Vault从入门到精通系列之一:深入了解安全工具Vault、Vault根令牌和解封密钥,详细整理部署Vault的详细步骤
- 一、深入了解安全工具Vault
- 二、Vault根令牌和解封密钥的含义和作用
- 三、centos7上部署和启动Vault的流程
- 四、vault下载地址
- 五、安装vault
- 六、启动Vault
- 七、总结和延伸
一、深入了解安全工具Vault
- Vault是一种开源工具,用于安全地存储、管理和控制访问各种机密信息,如密码、API令牌、安全配置和其他敏感数据。Vault使用强大的加密和安全管理技术来保护这些机密信息,并为应用程序和服务提供安全的访问控制机制。该工具支持各种云平台和技术堆栈,并提供多种API和CLI接口,使其易于集成和使用。Vault的主要特点包括中心化管理、角色分配和权限控制、审计和日志记录、动态秘钥持续更新等。这些功能使得Vault成为一款颇受开发者和企业信赖的安全工具。
二、Vault根令牌和解封密钥的含义和作用
Vault 中的根令牌和解封密钥是用于管理和保护 Vault 中加密数据的重要凭据。
- 根令牌是 Vault 中的最高权限凭据,拥有此令牌的用户可以在 Vault 中进行任何操作,包括创建和删除机密、管理策略、配置身份验证等。因此,根令牌需要严格保密,并只在必要时进行使用。
- 解封密钥则是用于解密 Vault 中加密数据的重要凭据,可以用于解密 Vault 的存储密钥,解密后可以访问存储在 Vault 中的机密信息。因此,解封密钥也需要严格保密,通常会将其存储在冷存储中,以防止未经授权的访问和泄露。只有在必要时才使用解封密钥,例如在进行恢复操作或在创建新的存储密钥时。
三、centos7上部署和启动Vault的流程
在CentOS 7上部署和启动Vault可以按照以下步骤进行:
-
下载Vault二进制文件:可以从官网下载,也可以使用wget命令从Vault的GitHub页面下载。
-
安装Vault:将Vault二进制文件移到/usr/local/bin目录下,并添加执行权限。
-
配置Vault:可以在/etc目录下创建一个Vault配置文件,指定Vault的监听地址和端口,以及存储Vault数据的路径。
-
启动Vault:使用vault server命令启动Vault服务,会自动读取/etc目录下的配置文件并启动服务。
-
初始化Vault:使用vault init命令初始化Vault,生成一组Root Token和Unseal Key。
-
解封Vault:使用vault unseal命令输入Unseal Key解封Vault服务。
-
登录Vault:使用vault login命令输入Root Token登录Vault。
四、vault下载地址
vault下载地址:
- vault官方下载地址
- 选择下载的版本
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install vault
五、安装vault
执行命令:
- sudo yum install -y yum-utils
sudo yum install -y yum-utils
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Determining fastest mirrors
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
hashicorp | 1.4 kB 00:00:00
os | 3.6 kB 00:00:00
pgdg-common/7/x86_64/signature | 198 B 00:00:00
pgdg-common/7/x86_64/signature | 2.9 kB 00:00:00 !!!
pgdg11/7/x86_64/signature | 198 B 00:00:00
pgdg11/7/x86_64/signature | 3.6 kB 00:00:00 !!!
pgdg12/7/x86_64/signature | 198 B 00:00:00
pgdg12/7/x86_64/signature | 3.6 kB 00:00:00 !!!
pgdg13/7/x86_64/signature | 198 B 00:00:00
pgdg13/7/x86_64/signature | 3.6 kB 00:00:00 !!!
pgdg14/7/x86_64/signature | 198 B 00:00:00
pgdg14/7/x86_64/signature | 3.6 kB 00:00:00 !!!
pgdg15/7/x86_64/signature | 198 B 00:00:00
pgdg15/7/x86_64/signature | 3.6 kB 00:00:00 !!!
updates | 2.9 kB 00:00:00
(1/2): pgdg-common/7/x86_64/primary_db | 181 kB 00:00:02
(2/2): hashicorp/7/x86_64/primary | 165 kB 00:00:05
hashicorp 1196/1196
Package yum-utils-1.1.31-54.el7_8.noarch already installed and latest version
Nothing to do
执行命令:sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
adding repo from: https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
grabbing file https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo to /etc/yum.repos.d/hashicorp.repo
repo saved to /etc/yum.repos.d/hashicorp.repo
执行命令:sudo yum -y install vault
sudo yum -y install vault
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package vault.x86_64 0:1.13.3-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================================
Installing:
vault x86_64 1.13.3-1 hashicorp 92 M
Transaction Summary
==================================================================================================================================================
Install 1 Package
Total download size: 92 M
Installed size: 234 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/hashicorp/packages/vault-1.13.3-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID a621e701: NOKEY00:00:00 ETA
Public key for vault-1.13.3-1.x86_64.rpm is not installed
vault-1.13.3-1.x86_64.rpm | 92 MB 00:00:24
Retrieving key from https://rpm.releases.hashicorp.com/gpg
Importing GPG key 0xA621E701:
Userid : "HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>"
Fingerprint: 798a ec65 4e5c 1542 8c8e 42ee aa16 fcbc a621 e701
From : https://rpm.releases.hashicorp.com/gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : vault-1.13.3-1.x86_64 1/1Generating Vault TLS key and self-signed certificate...
Generating a 4096 bit RSA private key
.......................++
.................................................................................................++
writing new private key to 'tls.key'
-----
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.
Verifying : vault-1.13.3-1.x86_64 1/1
Installed:
vault.x86_64 0:1.13.3-1
Complete!
六、启动Vault
执行启动命令:
- vault server -dev -dev-root-token-id=“dev-only-token”
vault server -dev -dev-root-token-id="dev-only-token"
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Environment Variables: CLASSPATH, FLINK_HOME, GODEBUG, HADOOP_HOME, HISTFILE, HISTSIZE, HISTTIMEFORMAT, HIVE_HOME, HOME, HOSTNAME, JAVA_HOME, LANG, LESSOPEN, LOGNAME, LS_COLORS, MAIL, MONGODB_HOME, MSSQL_HOME, PATH, PROMPT_COMMAND, PWD, PYTHON3_HOME, QT_GRAPHICSSYSTEM, QT_GRAPHICSSYSTEM_CHECKED, SHELL, SHLVL, SPARK_HOME, SUDO_COMMAND, SUDO_GID, SUDO_UID, SUDO_USER, TERM, TMOUT, USER, USERNAME, XDG_SESSION_ID, ZOOKEEP_HOME, _
Go Version: go1.20.4
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level:
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.13.3, built 2023-06-06T18:12:37Z
Version Sha: 3bedf816cbf851656ae9e6bd65dd4a67a9ddff5e
==> Vault server started! Log data will stream in below:
2023-06-19T10:38:19.735+0800 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-06-19T10:38:19.735+0800 [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2023-06-19T10:38:19.736+0800 [INFO] core: Initializing version history cache for core
2023-06-19T10:38:19.736+0800 [INFO] core: security barrier not initialized
2023-06-19T10:38:19.736+0800 [INFO] core: security barrier initialized: stored=1 shares=1 threshold=1
2023-06-19T10:38:19.737+0800 [INFO] core: post-unseal setup starting
2023-06-19T10:38:19.751+0800 [INFO] core: loaded wrapping token key
2023-06-19T10:38:19.751+0800 [INFO] core: successfully setup plugin catalog: plugin-directory=""
2023-06-19T10:38:19.751+0800 [INFO] core: no mounts; adding default mount table
2023-06-19T10:38:19.753+0800 [INFO] core: successfully mounted: type=cubbyhole version="v1.13.3+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-06-19T10:38:19.753+0800 [INFO] core: successfully mounted: type=system version="v1.13.3+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-06-19T10:38:19.754+0800 [INFO] core: successfully mounted: type=identity version="v1.13.3+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-06-19T10:38:19.755+0800 [INFO] core: successfully mounted: type=token version="v1.13.3+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-06-19T10:38:19.756+0800 [INFO] rollback: starting rollback manager
2023-06-19T10:38:19.757+0800 [INFO] core: restoring leases
2023-06-19T10:38:19.758+0800 [INFO] expiration: lease restore complete
2023-06-19T10:38:19.758+0800 [INFO] identity: entities restored
2023-06-19T10:38:19.759+0800 [INFO] identity: groups restored
2023-06-19T10:38:19.759+0800 [INFO] core: Recorded vault version: vault version=1.13.3 upgrade time="2023-06-19 02:38:19.759135384 +0000 UTC" build date=2023-06-06T18:12:37Z
2023-06-19T10:38:19.981+0800 [INFO] core: post-unseal setup complete
2023-06-19T10:38:19.981+0800 [INFO] core: root token generated
2023-06-19T10:38:19.981+0800 [INFO] core: pre-seal teardown starting
2023-06-19T10:38:19.981+0800 [INFO] rollback: stopping rollback manager
2023-06-19T10:38:19.982+0800 [INFO] core: pre-seal teardown complete
2023-06-19T10:38:19.982+0800 [INFO] core.cluster-listener.tcp: starting listener: listener_address=127.0.0.1:8201
2023-06-19T10:38:19.982+0800 [INFO] core.cluster-listener: serving cluster requests: cluster_listen_address=127.0.0.1:8201
2023-06-19T10:38:19.982+0800 [INFO] core: post-unseal setup starting
2023-06-19T10:38:19.982+0800 [INFO] core: loaded wrapping token key
2023-06-19T10:38:19.982+0800 [INFO] core: successfully setup plugin catalog: plugin-directory=""
2023-06-19T10:38:19.983+0800 [INFO] core: successfully mounted: type=system version="v1.13.3+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-06-19T10:38:19.983+0800 [INFO] core: successfully mounted: type=identity version="v1.13.3+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-06-19T10:38:19.983+0800 [INFO] core: successfully mounted: type=cubbyhole version="v1.13.3+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-06-19T10:38:19.984+0800 [INFO] core: successfully mounted: type=token version="v1.13.3+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-06-19T10:38:19.984+0800 [INFO] rollback: starting rollback manager
2023-06-19T10:38:19.984+0800 [INFO] core: restoring leases
2023-06-19T10:38:19.985+0800 [INFO] identity: entities restored
2023-06-19T10:38:19.985+0800 [INFO] identity: groups restored
2023-06-19T10:38:19.985+0800 [INFO] expiration: lease restore complete
2023-06-19T10:38:19.985+0800 [INFO] core: post-unseal setup complete
2023-06-19T10:38:19.985+0800 [INFO] core: vault is unsealed
2023-06-19T10:38:19.987+0800 [INFO] expiration: revoked lease: lease_id=auth/token/root/h272562f04a210e20b2b4d865e2a84db2d53929c149d30e4e06dcd93ebe88dbac
2023-06-19T10:38:19.989+0800 [INFO] core: successful mount: namespace="" path=secret/ type=kv version=""
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variables:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: DY/t5B7OSPzH1XZq5RJoEr0o7l4Ea5epNl9h0b/zaF4=
Root Token: dev-only-token
Development mode should NOT be used in production installations!
如上所示,成功启动Vault,至此成功安装部署Vault
注意命令行输出的解封密钥和根令牌,要妥善保存解封密钥和根令牌:
- Unseal Key: DY/t5B7OSPzH1XZq5RJoEr0o7l4Ea5epNl9h0b/zaF4=
- Root Token: dev-only-token
七、总结和延伸
总结:
- 至此成功安装部署Vault
延展:
- 下一篇详细了解下如何应用安全工具Vault