
Hashicorp Vault


Service Overview #

Hashicorp Vault is a tool for secrets management, encryption as a service, and privileged access management. Within the n3tuk Organisation, Vault provides:

  1. Storage and rotation of secrets with controlled access based on locally-managed policies, both directly via the service and via the Secrets Store CSI in Kubernetes;
  2. Dynamic generation of credentials for access to third-party providers (such as AWS or Databases), both with standard and custom policies for access;
  3. OIDC provider and client authentication, allowing users to authenticate in local services, and local services to authenticate against Vault for access by users.

Service Details #

| Detail | Value |
|---|---|
| URI | https://vault.p.kub3.uk (Production) |
| | https://vault.d.kub3.uk (Development) |
| Repository | https://github.com/n3tuk/ansible (Virtual Machine & Service Installation) |
| | https://github.com/n3tuk/infra-vault (Service Configuration) |
| Monitoring | n/a |
| Logs | n/a |
| Alerting | n/a |

Upstream Dependencies #

This service currently depends on the following services and/or systems for normal operation; the table also describes why each dependency is needed.

| Service | Importance | Description |
|---|---|---|
| Cloudflare Argo Tunnels | critical | Cloudflare Argo Tunnels provide the external access to Vault and facilitate the security of the service. Failure of this service will result in failure to access Vault outside of the local network. |

Downstream Dependencies #

The following services and/or systems currently depend on this service for normal operation; the table also describes why each dependency is needed.

| Service | Importance | Description |
|---|---|---|
| (~All) | critical | Vault is a core component of many parts of the n3tuk Organisation infrastructure, supporting service secrets and OIDC to facilitate internal and external authentication. |

Maintenance Tasks #

All commands provided here assume the use of the fish shell, not bash. If you are using bash, please check and convert them where required.

Unseal on Upgrade/Restart #

Vault is configured with a local store that is encrypted at rest on each of the nodes of the cluster (even though those drives are encrypted at rest too). The key to this local store is not saved with Vault, so whenever a node in the cluster restarts it must be provided with the unseal key before it can unlock the store and start processing requests.

  • In order to check if the Vault cluster is sealed and therefore cannot serve requests, run the following command:

    $ vault status -format=json | jq -r '.sealed'
    true # The vault is sealed and needs unsealing
    
  1. Run the unseal command with vault using the decrypted unseal key:

    vault operator unseal (
      pass show n3tuk/clusters/vault/keys/unseal \
        | base64 -d \
        | gpg -d)
    
  2. Re-run the above check to verify that the cluster is now unsealed.
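The check and unseal steps above, converted to POSIX sh for anyone not running fish and wrapped so the script can be re-run safely, as an added example that is not part of the n3tuk runbook. It assumes `vault`, `pass`, `base64` and `gpg` are on the PATH, `VAULT_ADDR` points at the node to unseal, and the same `pass` path as the runbook; the JSON sample at the bottom is constructed only to exercise the parser.

```shell
#!/bin/sh
# Added example, not part of the n3tuk runbook: the "Unseal on Upgrade/Restart"
# check and unseal step converted from fish to POSIX sh and made safe to re-run.
# Assumes vault, pass, base64 and gpg on PATH and VAULT_ADDR set to the node.
set -eu

UNSEAL_KEY_PATH="n3tuk/clusters/vault/keys/unseal"   # same path as the runbook

# Read a top-level boolean field from `vault status -format=json` output without
# jq (the runbook uses jq; this is a dependency-free equivalent). Prints "true"
# or "false", or fails if the field is absent or not a boolean.
json_bool() {
  rest=${1#*\"$2\":}                                       # text after "field":
  rest=$(printf '%s' "$rest" | sed 's/^[[:space:]]*//')    # drop leading space
  case "$rest" in
    true*)  echo true ;;
    false*) echo false ;;
    *) echo "field '$2' is missing or not a boolean" >&2; return 1 ;;
  esac
}

# `vault status` exits 2 when sealed but still prints the JSON, so only its
# output is used here and its exit code is deliberately ignored.
vault_sealed() { json_bool "$(vault status -format=json || true)" sealed; }

# Decrypt the unseal key exactly as the runbook does (base64, then gpg).
unseal_key() { pass show "$UNSEAL_KEY_PATH" | base64 -d | gpg -d; }

# Idempotent: submit the key only if the node is sealed, then re-check so a
# silent failure (wrong key, node not yet up) is reported instead of assumed.
ensure_unsealed() {
  if [ "$(vault_sealed)" = false ]; then
    echo "vault is already unsealed"
    return 0
  fi
  vault operator unseal "$(unseal_key)" >/dev/null
  if [ "$(vault_sealed)" = true ]; then
    echo "vault is still sealed after the unseal attempt" >&2
    return 1
  fi
  echo "vault unsealed"
}

# Constructed sample of `vault status -format=json` output for checking the parser.
SAMPLE_SEALED='{"type":"shamir","initialized":true,"sealed":true,"t":1,"n":1,"progress":0}'

# Only touch the live cluster when explicitly asked: `sh unseal.sh run`.
if [ "${1:-}" = run ]; then ensure_unsealed; fi
```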

Rekey the Unseal Key #

As n3tuk is purely a private system for Jonathan Wright, with no others involved, the unseal key for Vault is a single key share, and only that one share is required to unseal.

If this changes, or as part of the normal rotation of the unseal key, the unseal key must be rekeyed.

  • There are no investigative steps or tests for this task.
  1. Verify that there is no existing re-keying underway:

    $ vault operator rekey -status -format=json | jq '.started'
    false
    

    If a rekey is already in progress, run the command to cancel it:

    vault operator rekey -cancel
    
  2. Ensure that VAULT_TOKEN has been escalated to the root token for the Vault cluster:

    set -e VAULT_TOKEN
    set -Ux VAULT_TOKEN (pass show n3tuk/clusters/vault/tokens/root)
    
  3. Initiate the rekey sequence by configuring the key and the recipients:

    vault operator rekey \
      -init \
      -key-shares=1 -key-threshold=1 \
      -pgp-keys=keybase:jonathanio \
      -backup
    
  4. Next, provide the current unseal key. As there is normally just a single key share, the updated unseal key is returned immediately, so ensure it is saved back into the password store:

    vault operator rekey (
      pass show n3tuk/clusters/vault/keys/unseal \
        | base64 -d \
        | gpg -d) \
      | grep -E '^Key' \
      | awk '{print $3}' \
      | pass insert --echo --force n3tuk/clusters/vault/keys/unseal
    
  5. If there is an issue with the rekey process and the original keys have not been deleted or destroyed, the original unseal keys can be restored by retrieving the backup held by Vault:

    vault operator rekey \
      -backup-retrieve
    

    Otherwise they can be deleted:

    vault operator rekey \
      -backup-delete