Hashicorp Vault - Installation, Operator Seal, Unseal and Login process

Captions
From Vault's point of view, another important topic is installation, seal, and the client login process. As we have seen in the previous session on the architecture, Vault has a core layer, which has a storage layer where all the secrets will be stored; this will be internal storage or external, any RDBMS, cloud, or any database. The other one is the secrets engine, where you can store various types of secrets by using Vault. Vault has an authentication and policy mechanism: these are the ways you can log in to Vault, and it will have policies from the authorization point of view. Vault also has audit capabilities, where you can export the audit into various other audit systems. So this is the architecture for one single Vault system.

So let's say I have one Linux or any other Vault server and I want to install it and use it. The first step is you will install a Vault server, the second step is Vault configuration, and then your Vault is ready. From the installation point of view, yes, you will install as per the documentation: you go to the Vault site, go to the docs, and search for "install vault". If you click there, and then the Linux package, you will be able to see all the steps. Second, once you install Vault it is good, but the thing here is configuration. This is one of the major steps, where you will be configuring the storage, listener, telemetry, replication, etc. Once that is done, your Vault is ready to proceed further.

Next, Vault configuration. In the previous slide we have seen that this configuration is the most important. So what exactly is this configuration? It's an HCL or JSON file. Like any software you install, it requires a configuration, so here it is an HCL or JSON file, located in /etc/vault.d/vault.hcl. You can configure JSON as well. This is how the file looks; it looks like a Terraform script. Yes, it's HCL, .hcl.

Next, these are all the configuration settings with respect to the Vault server. Whoever installs the Vault server, that user will have only write and execute permission, whereas others don't have this permission. If you want other Linux users to have permission, then you need to set this environment variable. Now look at the Vault configuration here: storage "file", storage "consul". File means I want to provision a Vault server by using file storage, this one; and if you want to store the Vault backend in Consul, then you install Consul on the local server (Consul runs on 8500) and you give it here. For the demo reference point of view I have given both, but if you are using file then Consul won't be there, and if you are using Consul then file won't be there. Then replication, yes, if you want to replicate. And you want to expose TCP or HTTPS: if you want to expose your Vault server as HTTPS, then you need to pass a TLS key file and cert file for the TCP listener. These come by default, but if you have your own domain like xyz.example.com, you have to sign that domain-specific certificate and put it here. Then telemetry is metrics, if you want to expose the Vault server metrics. All this you will configure; go to the documentation, and on the left side there is Configuration. The first is storage, overview: if you want file storage this is the one, and Consul, AWS, or any kind; if you want to use etcd as a backend, or in-memory, MySQL, all the configurations are here. You just go to the documentation and configure as per the documentation. I am very curious to know how to configure DynamoDB: storage "dynamodb", which region and what is the table, and all the parameters you need to pass, as simple as that. And at the AWS level of course you need to give your permissions.

Now coming to the next: the Vault server is started and I have configured everything, all good. Now whenever you start the Vault server, it is by default in sealed mode; you need to unseal it. By default it will be in sealed mode, and unsealing is the very, very first step which must be performed, otherwise it won't let you go inside or even let you touch it. Now unseal: what exactly will you unseal? For unsealing, you will pass multiple keys to create a master key. That master key will then decrypt another key, that key will decrypt another key, and that final key will decrypt the actual data. So this is the unseal process; we will try to understand it. Once it is unsealed, you will be able to log in by using whatever credential, whatever authentication mechanism.

Next, see here: seal, unseal. If you want to unseal, as a first step you need to perform initialize, where you are passing the number of key shares and the threshold. What exactly does it mean? This is a Vault server, in sealed mode by default. In the previous step I gave key shares total 5 and threshold 3, which means out of five keys it will accept three keys; this should not be five. You can configure any number: you can give three and two, and so on. Here five out of three you are passing, meaning you have to enter three of those keys, and then that will generate a master key. This is called the Shamir secret sharing algorithm. You can go and Google "Shamir secret sharing algorithm"; this is the first result, and this is the algorithm which Vault uses internally. So what exactly it does is, from the multiple keys it will generate a master key, and that master key will decrypt another key, this key will decrypt the actual key which is stored here, and that key will decrypt the actual data of the Vault server. That entire process is called the unseal process. Once it is done, you will be able to log in with your root key or whatever key you want to log in with.

So this is seal and unseal. If you go into more detail here, same step: the Vault server is by default in a sealed state. Sealed state means Vault will have some database which is called Vault storage. The actual Vault storage data is encrypted with one keyring; that key will be used by another master key, and this master key is also stored along with the Vault storage. This means you will pass a bunch of keys that will combine into one key, that key will decrypt this key, this key will decrypt this key, and this one will decrypt the actual data. Then Vault will unseal and open. It's something like whenever you buy an iPhone: it will be sealed, so you have to unseal it. Since Vault is a sensitive information storage system, this is what the unseal process is. Of course this is one, two, three, four, as I explained.

Now what if you hosted this Vault server in AWS, Azure, or GCP? How does this seal and unseal process work? Because you will be storing this number of keys in the KMS. There is a feature called auto unseal. You go to the documentation; maybe in the examination they may ask this kind of question, but just from the theory point of view, the configuration point of view, seal and unseal: auto unseal is there. You can just search the documentation for "auto unseal" and you will be able to find it. This is the concept for cloud-based workloads, but the unseal process must be performed on any Vault server, no matter where it's hosted.

So the steps: first, the Vault server will be in sealed mode. After that, what will you do? You will do the init operation. For what purpose? You will be entering multiple keys, the Shamir algorithm; after that it will unseal, and then you will be able to log in. So the unseal process means seal to unseal, and in between we will be performing the init operation. Initialize, vault init, is nothing but you are unsealing, as simple as that. Finally, when you are logging in, you will enter a root key, or a GitHub key, or any other authentication mechanism. Vault will run on port 8200, and the Vault cluster on 8201; if you want to perform some cluster operations you need to use this. Vault also exposes an HTTP REST API. The REST API is usually used with curl, and you will be passing the certificate; this is on 443. If you want to use Consul as the database backend storage, Consul runs on 8500, so you can explore the Consul documentation to understand more about that.

Now it's demo time. Here I have a Vagrant server, so let's go to the demo. First I have one Linux server. How I provisioned the Linux server: there is a Vault server repo in GitHub, I will share this link. I have provisioned this particular Linux server by using Ubuntu 22.04, which is the latest, and the installation scripts are under scripts, install vault. You go to the documentation, under the docs search for "install vault", choose Linux, and this is the GPG key and the sudo apt command you need to add, then sudo apt install vault, and verify the installation. So first, install the Vault server; I did it by using the same command, which I put here. But as we have seen in the previous slide, configuration: here, until the installation is done, this is my Vault configuration, I will explain, and this is once the Vault server is started; it started in sealed mode. This server is running already. What I did is I have exposed this Vault server to my host machine, localhost:8200, so when I open this it's asking me to initialize.

I will go here and say vagrant ssh vault; this is the server. Just bear with me a second. Clear. Ubuntu 22.04 LTS, which is the very latest. As a first step, where is the Vault configuration located? If you go here, this is the Vault configuration file. cat, sorry, sudo su, I want to log in as the root user, then cat. This is my Vault configuration file, where I have given file storage; this is the actual storage where my Vault server's data will be stored. And I have exposed a TCP listener, this one, port 8200. It's not HTTPS. I can use HTTPS as well, but this TLS certificate is with some different name and my Chrome browser will block it, so for the local demo point of view I exposed 0.0.0.0. Instead of the address 0.0.0.0 you can put your own IP address as well, whatever this server's IP address is, so that you can access it by using that IP address:8200. Telemetry I don't want to expose, so these are commented; Consul is also commented, it's not required. Another important one is ui = true. Here I specified ui = true, hence it's allowing me over here; if I don't specify ui = true then it won't work. So localhost, this is my Vault server. Now clear; vault; see, Vault is working fine in my system.

Now go to the slide. The init operation is the first operation. You can go to the UI and do it from here, as well as from here. Here you can specify five, and I want three, or else you can give three, or you can give two; it's your choice, based on your cluster setup. What I will do is go to the server, and we will be doing the init operation under operator init. Just remember Vault has audit, auth, debug, kv, lease, all of this, and out of that, operator. Now clear, so vault operator init. When I did vault operator init, which is this particular step, it generated one, two, three, four, five keys, and along with that one initial root token, and it says Vault initialized with five key shares and a key threshold of three, which is the default setting. Let me copy this, this is the most important; I have pasted it in a notepad. Now go to the Vault documentation, vaultproject.io, and the docs; under Commands (not Configuration), vault operator, this is the Vault operator, and the init operation I did. Under that you can pass key shares and key threshold as you want, but in this case I have not passed anything, so it took the defaults of five and three. Various other operations are there; based on your requirement you can go and explore that.

Now go to the Vault UI and just refresh it. Vault is still sealed. Why? Because I have a total of five keys here and one root token; let me just separate them here so that we can easily see. This is the root token. I have to enter the five different keys here; you can do it from the UI, or else you can do it from the CLI. I wanted to do it from the UI, so key number one, any combination: key number one, copy, and unseal key portion. It's asking to enter a portion, so only number one, unseal, and one out of three keys are provided. Go to Vault here, vault status: here, what is the unseal progress out of three keys? Seal Type is shamir, yes, the Shamir algorithm; Initialized yes, we have initialized; the third one is Total Shares, five, yes, it generated five; and Threshold is three, yes, it's defined by default; and Unseal Progress, three out of one, means from the UI somebody entered one portion, and it's showing you one out of three. Now what I will do is from here I will enter the second key. What is the command to enter? vault operator, so operator, and go to the documentation, unseal; we are trying to unseal, so this is the command you have to enter: vault operator unseal, and you have to enter the key. Go to the notepad; I entered the first one, and you can enter anything, so I want to enter the fifth one, just any random combination, that's what the Shamir algorithm is. Go here and paste it, enter. Now what is the vault status? Out of three, two are processed. If you go here and refresh also it will ask the same thing: two keys are provided, enter the third one. So the unsealing process is basically unique across the cluster, that's what I'm trying to say. Let's quickly do that: vault operator unseal, and I want to enter another key, so I'll just go here to my notepad and I want to enter the middle one; copy, put it here, and see, boom, now done. Now Sealed: see, Initialized; Sealed equals false. So far it was Sealed equals true; now Vault has unsealed. vault status, clear.

Now go to the UI and just refresh it. What is it asking? Sign in to Vault. Sign in by using a token, LDAP, username, Okta, JWT, GitHub, or any kind; this is again the authentication mechanism. Here I have a key, this is the root key, which starts with hvs; I will copy and paste, yes, now I am inside the Vault UI, and it's clearly showing that you are using a root token. Let me see that: vault login, and it's asking me for the token; I already copied it, I pasted, and see. If you observe, the token starts with hvs and ends with a7; go here, ends with a7; so whatever token I entered, that token is showing, and my token duration is infinity, since it's a root token. Is the token renewable? It won't renew. And it has root permission: policies, root, nothing but RBAC; identity policies, none. Everything is blank, which means this guy has full permissions, that's what it generated. But usually this key will be kept very, very confidential, because only admins will use it. So this is about one, and you will be able to see the unseal status over here. If you want to manually sign out, you can sign out, and it will ask you for the root token, and you can do the same thing from the command line as well. And if you restart the server, it will ask you for the unseal keys. Then next: this is all about it; let's go here. It's unsealed and logged in, in the UI, so we have seen all the steps.

Now what I will do is go here and get out of my Vault server: vagrant halt vault, so I'm stopping my Vagrant server, it's a graceful shutdown, and I will just pause the video. Yeah, it's done. Now vagrant status: Vault is powered off. Now go to the UI and try to refresh; the page is not displayed. Now what I will do is cd; now I am in my Mac machine. How to install the Vault server on the Mac machine if it is not an Ubuntu server? For Mac it's very, very simple. Yes, I already installed it on the Mac; how I installed it: brew install vault. By using this command I have installed it; it's already installed. If I want to use Vault locally, there is a concept called dev server mode. How to do that? Clear, vault, enter; we have seen operator is used for all operation tasks; the next one is vault server -dev. Whenever you run vault server -dev and enter, basically Vault will run on your local machine on port 8200, with the cluster on 8201 as we have seen, and it will use in-memory internal storage. So what exactly is it? If I go to this link, this is running from my local machine, but as soon as I clicked on this 8200 URL it's directly asking me for the token; it's not asking me for the unseal key. Why? Because, read this warning: whenever you run a Vault server as a dev server, it will use in-memory storage; it's not for production, just for development purposes, where you can utilize it. The unseal key and the root token are here, so I will copy this root token, go here, sign in, yes, I can see. This is running locally, whereas if you want to use it from the CLI, create a new duplicate tab and you have to export this variable in your local environment, and of course on the Vault server as well, wherever you want to use it; this is my Vault address. Now vault status: is it sealed? No, it's not sealed. Why? Because it's already automatically unsealed, since I am running in dev server mode. Here it's clearly mentioned: starts unsealed with a single unseal key, so just one unseal key. How do you want to seal it? You can go here and you can restart, or you can sign out, or you can restart the Vault server and automatically it will unseal and ask you. And here if you want to log in, vault login, it will ask for the token; the token is here, which is hvs, just copy, go here, enter, yeah. Again this is a different token, which ends with k4; this token duration is also infinity and there are no policies, etc.

That's it for this particular session. All the commands are here; I need not note down all these commands, because all the commands, whatever I told you, are available here, so it's redundant if you copy them here. Better, all the commands are here. So yeah, that's it for this particular session. In upcoming sessions we will go into the Vault Certified Associate topics, and until then, see you, bye bye. Let me know what you guys think about this particular session; comment what you feel, share, and subscribe. That's it, thank you, bye.
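The k-of-n unseal idea from the captions (five key shares, threshold three, any three of them combine into the master key, and progress shown as "1 out of 3") as a runnable added example. This is not Vault's code or the presenter's: real Vault shares each byte of the key over GF(2^8) and uses the recovered key to decrypt its stored keyring, whereas this toy uses polynomial secret sharing over a prime field and a hypothetical `SealedVault` class whose comparison against a stored `master_key` stands in for that keyring decryption. Everything in it (the modulus, the class, the `demo` function) is an assumption made for the demonstration.

```python
"""Toy model of Vault's Shamir-based unseal flow (added example, not Vault's code)."""
import secrets
from dataclasses import dataclass, field

# Field modulus for this demo (assumption: a Mersenne prime). Real Vault shares
# each byte of the key over GF(2^8) instead, but the k-of-n property is the same.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients lowest degree first) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares=5, threshold=3):
    """Split `secret` into `shares` points (x, y); any `threshold` of them rebuild it.

    Mirrors `vault operator init` with its defaults of 5 key shares and a
    threshold of 3. The secret is the constant term of a random polynomial of
    degree threshold-1, so fewer than `threshold` points reveal nothing about it.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Lagrange interpolation at x = 0 recovers the constant term (the secret)."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of the denominator via Fermat's little theorem.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


@dataclass
class SealedVault:
    """Hypothetical stand-in for a sealed Vault accepting `vault operator unseal` calls."""
    threshold: int
    master_key: int            # assumption: real Vault instead tries to decrypt its keyring
    sealed: bool = True
    _pending: dict = field(default_factory=dict)

    def unseal(self, share):
        """Accept one key share; returns a status dict like the fields `vault status` shows."""
        x, y = share
        self._pending[x] = y   # entering the same share twice does not advance progress
        if len(self._pending) >= self.threshold:
            recovered = combine_shares(list(self._pending.items()))
            self._pending.clear()            # progress resets whether or not it worked
            if recovered == self.master_key:
                self.sealed = False
        return {"sealed": self.sealed, "progress": len(self._pending), "threshold": self.threshold}


def demo():
    """Init with 5/3, then unseal with keys 1, 5 and 3 in that order, as in the demo."""
    master_key = secrets.randbelow(PRIME)          # constructed secret for the demo
    keys = split_secret(master_key, shares=5, threshold=3)
    vault = SealedVault(threshold=3, master_key=master_key)
    return [vault.unseal(keys[0]), vault.unseal(keys[4]), vault.unseal(keys[2])]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Running the block prints progress 1, then 2, then a status with `sealed` false and progress reset to 0, which is the sequence the captions walk through in the UI and with `vault operator unseal`. Feeding a tampered share as the third key leaves the toy sealed with progress reset, matching the point that the wrong key set does not unseal the server.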
Info
Channel: Learn with GVR
Views: 5,521
Keywords: #learnwithgvr, learnwithgvr, vault, hashicorp, hashicorpvault, secretengine, vaultarchitecture, vaultusecases, vaultpricing, unseal, seal, vaultseal, vaultunseal, Shamir's Secret Sharing, vault hashicorp, hashicorp vault
Id: EiSYzqsub0A
Length: 26min 54sec (1614 seconds)
Published: Thu Apr 28 2022