Introduction
Thank you for clicking through to my article. I've been a DevOps engineer for 2 years in a dev team of 7 engineers.
My name is MINSEOK, LEE, but I use Unchaptered as an alias on the internet. So you can call me either "MINSEOK, LEE" or "Unchaptered" to ask something.
Topic
What is Vault?
Vault is a cross-platform password and authentication system.
It stores and manages passwords, API keys and tokens.
Architecture of Vault
Storage Backend
Barrier
Audit Device
Audit Method
Client Token
1. Storage Backend
The storage backend is the storage that holds the encrypted data.
Vault does not guarantee the availability or the type of the storage.
The customer chooses which backend to use.
Many solutions can be used as a storage backend.
2. Barrier
The barrier is a firewall.
All traffic passes through this barrier.
The barrier only records encrypted data and ensures that the data is decrypted only when necessary. Just like a bank, you can only gain access by passing through the barrier.
3. Secret Engine
The secret engine is a component that stores, generates and encrypts data.
It can store and read data in a simple key & value format in encrypted Redis / Memcached.
Other secret engines can dynamically generate credentials at the point of connecting to a service and making a request.
Many solutions can be used as a secret engine.
4. Audit Device
The audit device manages audit logs.
Every request and response produces a log entry as it passes through the audit device.
So administrators can manage audit logs to check the state of the system.
5. Audit Method
The audit method is used to verify the users and applications that connect to Vault.
After verification, it returns the list of policies for the connected user and the usable applications.
At this time, it returns a client token.
After the first verification, the Vault system uses the client token.
Many solutions can be used as an audit method.
6. Client Token
A client token (Vault token) is like a session cookie on a website.
When a user is verified, Vault returns a client token.
After the user is verified, you can use the client token for subsequent operations.
Vault uses the client token to identify clients and check the application access policy.
This token is passed in HTTP requests via an HTTP header.
7. Secrets
Secrets means all kinds of data that Vault returns, including encrypted data.
A secret is a kind of lease object: after the lease ends, Vault destroys the secret.
The administrator checks the lease information to destroy or extend secrets.
But not every response from Vault is a secret.
For example, system configuration, status information and policies are not secrets.
$ vault kv put secret/hello foo=world
Key              Value
---              -----
created_time     2019-08-19T03:53:56.491587848Z
deletion_time    n/a
destroyed        false
version          1
8. Server
Vault is a client/server application.
The Vault server interacts with the data storage and the backends.
It works as a single component in the Vault architecture.
Clients communicate with it over a TLS connection, using the Vault CLI.
9. Vault Server Installation and Basic Usage
I have installed the 386 version for Windows 11.
Unzip it and register the path as a system environment variable.
10. Run Dev Server in Vault
Vault provides a dev server.
It can be used for development and testing.
vault server -dev
And set the environment variable:
set VAULT_ADDR=http://127.0.0.1:8200
11. Seal/Unseal
The Vault server has a seal/unseal status.
"Seal" means the sealed state.
In this state, Vault knows the location of the data and the method to access it.
But Vault can't decrypt the data.
"Unseal" means the unsealed state.
To decrypt data, you change the state from sealed to unsealed by configuring the master key. To unseal, the system needs the unseal key.
Then Vault can decrypt the data.
[Process]
Check the state of Vault
# Good
vault status -address=%VAULT_ADDR%
# Wrong
vault status
Without the -address option you can encounter this error.
Script
vault status
Error
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
Solution
vault status -address=http://127.0.0.1:8200
Put secrets
# Good
vault kv put -address=%VAULT_ADDR% secret/hello foo=world
# Wrong
vault kv put secret/hello foo=world -address=%VAULT_ADDR%
With the -address option placed after the positional arguments you can encounter this error.
Script
vault kv put secret/hello foo=world -address=http://127.0.0.1:8200
Error
Command flags must be provided before positional arguments. The following arguments will not be parsed as flags: [-address=http://127.0.0.1:8200]
Get "https://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/hello": http: server gave HTTP response to HTTPS client
Solution
vault kv put -address=http://127.0.0.1:8200 secret/hello foo=world
Get Secret
# Good
vault kv get -address=%VAULT_ADDR% secret/hello
Seal Vault
vault operator seal -address=%VAULT_ADDR%
Get secrets after sealing.
vault kv get -address=%VAULT_ADDR% secret/hello
You will encounter this error:
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 503. Errors:
* Vault is sealed
... 😊😊😊😊😊😊😊😊😊😊
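As an added illustration of the seal/unseal state described in this section (example code written for this edit, not part of the original post or of Vault itself): Vault splits the master key into unseal key shares with Shamir's secret sharing, and the barrier stays sealed until a threshold of distinct shares has been submitted; the dev server uses a single share, while `vault operator init` defaults to 5 shares with a threshold of 3. The model below implements the split and the sealed/unsealed gate but does not encrypt the stored data; the `Barrier` class, the share format and the `storage` dict are this example's own assumptions.

```python
import secrets

# Shares live in GF(P); P exceeds any 256-bit master key (Mersenne prime 2^521 - 1).
P = 2**521 - 1

def split_key(master_key: int, shares: int, threshold: int) -> list[tuple[int, int]]:
    """Shamir split: a random polynomial of degree threshold-1 with master_key as constant term."""
    coeffs = [master_key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, shares + 1)]

def combine_shares(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 recovers the constant term (the master key)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class Barrier:
    """Toy barrier (assumed model): starts sealed and gates reads on the master key."""
    def __init__(self, threshold: int, storage: dict):
        self.threshold = threshold
        self.storage = storage      # stands in for the storage backend (not encrypted here)
        self.progress = {}          # share x -> y; a dict, so resubmitting a share adds nothing
        self.master_key = None      # None means sealed: the key is not held in memory
    @property
    def sealed(self) -> bool:
        return self.master_key is None
    def unseal(self, share: tuple[int, int]) -> bool:
        """Submit one unseal key, like `vault operator unseal`; True once the threshold is met."""
        if self.sealed:
            x, y = share
            self.progress[x] = y
            if len(self.progress) >= self.threshold:
                self.master_key = combine_shares(list(self.progress.items()))
                self.progress.clear()
        return not self.sealed
    def seal(self) -> None:
        """Like `vault operator seal`: drop the key and any partial unseal progress."""
        self.master_key = None
        self.progress.clear()
    def read(self, path: str):
        """A kv read; while sealed it fails just as the CLI reports '503 Vault is sealed'."""
        if self.sealed:
            raise PermissionError("Vault is sealed")
        return self.storage[path]
```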
12. Data Input/Output
I decided to do a simple input/output test.
We can use the kv command to add and remove values.
Let's add a value.