Installing and Configuring HashiCorp Vault - spring-boot-in-practice/repo GitHub Wiki

In this section, we'll show you how to install and configure HashiCorp Vault. The steps below configure Vault on the Windows operating system.

  1. Download Vault from the Vault website.
  2. Extract the ZIP file; it contains the vault.exe file.
  3. Create the following vault.conf file in the same folder as vault.exe:
backend "inmem" {
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true

There are several ways to configure Vault. The configuration above is the bare minimum needed to proceed with the technique.

  • We are using an in-memory backend, so everything stored in Vault is lost when the server process stops.
  • The listener is TCP, bound to 0.0.0.0 on port 8200, so the server is reachable at localhost:8200 (and on every other interface of the machine). We've disabled TLS, so Vault runs over plain HTTP. In a production application, you should run Vault with HTTPS.
  4. Run the following command from the command prompt window:
vault server -config vault.conf

This will start the vault server and you'll see an output similar to this:

==> Vault server configuration:

                     Cgo: disabled
              Go Version: go1.15.11
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.7.2
             Version Sha: db0e4245d5119b5929e611ea4d9bf66e47f3f208

==> Vault server started! Log data will stream in below:

2021-05-23T07:24:08.427+0530 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2021-05-23T07:24:08.428+0530 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
  5. Open a new command prompt and set the VAULT_ADDR environment variable to the http://localhost:8200 URL:
set VAULT_ADDR=http://localhost:8200
  6. By default, Vault starts sealed, and we need the unseal keys to unseal it. Execute the following command:
vault operator init

You'll find output similar to this:

Unseal Key 1: dWySvH4YUA/0PsEc/89jkvafReAdzWCM9uTKEWRzKs0l
Unseal Key 2: vclmTKiuvWSg+G/o7kFRwIhlEiTVU4UvqhH/e/LdTRm2
Unseal Key 3: 8Uck9MRcb+vIw2DdS7P76/kbb/Z7DI/ngJQjaX8mD1ce
Unseal Key 4: kv1QWqNbH5b2ueCHJmhmF8Il8zhdvQfT+bi0eK63viV/
Unseal Key 5: 5rHgCvltXtFxRoKoiw4RzP4XMKgiKblSvSnd9PyhSHSw

Initial Root Token: s.YGgzy5qOtEf4d6Xo0i6qqQGL

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
  7. If you run the vault status command, you'll see that Vault is sealed and requires at least three of the above keys to unseal it:
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.7.2
HA Enabled         false
  8. We'll use the following commands to unseal Vault. You can use any three of the five Unseal Keys from step 6:
vault operator unseal <YOUR KEY 1>
vault operator unseal <YOUR KEY 2>
vault operator unseal <YOUR KEY 3>

e.g.,
vault operator unseal 8Uck9MRcb+vIw2DdS7P76/kbb/Z7DI/ngJQjaX8mD1ce
vault operator unseal kv1QWqNbH5b2ueCHJmhmF8Il8zhdvQfT+bi0eK63viV/
vault operator unseal 5rHgCvltXtFxRoKoiw4RzP4XMKgiKblSvSnd9PyhSHSw
  9. Next, set the VAULT_TOKEN environment variable to the Initial Root Token from step 6:
set VAULT_TOKEN=<INITIAL ROOT TOKEN>

e.g.,
set VAULT_TOKEN=s.YGgzy5qOtEf4d6Xo0i6qqQGL
  10. Now Vault is ready to use. Let us enable the kv secrets engine at the path secret:
vault secrets enable -path=secret kv
  11. Let's store a secret in Vault:
vault write secret/coursetracker keystore=p@ssw0rd

With the above command, we have stored a key called keystore with the value p@ssw0rd under secret/coursetracker for the coursetracker application.
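The same procedure (steps 6 through 11) can be driven through Vault's HTTP API instead of typing each command. The script below is an added example, not code from the wiki page or from the spring-boot-in-practice project. It assumes Vault listens at http://localhost:8200 as configured above, that the output of vault operator init was saved to a file, and that the kv engine is mounted at secret as in step 10; the sample init output embedded in it is the one printed on this page. The HTTP transport is a parameter so the logic can be exercised offline against a stand-in.

```python
"""Drive Vault's unseal and kv-write steps through its HTTP API.

Added example for the wiki page; assumes VAULT_ADDR=http://localhost:8200 and a
kv v1 engine mounted at `secret`.  Endpoints used: /v1/sys/seal-status,
/v1/sys/unseal and /v1/secret/<path>.
"""
import base64
import json
import os
import re
import sys
import urllib.request

# Sample `vault operator init` output as shown on this page (constructed values).
SAMPLE_INIT_OUTPUT = """\
Unseal Key 1: dWySvH4YUA/0PsEc/89jkvafReAdzWCM9uTKEWRzKs0l
Unseal Key 2: vclmTKiuvWSg+G/o7kFRwIhlEiTVU4UvqhH/e/LdTRm2
Unseal Key 3: 8Uck9MRcb+vIw2DdS7P76/kbb/Z7DI/ngJQjaX8mD1ce
Unseal Key 4: kv1QWqNbH5b2ueCHJmhmF8Il8zhdvQfT+bi0eK63viV/
Unseal Key 5: 5rHgCvltXtFxRoKoiw4RzP4XMKgiKblSvSnd9PyhSHSw

Initial Root Token: s.YGgzy5qOtEf4d6Xo0i6qqQGL
"""

KEY_RE = re.compile(r"^Unseal Key \d+: (\S+)$", re.M)
ROOT_RE = re.compile(r"^Initial Root Token: (\S+)$", re.M)


def parse_init_output(text):
    """Pull the key shares and the root token out of `vault operator init` output."""
    shares = KEY_RE.findall(text)
    root = ROOT_RE.search(text)
    return {"shares": shares, "root_token": root.group(1) if root else None}


def is_well_formed_share(share):
    """Vault prints each Shamir share as base64 of 33 bytes (32 data + 1 index byte)."""
    try:
        return len(base64.b64decode(share, validate=True)) == 33
    except (ValueError, TypeError):
        return False


def http_json(method, url, body=None, token=None):
    """Minimal JSON transport; Vault authenticates requests via X-Vault-Token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # a kv v1 write answers 204 with an empty body
        return json.loads(raw) if raw else {}


def unseal(addr, shares, transport=http_json):
    """Submit shares until the seal opens; `t` of the `n` shares are required."""
    status = transport("GET", f"{addr}/v1/sys/seal-status")
    if not status["sealed"]:
        return status
    threshold = status["t"]
    if len(shares) < threshold:
        raise ValueError(f"need {threshold} shares, have {len(shares)}")
    for share in shares:
        # The share travels in the request body rather than as a command-line
        # argument, so it does not end up in the command prompt history.
        status = transport("PUT", f"{addr}/v1/sys/unseal", {"key": share}, None)
        if not status["sealed"]:
            return status
    raise RuntimeError("still sealed after submitting every share")


def kv_write(addr, token, path, data, transport=http_json):
    """Equivalent of `vault write secret/<path> k=v` on the kv v1 engine."""
    transport("POST", f"{addr}/v1/secret/{path}", data, token)


def kv_read(addr, token, path, transport=http_json):
    """kv v1 returns the stored fields inside the `data` member of the response."""
    return transport("GET", f"{addr}/v1/secret/{path}", None, token)["data"]


if __name__ == "__main__":
    # Usage: python vault_api_demo.py <file containing the init output>
    addr = os.environ.get("VAULT_ADDR", "http://localhost:8200")
    with open(sys.argv[1]) as fh:
        init = parse_init_output(fh.read())
    print("seal status:", unseal(addr, init["shares"]))
    kv_write(addr, init["root_token"], "coursetracker", {"keystore": "p@ssw0rd"})
    print("read back:", kv_read(addr, init["root_token"], "coursetracker"))
```

The same point applies to the CLI in step 8: running vault operator unseal with no argument makes the CLI prompt for the key, which keeps the share out of the command prompt history. Whichever route you use, the root token and the key shares should be handed to different custodians and removed from the machine once the server is unsealed, since the in-memory backend loses everything on restart and the shares are the only way to open the seal again.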
