Using Vault to store LUKS keys – Part Two
This is a continuation of my previous two posts (Part Zero and Part One) about the need for an automated way of storing and pulling LUKS keys for my servers.
In this post, we are going to set up the Vault servers.
I will preface this by saying, I really would not recommend using this setup in production without some major reworking. The internal comms are currently not using TLS, for starters. That will be added very shortly, but at the moment this was more a proof of concept.
Setting up the Vault Servers
The configuration of the Vault servers is done in two parts. First you need to install Consul to run as an agent (rather than a server) that talks to the Consul cluster we set up previously. Then you need to install the Vault server itself.
Setting up the Consul Agent
This is a very similar process to setting up the Consul servers, just with a change in the config.json.
Grab consul:
wget https://releases.hashicorp.com/consul/1.6.1/consul_1.6.1_linux_amd64.zip
Unzip it:
unzip consul_1.6.1_linux_amd64.zip
Move it to /usr/local/bin:
mv consul /usr/local/bin/
Set the owner to root:
chown root:root /usr/local/bin/consul
Create the required directories:
mkdir /etc/consul
mkdir -p /var/consul/data
Now we need to create the Consul client config. Open the following file in your favourite text editor:
vim /etc/consul/client.json
Enter the following:
{
  "server": false,
  "datacenter": "Haynet",
  "node_name": "vault1",
  "data_dir": "/var/consul/data",
  "bind_addr": "192.168.0.194",
  "client_addr": "127.0.0.1",
  "retry_join": ["192.168.0.191", "192.168.0.193", "192.168.0.72"],
  "encrypt": "SAME KEY FROM SERVER SECTION",
  "log_level": "DEBUG",
  "enable_syslog": true,
  "acl_enforce_version_8": false
}
You will need to set the 'encrypt' key to the same value you set in the Consul server setup in the previous post.
You will also need to set 'bind_addr' to the IP of this server and 'retry_join' to the IPs of your Consul servers.
Do this on both Vault servers, but change the 'node_name'.
We are going to have Consul run as its own user now, so let's add a consul system user:
useradd --system --home /etc/consul.d --shell /bin/false consul
Now we need to set the correct permissions on the data directory we created:
chown consul:consul /var/consul -R
Next we need to create the service file to start the Consul agent.
Open /etc/systemd/system/consul-agent.service in your favourite text editor and enter the following:
[Unit]
Description=Consul client agent
Requires=network-online.target
After=network-online.target

[Service]
User=consul
Group=consul
PIDFile=/var/run/consul/consul.pid
PermissionsStartOnly=true
ExecStartPre=-/bin/mkdir -p /var/run/consul
ExecStartPre=/bin/chown -R consul:consul /var/run/consul
ExecStart=/usr/local/bin/consul agent \
    -config-file=/etc/consul/client.json \
    -pid-file=/var/run/consul/consul.pid
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
Finally, let's get the agent started:
systemctl daemon-reload
systemctl enable consul-agent
systemctl start consul-agent
If you check back on your Consul UI, you should see the new hosts added on there.
Setting up Vault on the Vault servers
Now we need to set up Vault on these servers. The process is very similar to the Consul setup.
Grab the vault binary:
wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip
Unzip it:
unzip vault_1.2.3_linux_amd64.zip
Move it to /usr/local/bin:
mv vault /usr/local/bin/
Check it works:
[root@vault1 ~]# vault -h
Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    ......
Now create the required directories:
mkdir /etc/vault
mkdir /var/log/vault
Create the following file and open it with your favourite text editor:
vim /etc/vault/config.json
and enter the following:
{
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  }],
  "api_addr": "http://192.168.0.194:8200",
  "storage": {
    "consul": {
      "address": "127.0.0.1:8500",
      "path": "vault"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
Remember to change the api_addr to the IP of the server you are on.
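The config above disables TLS on the listener and talks to Consul without an ACL token, which the post itself flags as proof-of-concept only. As an added example (not part of the original post and not HashiCorp code), here is a small Python check that flags those settings in a constructed copy of this config and emits a hardened version; the certificate paths and the Consul token it writes are placeholders to fill in.

```python
import json

# Constructed copy of the /etc/vault/config.json from this post (not the file itself).
POC_CONFIG = json.loads("""
{
  "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}],
  "api_addr": "http://192.168.0.194:8200",
  "storage": {"consul": {"address": "127.0.0.1:8500", "path": "vault"}},
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}
""")


def find_weak_settings(cfg):
    """Return (setting, why) pairs for the proof-of-concept settings that should not reach production."""
    findings = []
    for i, listener in enumerate(cfg.get("listener", [])):
        tcp = listener.get("tcp", {})
        # Vault accepts 1, "1", true or "true" for tls_disable; normalise before comparing.
        if str(tcp.get("tls_disable", "0")).lower() in ("1", "true"):
            findings.append((f"listener[{i}].tcp.tls_disable",
                             "API listener speaks plaintext HTTP: tokens and secrets cross the wire in clear"))
    if cfg.get("api_addr", "").startswith("http://"):
        findings.append(("api_addr", "advertised address is plaintext; standby nodes hand it to clients"))
    consul = cfg.get("storage", {}).get("consul")
    if consul is not None and not consul.get("token"):
        findings.append(("storage.consul.token",
                         "no ACL token: anyone who can reach the Consul API can read or delete Vault's storage"))
    return findings


def harden(cfg, cert_file, key_file, consul_token):
    """Return a copy with TLS on the listener, an https api_addr and a Consul ACL token.
    cert_file, key_file and consul_token are placeholders supplied by the caller."""
    out = json.loads(json.dumps(cfg))  # cheap deep copy so the input is left untouched
    for listener in out.get("listener", []):
        tcp = listener.get("tcp")
        if tcp is not None:
            tcp.pop("tls_disable", None)
            tcp["tls_cert_file"] = cert_file
            tcp["tls_key_file"] = key_file
    if out.get("api_addr", "").startswith("http://"):
        out["api_addr"] = "https://" + out["api_addr"][len("http://"):]
    consul = out.get("storage", {}).get("consul")
    if consul is not None:
        consul["token"] = consul_token
    return out
```

Run find_weak_settings on the file from each server before enabling the service; the hardened copy only removes the settings the post calls out, it does not generate certificates or Consul ACL policies for you.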
Now create the service file. Create and open the following file in your favourite text editor:
vim /etc/systemd/system/vault.service
and enter the following:
[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.json

[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json
# A bare path is not a valid output specifier and systemd ignores it; the file: prefix needs systemd 236 or newer.
StandardOutput=file:/var/log/vault/output.log
StandardError=file:/var/log/vault/error.log
# Lets Vault mlock() its memory so secrets are not swapped to disk.
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
We are also going to need to open a bunch of firewall ports (some of these may not be needed, but for the purpose of this POC I have added all the Consul ports and the Vault ports):
firewall-cmd --permanent --add-port=8200/tcp
firewall-cmd --permanent --add-port=8201/tcp
firewall-cmd --permanent --add-port=8300/tcp
firewall-cmd --permanent --add-port=8301/tcp
firewall-cmd --permanent --add-port=8301/udp
firewall-cmd --permanent --add-port=8302/tcp
firewall-cmd --permanent --add-port=8302/udp
firewall-cmd --permanent --add-port=8400/tcp
firewall-cmd --permanent --add-port=8500/tcp
firewall-cmd --permanent --add-port=8600/tcp
firewall-cmd --permanent --add-port=8600/udp
firewall-cmd --reload
Finally, let's get Vault started:
systemctl daemon-reload
systemctl enable vault
systemctl start vault
It's worth checking that Vault has come up. First, run the following to add the Vault address environment variable to your shell profile (reload the profile, or open a new shell, so it takes effect):
echo "export VAULT_ADDR=http://192.168.0.194:8200" >> ~/.bashrc
Then run the following to confirm Vault is up:
[root@vault1 ~]# vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.2.3
Cluster Name    vault-cluster-e093bfc5
Cluster ID      b3f75720-44b7-a057-bf58-d80e4d54932d
HA Enabled      true
HA Cluster      https://192.168.0.194:8201
HA Mode         active
Note: your output will be different; the above is with Vault already initialised and unsealed.
That is it for the installation. Now it's on to configuring Vault.
Head over to the next section to configure vault.