Mishco

Setup HashiCorp Vault on docker

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault is primarily used in production environments to manage secrets. Vault is a complex system that has many different pieces. There is a clear separation of components that are inside or outside of the security barrier. Only the storage backend and the HTTP API are outside, all other components are inside the barrier.

Figure 1: Architecture of Vault and Spring App (Click to enlarge)

The storage backend is untrusted and is used to durably store encrypted data. When the Vault server is started, it must be provided with a storage backend so that data is available across restarts. The HTTP API similarly must be started by the Vault server on start so that clients can interact with it.

dakom

Shortcuts to key official docs

Read these first! :)

• Signals Tutorial
• DomBuilder
• SignalExt
• SignalVecExt

Concepts

kawsark

SSH CA use-case with Vault

In this scenario we are going to set up Vault to sign SSH keys using an internal CA. We will configure the SSH secrets engine and create a CA within Vault. We will then configure an SSH server to trust the CA key we just created. Finally we will attempt to SSH using a private key, and a public key signed by Vault SSH CA.

Prerequisites

• This guide assumes you have already provisioned a Vault server, SSH host using OpenSSH server, and a SSH client machine.
• The client system must be able to reach the Vault server and the OpenSSH server.
• We will refer to these systems respectively as:
• VAULT_SERVER