Using Vault to store LUKS keys – Part Four

This is a continuation of my previous four posts (Part Zero, Part One, Part Two, Part Three) about the need for an automated way of storing and pulling LUKS keys for my servers.

In this post I'm going through preparing Vault to store our LUKS keys, and getting the details we will need to add to hosts so that they can use Vault.

I'd like to point out again that this SHOULD NOT be used in a production environment in its current form. I have left things too ambiguous to say I have confidence in this holding up against any form of attack. On the other hand, in its current form an attacker would need physical access to your environment to be able to get any details, in which case it's already game over.

Approle

We will be creating a new backend on Vault using AppRoles instead of the KV store we previously set up. AppRoles are useful when it's a machine or service, rather than a person, that will be logging into Vault to retrieve secrets.

This means we will usually need the approle_id and then the secret_id to get a valid token from Vault in order to work with it. In its current form, this process DOES NOT need the secret_id, just the approle, and the client must be on the CIDR I specified when creating the approle.

Here is the command I used:

vault write auth/approle/role/vaultlocker bound_cidr_list=192.168.0.0/24 token_bound_cidrs=192.168.0.0/24 policies=vaultlocker

It's pretty self-explanatory, but in short it creates an approle named vaultlocker using the policy vaultlocker (we haven't created this yet) and only allows access from my internal network.

Next we need to create the policy.

Policy

Much like when we created the kv-secrets policy previously, we need to create a policy for this approle. I lost hours of time on this due to not knowing the paths well enough. It was rather frustrating. Anyway, here is my policy:

path "/vaultlocker/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Create that policy, then run the approle creation again.
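To see how the two pieces above (the CIDR binding on the approle and the path rule in the policy) decide whether a host can actually reach its LUKS key, here is a small model of both checks. This is an added example, not part of the original post and not Vault's own code: it re-implements Vault's policy semantics as I understand them (a trailing `*` is a prefix glob, the longest matching rule wins, anything unmatched is denied, and a leading `/` on a rule is ignored) and feeds it the exact CIDR and policy from the post. The client IPs and secret paths are constructed for the test. Note that newer Vault releases document `bound_cidr_list` as deprecated in favour of `secret_id_bound_cidrs`; the value format is unchanged.

```python
"""Toy model of the access checks Vault applies to the 'vaultlocker' AppRole.

Added example (not Vault's implementation). Two independent gates:
  1. the caller's source IP must fall inside the role's bound CIDR list;
  2. the token's policy must grant the capability on the requested path.
"""
import ipaddress

# Values lifted from the post's `vault write` command and policy file.
BOUND_CIDRS = ["192.168.0.0/24"]
POLICY = {"/vaultlocker/*": ["create", "read", "update", "delete", "list"]}


def normalize(path: str) -> str:
    """Vault paths have no leading slash; drop one if present (assumption: Vault
    tolerates it in policy files, but you should not rely on that)."""
    return path.lstrip("/")


def cidr_allows(client_ip: str, cidrs=BOUND_CIDRS) -> bool:
    """Gate 1: source address must be inside at least one bound CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def policy_capabilities(path: str, policy=POLICY) -> list:
    """Gate 2: return the capabilities the policy grants on `path`.

    A rule ending in '*' matches any path with that prefix; any other rule
    must match exactly. When several rules match, the longest one wins.
    No match means deny, which is why a typo in the path costs hours.
    """
    path = normalize(path)
    best_caps, best_len = [], -1
    for rule, caps in policy.items():
        rule = normalize(rule)
        if rule.endswith("*"):
            matched = path.startswith(rule[:-1])
        else:
            matched = path == rule
        if matched and len(rule) > best_len:
            best_caps, best_len = list(caps), len(rule)
    return best_caps


def can(client_ip: str, capability: str, path: str) -> bool:
    """Both gates must pass for the request to be served."""
    return cidr_allows(client_ip) and capability in policy_capabilities(path)


if __name__ == "__main__":
    # Constructed sample requests: a host on the LAN, one outside it,
    # and a LAN host asking for a path the policy never mentions.
    for ip, cap, path in [
        ("192.168.0.42", "read", "vaultlocker/a1b2c3"),   # allowed
        ("10.0.0.5", "read", "vaultlocker/a1b2c3"),       # wrong network
        ("192.168.0.42", "read", "secret/other"),         # path not in policy
        ("192.168.0.42", "list", "vaultlocker"),          # no trailing slash
    ]:
        print(f"{ip:>14} {cap:<5} {path:<22} -> {can(ip, cap, path)}")
```

The last sample request is the one that bites people: `vaultlocker/*` covers everything under `vaultlocker/`, but not the bare `vaultlocker` mount path itself, so a `list` against it is denied even from the right network.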

That should be all we need to do here.