Docker based Hashicorp Vault

This guide will show you how to set up HashiCorp’s Vault package in a Docker-based environment.

Github repo: https://github.com/tjth-ltd/password-vault

Installation:

This guide assumes you have both docker and docker-compose installed on the server on which you will be running the password repository.

Firstly, clone the repository to your machine and build the container using docker-compose:

cd password-vault && sudo docker-compose up -d

When the container has been created, your password vault should be accessible at http://[your-docker-host]:8201/ui

Configuration:

Browse to your Vault’s UI on the port mentioned above (8201) and complete the initial configuration. The vault I am using is locked down by source IP address, so security is not of huge importance here, but adjust the security parameters as appropriate for your environment.

For a basic setup, enter 1 for the key shares and 1 for the key threshold on the initial UI page before clicking Initialize.

The following page will show your master unseal key and root token for logging in to Vault. Be sure to document these securely (not in the vault!). Once you have recorded these keys you may proceed to unseal your vault using the key and use the root token to log in to Vault for the first time.

Creating a Password Secrets location:

To create your first password repository (we will create two in this guide to demonstrate the ACL access policies), click on “Enable new engine” on the Secrets page of your vault.

Select the KV engine type and choose a name for your password area before clicking “Enable Engine”. For this guide I will be creating two password areas, “servers” and “websites”.

Creating an Access Policy.

The next thing to do after creating your repositories will be to create an ACL policy to allow your users to access them. How you do this will be dependent on your setup, but I typically base my ACLs on the default policy (removing access as required).

To do this, go to the Policies area and select the “default” ACL. Copy the contents from the configuration page before going back and creating a new policy.

Because I have created two password areas (“servers” and “websites”) I will be creating two policies to provide access to these different password stores (they will be given the same names as the stores for clarity).

In the new ACL policy, add a section as below to provide access from this ACL to the “servers” password store created previously (adjust this path for the “websites” ACL to be created afterwards):

# Allow access to "servers" password store.
path "servers/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

When you are done, save your ACLs and move on to the next section.

Enabling Username/Password Authentication:

When you first log in you will see a setup guide on the right-hand side. We will be setting up simple username/password authentication now, so you can dismiss this (it can be relaunched at any time).

The first step will be to enable username/password authentication. To do this, go to Access (at the top) and select the Username & Password authentication method, then click “Enable Method”.

Creating a User:

To create a new user, click on the Terminal button in the top right-hand corner of the page and run the command below (updating the username, password and policy as appropriate).

vault write auth/userpass/users/[username] password=[secure password] policies=servers

You should now be able to log in with your newly created user account in a separate tab and have access only to the “servers” password store (not “websites”!).
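The policy and user steps above are all done by hand in the UI, and the only check the guide gives is "log in and look". The script below is an added example (not code from this guide or from the password-vault repository) that does the same thing against Vault's HTTP API, which is what the UI terminal talks to anyway: it renders the two policy stanzas, creates them, creates one user per store, logs each user in and asks Vault which capabilities each token actually has on the other store. It assumes VAULT_ADDR points at the container (for this setup http://[your-docker-host]:8201), VAULT_TOKEN holds the root token from initialisation, the two passwords are supplied in SERVERS_PW and WEBSITES_PW, the usernames are placeholders, and both engines were enabled as KV version 2 (the UI default), which is why the checked paths carry a data/ segment. The policy_allows helper is an offline approximation of Vault's path matching, not Vault's own code.

```python
"""Create the "servers" and "websites" ACL policies and one user per store over
Vault's HTTP API, then confirm each user reaches only their own store.

Added example, not code from the original guide or the password-vault repository.
Assumes VAULT_ADDR (e.g. http://your-docker-host:8201), VAULT_TOKEN (root token),
SERVERS_PW / WEBSITES_PW, placeholder usernames, and KV v2 engines at "servers"
and "websites".
"""
import json
import os
import urllib.error
import urllib.request
from typing import Optional

CAPABILITIES = ["create", "read", "update", "delete", "list"]


def policy_hcl(store: str) -> str:
    """Render the policy stanza from the guide for one KV store."""
    caps = ", ".join(f'"{c}"' for c in CAPABILITIES)
    return (
        f'# Allow access to "{store}" password store.\n'
        f'path "{store}/*" {{\n'
        f"  capabilities = [{caps}]\n"
        "}\n"
    )


def policy_allows(policy_path: str, request_path: str) -> bool:
    """Offline approximation of Vault's path matching: a trailing '*' is a prefix
    glob, anything else must match exactly. Lets you reason about which store a
    stanza reaches (servers/data/..., servers/metadata/...) before uploading it."""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return request_path == policy_path


def _api(method: str, path: str, token: str, body: Optional[dict] = None):
    """Minimal Vault API call. Returns (HTTP status, parsed JSON or {})."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}


def create_policy_and_user(root_token: str, store: str, username: str, password: str) -> None:
    """UI policy page plus the guide's 'vault write auth/userpass/users/...' in API form."""
    for method, path, body in (
        ("PUT", f"sys/policies/acl/{store}", {"policy": policy_hcl(store)}),
        ("POST", f"auth/userpass/users/{username}", {"password": password, "token_policies": store}),
    ):
        status, _ = _api(method, path, root_token, body)
        if status not in (200, 204):
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")


def login(username: str, password: str) -> str:
    """Userpass login; returns the client token Vault issues for that user."""
    status, body = _api("POST", f"auth/userpass/login/{username}", "", {"password": password})
    if status != 200:
        raise RuntimeError(f"login failed for {username}: HTTP {status}")
    return body["auth"]["client_token"]


def capabilities_on(token: str, paths: list) -> dict:
    """Ask Vault what this token may do on each path; no access comes back as ['deny']."""
    _, body = _api("POST", "sys/capabilities-self", token, {"paths": paths})
    return {p: body.get(p, ["deny"]) for p in paths}


def verify_isolation(stores: list, tokens: dict) -> bool:
    """Each user must hold 'read' on their own store and only 'deny' on every other."""
    ok = True
    paths = [f"{s}/data/example" for s in stores]
    for own, token in tokens.items():
        caps = capabilities_on(token, paths)
        for s in stores:
            got = caps[f"{s}/data/example"]
            good = ("read" in got) if s == own else (got == ["deny"])
            print(f"{own:<9} -> {s}/data/example : {got} {'ok' if good else 'FAIL'}")
            ok = ok and good
    return ok


if __name__ == "__main__":
    root = os.environ["VAULT_TOKEN"]
    # Placeholder usernames; passwords come from the environment, never the script.
    users = {"servers": ("svc-admin", os.environ["SERVERS_PW"]),
             "websites": ("web-admin", os.environ["WEBSITES_PW"])}
    for store, (user, pw) in users.items():
        create_policy_and_user(root, store, user, pw)
    tokens = {store: login(user, pw) for store, (user, pw) in users.items()}
    raise SystemExit(0 if verify_isolation(list(users), tokens) else 1)
```

Run it once after the UI work with the root token exported; a non-zero exit means one of the users can see a store they should not, which is worth knowing before the root token goes back in the safe. The `token_policies` field is the current name for what the guide's CLI line passes as `policies=`; Vault accepts both.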

Backup/Restore Process:

The backup process is simply to adjust the backup.sh script in the repository as required and make it executable.

The restore process is simply to clone the repository onto a new server and extract the archive into the data/ directory.
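The two steps above are the whole procedure, so here is an added example of what a backup and restore of that data/ directory look like with the checks a practitioner wants: a digest recorded next to the archive, a restore that refuses to unpack over a non-empty data/ directory (so a live vault is never half-overwritten) and rejects archive members that would land outside the target, and a comparison of the restored tree against the recorded digest. This is not the repository's backup.sh; it assumes the container keeps Vault's storage under ./data (as the restore step implies) and that the container has been stopped before the backup is taken, so nothing changes under the archive while it is written. The sample files in demo() are constructed and stand in for whatever the storage backend actually writes.

```python
"""Back up the Vault data/ directory to a timestamped archive with a recorded
digest, and restore it with overwrite and path-traversal checks.

Added example, not the repository's backup.sh. Assumes Vault storage under ./data
and that the container is stopped (sudo docker-compose stop) before backing up.
"""
import hashlib
import pathlib
import tarfile
import tempfile
import time


def tree_digest(root) -> str:
    """SHA-256 over every file's relative path and contents, in sorted order."""
    root = pathlib.Path(root)
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(p.relative_to(root).as_posix().encode() + b"\0")
            h.update(p.read_bytes() + b"\0")
    return h.hexdigest()


def backup(data_dir, dest_dir) -> tuple:
    """Archive data_dir as <dest>/vault-data-<stamp>.tar.gz; write the digest beside it."""
    data_dir, dest_dir = pathlib.Path(data_dir), pathlib.Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"vault-data-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    digest = tree_digest(data_dir)
    (dest_dir / (archive.name + ".sha256")).write_text(digest + "\n")
    return str(archive), digest


def restore(archive, target_parent) -> str:
    """Extract the archive's data/ tree under target_parent. Refuses to overwrite a
    non-empty data/, rejects members escaping the target (tar path traversal) and
    link entries, then verifies the restored tree against the recorded digest."""
    archive = pathlib.Path(archive)
    target_parent = pathlib.Path(target_parent).resolve()
    target = target_parent / "data"
    if target.exists() and any(target.iterdir()):
        raise RuntimeError(f"refusing to restore over non-empty {target}")
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            dest = (target_parent / m.name).resolve()
            if dest != target_parent and target_parent not in dest.parents:
                raise RuntimeError(f"unsafe member path in archive: {m.name}")
            if m.issym() or m.islnk():
                raise RuntimeError(f"refusing link member: {m.name}")
        tar.extractall(target_parent, members=members)
    restored = tree_digest(target)
    recorded = archive.parent / (archive.name + ".sha256")
    if recorded.exists() and recorded.read_text().strip() != restored:
        raise RuntimeError("restored tree does not match recorded digest")
    return restored


def demo() -> dict:
    """Offline round trip on a constructed data/ tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        src = tmp / "live" / "data"
        (src / "core").mkdir(parents=True)
        (src / "core" / "_seal-config").write_bytes(b'{"constructed": "sample"}')
        (src / "logical").mkdir()
        (src / "logical" / "_x").write_bytes(b"constructed ciphertext blob")
        archive, digest = backup(src, tmp / "backups")
        restored = restore(archive, tmp / "new-server")
        try:                      # second restore into the same place must be refused
            restore(archive, tmp / "new-server")
            refused = False
        except RuntimeError:
            refused = True
        return {"digest_match": digest == restored, "refused_overwrite": refused,
                "archive_exists": pathlib.Path(archive).exists()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:        # python backup_vault.py data backups
        print(backup(sys.argv[1], sys.argv[2]))
    else:
        print("self-check:", demo())
```

Note what the archive does and does not contain: Vault encrypts everything in storage behind its barrier, so the backup is only usable with the unseal key from the initialisation step, and a backup of data/ is not a substitute for keeping that key somewhere safe (and separate from the backup).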

Any comments or questions? Get in touch here or Email me at [email protected]