This article covers installing the HashiCorp Vault server on Ubuntu 18.04/Debian 9/CentOS 7/Fedora, configuring a Vault systemd service, initializing Vault, configuring Vault roles and policies, and writing and reading secrets.
Introduction
HashiCorp Vault is a free, open-source tool designed for securely storing and accessing secrets. A secret can be a password, an API key, a certificate, and so on. The Vault server's job is to provide a unified interface to every stored secret while enforcing strict access control and recording a detailed audit log.
Vault has a web UI that you can use to interact with it; through the UI you can easily create, update, read and delete secrets, authenticate, unseal, and more.
Appendix: Vault features
Vault's main features are:
Secure Secret Storage: by default, Vault encrypts secrets before writing them to persistent storage.
Support for Dynamic Secrets: Vault can generate secrets on demand and revoke them when their lease expires.
Leasing and Renewal: every secret in Vault has a lease associated with it; the secret is automatically revoked at the end of the lease, and the lease can be renewed through the built-in renewal API.
Secrets Revocation: Vault can revoke not just a single secret but a whole tree of secrets, for example all secrets read by a particular user, or all secrets of a particular type.
Installing Vault on Ubuntu/Debian/CentOS/Fedora
Vault is written in Go, and binary packages are available for the major Unix and Linux distributions. Precompiled Vault binaries are published on the https://releases.hashicorp.com/vault/ page; below we download and use version 1.0.3:
curl -sO https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip
Extract the downloaded file:
unzip vault_1.0.3_linux_amd64.zip
sudo mv vault /usr/local/bin/
The version check should match the version you downloaded:
$ vault --version
Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')
Enable command auto-completion:
vault -autocomplete-install
complete -C /usr/local/bin/vault vault
Configuring the Vault systemd service
With Vault installed, let's configure a systemd service to manage it. First create a dedicated unprivileged system user to run Vault.
Create the Vault configuration and data directories:
sudo mkdir /etc/vault
sudo mkdir -p /var/lib/vault/data
Then create the user named vault:
sudo useradd --system --home /etc/vault --shell /bin/false vault
sudo chown -R vault:vault /etc/vault /var/lib/vault/
Create the Vault service file at /etc/systemd/system/vault.service:
cat <<EOF | sudo tee /etc/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill --signal HUP
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
Create the Vault configuration file /etc/vault/config.hcl (the directory is owned by vault, so sudo is needed):
sudo touch /etc/vault/config.hcl
Add Vault's basic configuration settings to the /etc/vault/config.hcl file:
cat <<EOF | sudo tee /etc/vault/config.hcl
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
storage "file" {
path = "/var/lib/vault/data"
}
api_addr = "http://0.0.0.0:8200"
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "vault"
raw_storage_endpoint = true
disable_sealwrap = true
disable_printable_check = true
EOF
You can also use the Consul storage backend, but first you need to install Consul; see the guide on setting up a Consul cluster on Ubuntu 18.04/16.04.
The Consul backend configuration looks like the following:
storage "consul" {
address = "127.0.0.1:8500"
path = "vault"
}
Start the Vault service and enable it to start at boot:
sudo systemctl daemon-reload
sudo systemctl enable --now vault
Check the service status by running the systemctl status vault command; it should show the service as running:
Initializing the Vault server
Export the VAULT_ADDR environment variable before initializing the Vault server:
export VAULT_ADDR=http://127.0.0.1:8200
echo "export VAULT_ADDR=http://127.0.0.1:8200" >> ~/.bashrc
Replace 127.0.0.1 with your Vault server's IP address.
Start the initialization with the default options by running the following commands:
sudo rm -rf /var/lib/vault/data/*
vault operator init | sudo tee /etc/vault/init.file
Open the Vault UI at an address such as http://serverip:8200/ui:
Paste the "Unseal Keys" one at a time into Unseal Vault; you can get the keys from /etc/vault/init.file:
$ cat /etc/vault/init.file
Unseal Key 1: bNxZRU3azPZtzXjeS0pfGHLoif3Scs64fFk9j/FFtUN7
Unseal Key 2: kChe6UJ5+BnkU6UjSzalvjIuh01dLX8v/OMabz+uPtly
Unseal Key 3: MIRYhY1zQXZyod05tWtbgAnc14qBXM7hPHrqyEVQ7tCi
Unseal Key 4: KBVhzztVDUJRqNi2LDYfRFHThQe/iDbNdEaOFkAztMDN
Unseal Key 5: GJplvpcPVu6IQeJ3lqa5xvPfXTDA3ftgcZJT6xhrAUUL
Initial Root Token: s.RcW0LuNIyCoTLWxrDPtUDkCw
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
After unsealing Vault, log in with the "Initial Root Token":
You should see the Vault web admin panel on the next page:
You can also view Vault's status from the CLI by running the vault status command:
Test the HTTP API endpoint with curl to check the initialization status:
$ curl http://127.0.0.1:8200/v1/sys/init
{"initialized":true}
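The same HTTP API can drive the unseal step. The following script is an added example, not part of the original article: it parses the output that vault operator init saved to /etc/vault/init.file and submits key shares to /v1/sys/unseal until the threshold is met. The server address, the SAMPLE_INIT text and its fake key shares are constructed here.

```python
# Added example (not from the original article): parse what `vault operator init`
# wrote to /etc/vault/init.file and unseal Vault through the HTTP API used above.
import json
import re
import sys
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: same address as VAULT_ADDR above
# Constructed sample in the format `vault operator init` prints (fake key shares).
SAMPLE_INIT = """Unseal Key 1: fakeShare1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unseal Key 2: fakeShare2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Unseal Key 3: fakeShare3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Unseal Key 4: fakeShare4DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Unseal Key 5: fakeShare5EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Initial Root Token: s.EXAMPLEROOTTOKEN0000

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.
"""

def parse_init_output(text):
    """Return the key shares, the root token and the unseal threshold."""
    keys = re.findall(r"^Unseal Key \d+: (\S+)$", text, flags=re.M)
    token = re.search(r"^Initial Root Token: (\S+)$", text, flags=re.M)
    params = re.search(r"(\d+) key shares and a key threshold of (\d+)", text)
    return {"keys": keys,
            "root_token": token.group(1) if token else None,
            "threshold": int(params.group(2)) if params else len(keys)}

def vault_request(method, path, body=None):
    """One unauthenticated call to the Vault HTTP API; returns decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def unseal(keys, threshold):
    """Submit shares one at a time; any `threshold` distinct shares suffice.
    Stop as soon as the server reports sealed=false (progress/t track it)."""
    status = vault_request("GET", "sys/seal-status")
    for share in keys[:threshold]:
        if not status["sealed"]:
            break
        status = vault_request("PUT", "sys/unseal", {"key": share})
    return status

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # e.g. /etc/vault/init.file
        info = parse_init_output(fh.read())
    final = unseal(info["keys"], info["threshold"])
    print("sealed:", final["sealed"], "progress:", final["progress"], "of", final["t"])
```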
Configuring Vault roles and policies
Export the Vault root token:
export VAULT_TOKEN="s.RcW0LuNIyCoTLWxrDPtUDkCw"
Replace s.RcW0LuNIyCoTLWxrDPtUDkCw with the Initial Root Token stored in the /etc/vault/init.file file.
Then enable the approle auth method, which lets machines or applications authenticate using roles defined in Vault:
$ vault auth enable approle
Success! Enabled approle auth method at: approle/
The same command can be used for other auth methods, for example:
# vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/
# vault auth enable userpass
Success! Enabled userpass auth method at: userpass/
# vault auth enable ldap
Success! Enabled ldap auth method at: ldap/
List all auth methods with the vault auth list command:
Other auth methods can also be enabled from the web interface:
ACL policies can be managed from the "Policies" section of the web console:
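The approle method enabled above is only useful together with a policy. The following script is an added example, not part of the original article: through the HTTP API it writes a read-only ACL policy for secret/databases/*, creates an AppRole bound to it, logs in with the role's credentials and shows that the resulting token can read the secret but not write it. The role and policy names, the TTLs and the KV version 1 layout of the secret/ mount (as in the output later on this page) are assumptions.

```python
# Added example (not from the original article): instead of handing applications the
# root token, give them an AppRole bound to a read-only policy. Uses the Vault HTTP
# API; the secret/ mount is assumed to be KV version 1, as the article's output shows.
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: same address as VAULT_ADDR above

def build_read_policy(prefix):
    """Render an ACL policy granting only read/list under one KV prefix."""
    return f'path "{prefix}/*" {{\n  capabilities = ["read", "list"]\n}}\n'

def vault_request(method, path, token=None, body=None):
    """One call to the Vault HTTP API; 204 responses decode to an empty dict."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def setup_approle(root_token, role, policy, prefix):
    """Create the policy and an AppRole bound to it; return (role_id, secret_id)."""
    vault_request("PUT", f"sys/policies/acl/{policy}", root_token,
                  {"policy": build_read_policy(prefix)})
    vault_request("POST", f"auth/approle/role/{role}", root_token,
                  {"policies": [policy], "token_ttl": "1h",
                   "secret_id_ttl": "10m", "secret_id_num_uses": 1})
    role_id = vault_request("GET", f"auth/approle/role/{role}/role-id", root_token)
    secret_id = vault_request("POST", f"auth/approle/role/{role}/secret-id", root_token)
    return role_id["data"]["role_id"], secret_id["data"]["secret_id"]

def approle_login(role_id, secret_id):
    """Exchange role_id + secret_id for a client token carrying only the role's policy."""
    body = {"role_id": role_id, "secret_id": secret_id}
    return vault_request("POST", "auth/approle/login", body=body)["auth"]["client_token"]

if __name__ == "__main__":
    import os
    root = os.environ["VAULT_TOKEN"]  # the root token exported above
    rid, sid = setup_approle(root, "db1-reader", "db1-read", "secret/databases")
    app_token = approle_login(rid, sid)
    print(vault_request("GET", "secret/databases/db1", app_token)["data"])
    try:  # the same token must be refused when it tries to write
        vault_request("POST", "secret/databases/db1", app_token, {"password": "x"})
    except urllib.error.HTTPError as err:
        print("write denied as expected, HTTP", err.code)  # 403
```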
Writing and reading secrets
Now that we have installed and configured our Vault server, let's write and retrieve secrets in Vault. We use vault kv to write secrets.
Get the secrets engine paths by running the vault secrets list command:
Write a secret to your kv secrets engine:
$ vault kv put secret/databases/db1 username=DBAdmin
Success! Data written to: secret/databases/db1
$ vault kv put secret/databases/db1 password=StrongPassword
Success! Data written to: secret/databases/db1
You can even write multiple key/value pairs with a single command:
$ vault kv put secret/databases/db1 username=DBAdmin password=StrongPassword
Success! Data written to: secret/databases/db1
To read the secret, use the vault kv get command (vault kv get secret/databases/db1):
Get the data in JSON format:
$ vault kv get -format=json secret/databases/db1
{
"request_id": "f99170b5-ac38-84ce-8668-1f280b0981c1",
"lease_id": "",
"lease_duration": 36000,
"renewable": false,
"data": {
"password": "StrongPassword",
"username": "DBAdmin"
},
"warnings": null
}
To print only the value of a given field, use:
$ vault kv get -field=username secret/databases/db1
DBAdmin
To delete the secret, use:
$ vault kv delete secret/databases/db1
Success! Data deleted (if it existed) at: secret/databases/db1
$ vault kv get secret/databases/db1
No value found at secret/databases/db1