Install and configure HashiCorp Vault

perform the tasks in this section to install and configure vault the vault hsm managed keys feature requires vault enterprise with the advanced data protection module 1| download vault download precompiled vault binaries at https //releases hashicorp com/vault/ https //releases hashicorp com/vault/ , and download vault enterprise binaries by following the instructions available to hashicorp vault customers this integration requires the vault enterprise hsm binary , version 1 10 or later you can use the following link for testing https //releases hashicorp com/vault/1 10 0+ent hsm/ https //releases hashicorp com/vault/1 10 0+ent hsm/ 2 | install vault unzip the downloaded package and move the vault binary to /usr/local/bin/ $ unzip vault ${vault version}+ent hsm linux amd64 zip set the owner of the vault binary $ sudo chown root\ root vault ensure that vault is available on the system path $ sudo mv vault /usr/local/bin/ verify the vault version $ vault version the vault command features opt in autocompletion for flags, subcommands, and arguments (where supported) install autocompletion by using the following command $ vault autocomplete install enable autocompletion $ complete c /usr/local/bin/vault vault enable vault to use the mlock syscall without running the process as root the mlock syscall prevents memory from being swapped to disk $ sudo setcap cap ipc lock=+ep /usr/local/bin/vault create a unique, non privileged system user to run vault $ sudo useradd system home /etc/vault d shell /bin/bash vault 3 | configure systemd systemd uses documented sane defaults https //www freedesktop org/software/systemd/man/systemd directives html , so you must set only non default values in the configuration file create a vault service file in /etc/systemd/system/vault service $ sudo touch /etc/systemd/system/vault service add the following configuration details to the vault service file \[unit] description="hashicorp vault a tool for managing secrets" documentation=https //www vaultproject io/docs/ requires=network online target after=network online target conditionfilenotempty=/etc/vault d/vault hcl startlimitintervalsec=60 startlimitburst=3 \[service] user=vault group=vault protectsystem=full protecthome=read only privatetmp=yes privatedevices=yes securebits=keep caps ambientcapabilities=cap ipc lock capabilities=cap ipc lock+ep capabilityboundingset=cap syslog cap ipc lock nonewprivileges=yes execstart=/usr/local/bin/vault server config=/etc/vault d/vault hcl execreload=/bin/kill signal hup $mainpid killmode=process killsignal=sigint restart=on failure restartsec=5 timeoutstopsec=30 startlimitinterval=60 startlimitintervalsec=60 startlimitburst=3 limitnofile=65536 limitmemlock=infinity \[install] wantedby=multi user target 4 | configure vault vault uses documented sane defaults, so you must set only non default values in the configuration file create /etc/vault d directory $ sudo mkdir parents /etc/vault d create a vault configuration file, vault hcl $ sudo touch /etc/vault d/vault hcl set the ownership of the /etc/vault d directory $ sudo chown recursive vault\ vault /etc/vault d set the required file permissions $ sudo chmod 640 /etc/vault d/vault hcl 5 | configure managed keys the kms library stanza isolates platform specific configurations for managed keys it defines logical names referenced within an api configuration, keeping separated cluster and node specific details and deployment concerns for each to support the managed keys feature by integrating the vault enterprise server with an hsm, the configuration file must define the kms library stanza https //www vaultproject io/docs/configuration/kms library , providing necessary connection information example vault hcl \# provide your cryptohub connection information kms library "pkcs11" { name="hsm1" library = "/usr/local/bin/fxpkcs11/libfxpkcs11 so" } storage "file" { path = "/tmp/vault" } listener "tcp" { address = "0 0 0 0 8200" tls disable = "true" } disable mlock = true license path = "/usr/local/bin/license txt" api addr = "http //127 0 0 1 8200" cluster addr = "https //127 0 0 1 8201" ui = true this guide sets the storage backend to the local file system ( /tmp/vault ) to make verification easier save your vault license to a file on disk the preceding configuration file specifies it as license txt the example configuration defines the following elements in its kms library stanza name the logical name to be referenced by a managed key library the path to the pkcs #11 library shared object file you can define multiple kms library stanzas, with the only limitation being that the value for the name key must be unique across all the stanza definitions in a case insensitive manner for the full list of configuration parameters, refer to the vault documentation here https //www vaultproject io/docs/configuration/seal/pkcs11 html#pkcs11 parameters 6 | start the vault server log in with the vault user set the pkcs #11 pin for log in with the following command (the value is the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file) $ export vault hsm pin='identity password' start the vault server $ vault server config=/etc/vault d/vault hcl if the command succeeds, you should see output similar to the following example ==> vault server configuration api address http //127 0 0 1 8200 cgo enabled cluster address https //127 0 0 1 8201 go version go1 17 7 listener 1 tcp (addr "0 0 0 0 8200", cluster address "0 0 0 0 8201", max request duration "1m30s", max request size "33554432", tls "disabled") log level info mlock supported true, enabled false recovery mode false storage file version vault v1 10 0+ent hsm version sha d71d7710888891761ce43ec4e5f9d9fdeff31d8e \==> vault server started! log data will stream in below open a new terminal window and leave the terminal running where you started the vault server