Personal guide for installing and setting up a Vault server.
- Install and update required dependencies.
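#!/bin/bash
# Install everything the rest of this guide depends on: wget/unzip (to fetch
# the Vault release), PostgreSQL (Vault's storage backend), nginx (the
# TLS-terminating reverse proxy) and certbot (certificates for that proxy).
set -euo pipefail

sudo apt-get -y update
sudo apt-get -y upgrade
# One apt transaction instead of one call per package.
sudo apt-get install -y wget unzip postgresql postgresql-contrib nginx

# Certbot comes from a third-party PPA, which adds another package source this
# host trusts; check it is still the one the certbot project recommends for
# this Ubuntu release before adding it.
sudo apt-get install -y software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get -y update
sudo apt-get install -y python-certbot-nginx
- Fetch vault and install Vault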
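#!/bin/bash
# Download a pinned Vault release, verify it against HashiCorp's published
# SHA256SUMS before installing it, and point login shells at the local listener.
set -euo pipefail

# Pinned release, changed in one place. The listener address must match
# config.hcl and vault.service.
VAULT_VERSION=0.8.1
VAULT_ADDR_LINE='export VAULT_ADDR=http://127.0.0.1:8200'
RELEASE_BASE="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
ZIP="vault_${VAULT_VERSION}_linux_amd64.zip"
SUMS="vault_${VAULT_VERSION}_SHA256SUMS"

cd
wget "${RELEASE_BASE}/${ZIP}"
wget "${RELEASE_BASE}/${SUMS}"
# Stop here if the archive does not match the published checksum, so a
# corrupted or tampered download never reaches /usr/local/bin. (The matching
# .sig file can additionally be checked against HashiCorp's release key.)
grep -F -- "${ZIP}" "${SUMS}" | sha256sum -c -
unzip "${ZIP}"
rm -- "${ZIP}" "${SUMS}"

# The extracted binary is owned by the current user, so chmod needs no sudo;
# only the move into /usr/local/bin does.
chmod +x ./vault
sudo mv vault /usr/local/bin/vault

# Append the export only if it is not already there, so re-running this script
# does not duplicate it. /root/.profile is not writable without sudo.
grep -qxF -- "${VAULT_ADDR_LINE}" /home/ubuntu/.profile \
  || echo "${VAULT_ADDR_LINE}" >> /home/ubuntu/.profile
sudo grep -qxF -- "${VAULT_ADDR_LINE}" /root/.profile \
  || echo "${VAULT_ADDR_LINE}" | sudo tee -a /root/.profile >/dev/null
- Edit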
/etc/postgresql/9.5/main/pg_hba.conf to allow password authentication
- Restart postgresql
# Restart so the pg_hba.conf change above is picked up.
sudo service postgresql restart - Create user and db in postgresql
-- Dedicated database and role for Vault's PostgreSQL storage backend.
CREATE DATABASE secrets;
-- 'password' is a placeholder: use a long generated secret, and keep it in
-- sync with the connection_url in config.hcl, which embeds the same value.
CREATE USER vault WITH PASSWORD 'password';
-- NOTE(review): on a database this grants CONNECT/CREATE/TEMP. The table
-- created in the next step is owned by vault anyway, so a least-privilege
-- setup could scope grants to that table instead -- confirm against the docs.
GRANT ALL PRIVILEGES ON DATABASE secrets TO vault;- Sign in using previous credentials
# Connects as 'vault' over the default local socket and prompts for the
# password. Vault itself connects over TCP to localhost:5432 (connection_url in
# config.hcl), so the pg_hba.conf rule must allow password auth for that path too.
psql -d secrets -U vault -W- Create vault table
-- Key/value table used by Vault's "postgresql" storage backend. Column names
-- and the COLLATE "C" settings are what the backend expects; keep them as is.
CREATE TABLE vault_kv_store (
parent_path TEXT COLLATE "C" NOT NULL,
path TEXT COLLATE "C",
key TEXT COLLATE "C",
value BYTEA, -- NOTE(review): Vault encrypts entries before writing, so this holds ciphertext
CONSTRAINT pkey PRIMARY KEY (path, key)
);
-- Presumably serves list operations, which look up entries by parent_path.
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);- Add vault config file
/home/ubuntu/config.hcl
# Vault server configuration, referenced by ExecStart in vault.service.
storage "postgresql" {
# Credentials must match the CREATE USER statement. The password is embedded
# in this file, so keep it readable only by the account that runs Vault.
connection_url = "postgres://vault:password@localhost:5432/secrets"
}
listener "tcp" {
# Bound to loopback only: clients reach Vault through the nginx vhost, where
# certbot installs the TLS certificate, so this listener itself has no TLS.
address = "127.0.0.1:8200"
tls_disable = "true"
}-
Test configuration using
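# '-config' is a flag of the 'server' subcommand (see ExecStart in
# vault.service); 'vault -config' on its own is not a valid invocation. Run it
# once in the foreground to check that config.hcl parses and the PostgreSQL
# connection works, then stop it with Ctrl-C before starting the systemd unit.
sudo vault server -config config.hcl
-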
Create systemd unit at
/etc/systemd/system/vault.service
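[Unit]
Description=Unit that keeps vault server up and running
# The storage backend is the local PostgreSQL; order after it so the first
# start does not fail (Restart=always would retry, but cleanly is better).
After=postgresql.service
[Service]
# Written without the stray space after '=' so the value is unambiguous;
# must match the listener address in config.hcl.
Environment=VAULT_ADDR=http://127.0.0.1:8200
WorkingDirectory=/home/ubuntu
ExecStart=/usr/local/bin/vault server -config /home/ubuntu/config.hcl
Restart=always
# NOTE(review): with no User= the server runs as root. A dedicated
# unprivileged user is preferable; Vault locks memory by default, so that
# user then needs CAP_IPC_LOCK (AmbientCapabilities=CAP_IPC_LOCK) or mlock
# must be disabled in config.hcl -- confirm against the Vault docs.
[Install]
WantedBy=multi-user.target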
- Start vault daemon with
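# '&&' rather than '&': the original backgrounded the start and queried the
# status immediately, before the service had actually been started.
sudo service vault start && sudo service vault status
- Init vault server and store keys securely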
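# '&&' rather than '&': 'source ... &' runs in a background subshell, so
# VAULT_ADDR never reaches the shell that runs 'vault init'. init prints the
# unseal keys and the initial root token exactly once and Vault does not keep
# them, so record them in an offline secret store before closing the session.
source ~/.profile && vault init
- Remove NGINX default websites with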
# Drops the distro default vhost from both sites-available and sites-enabled
# so only the vault site below answers on this host.
sudo rm /etc/nginx/sites-*/default - Add vault NGINX website at
/etc/nginx/sites-available/vault
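# Reverse proxy in front of the loopback-only Vault listener (127.0.0.1:8200).
upstream vault {
server 127.0.0.1:8200;
keepalive 64;
}
server {
listen 80;
listen [::]:80;
# Replace with the real hostname; 'certbot --nginx' (run later) adds the 443
# listener and the HTTP->HTTPS redirect to this server block.
server_name example.com;
location / {
# NOTE(review): with no root set, try_files consults nginx's default document
# root before falling through to the proxy; a plain proxy_pass here would be
# simpler if nothing static is meant to be served from this vhost.
try_files $uri @proxy_to_app;
}
location @proxy_to_app {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
# Upstream keepalive only takes effect over HTTP/1.1 with the Connection
# header cleared; without these two lines every request opens a new socket.
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_pass http://vault;
}
}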
- Create site symbolic link with
# Enable the site: nginx only loads vhosts that are linked into sites-enabled.
sudo ln -s /etc/nginx/sites-available/vault /etc/nginx/sites-enabled/vault - Restart NGINX with
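# Validate the configuration first so a typo in the vault vhost does not take
# the proxy down; restart only if the test passes.
sudo nginx -t && sudo service nginx restart
- Execute Lets Encrypt's certbot with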
# Obtains a certificate for the server_name in the vault vhost and rewrites
# that server block for HTTPS; the name must resolve to this host for the
# validation to succeed.
sudo certbot --nginx - Test your server endpoint by going to
http://example.com/v1/sys; you should be redirected to HTTPS and see a Vault response.
- List available firewall applications with UFW
# The profile names printed here are the ones used in the allow rules below.
sudo ufw app list - Allow SSH connection
# Must come before 'ufw enable', or the firewall cuts off this SSH session.
sudo ufw allow OpenSSH - Allow NGINX to handle HTTP connections
# Port 80 stays open for certbot's HTTP validation and the HTTP->HTTPS redirect.
sudo ufw allow 'Nginx HTTP' - Allow NGINX to handle HTTPS connections
# TLS traffic to the vault vhost; this is the only path clients should use.
sudo ufw allow 'Nginx HTTPS' - Allow NGINX to handle HTTPS connections
# Activates the rules above; inbound traffic not listed is denied. Vault's own
# listener is on loopback, so 8200 is not exposed either way.
sudo ufw enable - Check firewall status with
# Confirm OpenSSH and both Nginx profiles show as ALLOW before rebooting.
sudo ufw status - Reboot server
- Profit 😎!