HashiCorp Vault ist ein zentrales System für Secrets Management. Es speichert Credentials, API-Keys und Zertifikate sicher und kann dynamische Secrets generieren.
Installation
# Binary herunterladen
wget https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip
unzip vault_1.15.4_linux_amd64.zip
mv vault /usr/local/bin/
# Version prüfen
vault versionDevelopment-Modus
# Für Tests (nicht produktiv!)
vault server -dev
# Root-Token in Ausgabe notieren
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root-token'Produktions-Setup
Server-Konfiguration
# /etc/vault.d/vault.hcl
storage "file" {
path = "/var/lib/vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/etc/vault.d/tls/vault.crt"
tls_key_file = "/etc/vault.d/tls/vault.key"
}
api_addr = "https://vault.example.de:8200"
cluster_addr = "https://vault.example.de:8201"
ui = trueSystemd-Service
# /etc/systemd/system/vault.service
[Unit]
Description=HashiCorp Vault
After=network-online.target
[Service]
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=vault
Group=vault
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.targetInitialisierung
# Vault initialisieren
vault operator init
# Ausgabe (sicher aufbewahren!):
# Unseal Key 1: xxx
# Unseal Key 2: xxx
# Unseal Key 3: xxx
# Unseal Key 4: xxx
# Unseal Key 5: xxx
# Initial Root Token: xxx
# Entsiegeln (3 von 5 Keys)
vault operator unseal KEY1
vault operator unseal KEY2
vault operator unseal KEY3Secret Engines
KV (Key-Value)
# KV v2 aktivieren
vault secrets enable -path=secret kv-v2
# Secret speichern
vault kv put secret/myapp/config username="admin" password="secret123"
# Secret lesen
vault kv get secret/myapp/config
vault kv get -field=password secret/myapp/config
# Versioniert
vault kv get -version=1 secret/myapp/config
# Löschen
vault kv delete secret/myapp/configDatabase Secrets
# Engine aktivieren
vault secrets enable database
# PostgreSQL konfigurieren
vault write database/config/postgres \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@db.example.de:5432/mydb" \
allowed_roles="app-role" \
username="vault" \
password="vault-password"
# Rolle erstellen
vault write database/roles/app-role \
db_name=postgres \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="24h"
# Dynamische Credentials abrufen
vault read database/creds/app-rolePKI (Zertifikate)
# Root CA
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write -field=certificate pki/root/generate/internal \
common_name="Example Root CA" ttl=87600h > ca.crt
# Intermediate CA
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write pki_int/intermediate/generate/internal \
common_name="Example Intermediate CA" | jq -r .data.csr > pki_int.csr
# Zertifikat ausstellen
vault write pki_int/issue/server-role \
common_name="server.example.de" ttl="720h"Authentifizierung
Token
# Token erstellen
vault token create -policy=app-policy -ttl=24h
# Token erneuern
vault token renew TOKEN
# Token widerrufen
vault token revoke TOKENAppRole
# AppRole aktivieren
vault auth enable approle
# Rolle erstellen
vault write auth/approle/role/app-role \
token_policies="app-policy" \
token_ttl=1h \
token_max_ttl=4h
# Role-ID und Secret-ID
vault read auth/approle/role/app-role/role-id
vault write -f auth/approle/role/app-role/secret-id
# Login
vault write auth/approle/login \
role_id="ROLE_ID" \
secret_id="SECRET_ID"LDAP
vault auth enable ldap
vault write auth/ldap/config \
url="ldap://ldap.example.de" \
binddn="cn=admin,dc=example,dc=de" \
bindpass="password" \
userdn="ou=users,dc=example,dc=de" \
userattr="uid" \
groupdn="ou=groups,dc=example,dc=de"Policies
Policy erstellen
# app-policy.hcl
path "secret/data/myapp/*" {
capabilities = ["read", "list"]
}
path "database/creds/app-role" {
capabilities = ["read"]
}vault policy write app-policy app-policy.hclCapabilities
| Capability | Beschreibung | |------------|--------------| | create | Erstellen | | read | Lesen | | update | Aktualisieren | | delete | Löschen | | list | Auflisten | | sudo | Root-ähnliche Rechte | | deny | Explizit verbieten |
Transit (Encryption as a Service)
# Transit aktivieren
vault secrets enable transit
# Encryption Key erstellen
vault write -f transit/keys/my-key
# Verschlüsseln
vault write transit/encrypt/my-key plaintext=$(echo "secret data" | base64)
# Entschlüsseln
vault write transit/decrypt/my-key ciphertext="vault:v1:xxx..."API-Nutzung
HTTP API
# Secret lesen
curl -H "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/secret/data/myapp/config
# Secret schreiben
curl -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
-d '{"data":{"username":"admin","password":"secret"}}' \
$VAULT_ADDR/v1/secret/data/myapp/configAgent
# /etc/vault.d/agent.hcl
vault {
address = "https://vault.example.de:8200"
}
auto_auth {
method "approle" {
config = {
role_id_file_path = "/etc/vault.d/role-id"
secret_id_file_path = "/etc/vault.d/secret-id"
}
}
sink "file" {
config = {
path = "/tmp/vault-token"
}
}
}
template {
source = "/etc/vault.d/templates/config.ctmpl"
destination = "/etc/myapp/config.json"
}High Availability
Consul Storage
storage "consul" {
address = "127.0.0.1:8500"
path = "vault/"
}
ha_storage "consul" {
address = "127.0.0.1:8500"
path = "vault/"
}Status prüfen
vault status
# Sealed: false
# HA Enabled: true
# HA Mode: activeAudit
# Audit-Log aktivieren
vault audit enable file file_path=/var/log/vault/audit.log
# Audit-Logs prüfen
vault audit listBackup
# Snapshot (Raft-Storage)
vault operator raft snapshot save backup.snap
# Restore
vault operator raft snapshot restore backup.snapZusammenfassung
| Befehl | Funktion | |--------|----------| | vault operator init | Initialisieren | | vault operator unseal | Entsiegeln | | vault kv put/get | KV-Secrets | | vault read | Secret lesen | | vault write | Secret schreiben | | vault token create | Token erstellen | | vault policy write | Policy erstellen |
| Secret Engine | Verwendung | |---------------|------------| | kv | Statische Secrets | | database | Dynamische DB-Credentials | | pki | Zertifikate | | transit | Verschlüsselung | | aws/gcp | Cloud-Credentials |
| Port | Dienst | |------|--------| | 8200 | API/UI | | 8201 | Cluster |
Fazit
Vault zentralisiert Secrets Management sicher. Dynamische Secrets reduzieren Risiken. Die API-Integration ist einfach. Audit-Logs sorgen für Nachverfolgbarkeit. Für Produktion ist High Availability essentiell.
