then Vault tokens cross the network
# in cleartext, so do not use the service before certbot has run.
listen 80;
listen [::]:80;
# Replace with the real hostname; certbot also keys the certificate on it.
server_name example.com;
location / {
try_files $uri @proxy_to_app;
}
location @proxy_to_app {
# Forward the client address so Vault's audit/logging sees the real source
# rather than 127.0.0.1.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://vault;
}
}
- Create site symbolic link with
sudo ln -s /etc/nginx/sites-available/vault /etc/nginx/sites-enabled/vault
- Restart NGINX with
sudo service nginx restart
- Execute Lets Encrypt's certbot with
sudo certbot --nginx
- Test your server endpoint by visiting http://example.com/v1/sys; you should be redirected to HTTPS and see a Vault response.
- List the available firewall application profiles with UFW
sudo ufw app list
- Allow SSH connection
sudo ufw allow OpenSSH
- Allow NGINX to handle HTTP connections
sudo ufw allow 'Nginx HTTP'
- Allow NGINX to handle HTTPS connections
sudo ufw allow 'Nginx HTTPS'
- Enable Firewall rules with
sudo ufw enable
- Check firewall status with
sudo ufw status
- Reboot server
- Profit 😎!