Introduction
Vault is a management system for sensitive information. It stores, controls, and protects the data you use for authentication or authorization processes.
Vault restricts and manages access to “sensitive secrets” including passwords, certificates, or APIs. It also provides data encryption, on-demand secrets, and revocation. In this tutorial learn how to install and configure Vault on Ubuntu 18.04, as well as how to set up Consul.
Prerequisites
- Ubuntu 18.04
- A user account with sudo privileges
- Access to a terminal window/command-line (Ctrl-Alt-T)
Steps For Installing Vault on Linux Ubuntu 18.04
Step 1: Install Consul
Consul is a highly scalable and distributed service discovery and configuration system. You can coordinate Consul Storage as a back-end to Vault to ensure the software is highly available and fault-tolerant.
The first step is to install and configure Consul on Ubuntu 18.04.
1. Start by navigating to the official Consul webpage and clicking on the Download icon.
2. The browser then takes you to the Download page with all the available packages. Search for the Linux section and right-click on the 32 or 64-bit version. Copy the link location, as you will need it in the next step.
3. Open the terminal (Ctrl+Alt+T) and use the wget command to download the Consul package:
wget https://releases.hashicorp.com/consul/1.6.1/consul_1.6.1_linux_amd64.zip4. Next, unzip the package with the command:
unzip consul_1.6.1_linux_amd64.zipNote: To download unzip software use the command: sudo apt install unzip –y.
5. Then, move the installation package by typing the following command:
sudo mv consul /usr/bin6. End by verifying the installation with the command:
consulThe output should list all available consul commands, as in the image below:
Step 2: Configure Consul
1. Create and open a new file with:
sudo nano /etc/system/system/consul.service2. Add the following content to the consul.service file:
[Unit]
Description=Consul
Documentation=https://www.consul.io/
[Service]
ExecStart=/usr/bin/consul agent –server –ui –data-dir=/temp/consul –bootstrap-expect=1 –node=vault –bind=IP.ADDRESS.OF.SERVER –config-dir=/etc/consul.d/
ExecReload=/bin/kill –HUP $MAINPID
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
3. Save and exit the file.
4. Then, move on to creating a configuration directory and adding a new .json file in it:
sudo mkdir /etc/consul.dnano /etc/consul.d/ui.json5. To set up the ui to connect to anything, add the following content to the newly created file:
{
“addresses”: {
“http”: “0.0.0.0”
}
}6. Make sure to save before exiting the file.
7. For the changes to take place, you have to reload, start, and enable the consul service.
Reload the system with the command:
systemctl daemon-reloadRun the command for starting the service:
systemctl start consulThen, enable it by using:
systemctl enable consulVerify that the service is up and running with the journalctl command:
journalctl –f –u consulFollowed by opening a web browser and navigating to the URL:
vault.admintome.lab:8500/ui/This opens HashiCorp’s online management platform, and displays available services. If you see consul as a service, you have successfully set up the software.
Step 3: Installing Vault on Ubuntu
With Consul in place, move on to installing Vault on your Ubuntu 18.04 system.
1. Go to Vault’s official website, click on Download, and find the available package for Linux distributions.
2. Right-click on the Download icon and copy the link location.
3. Using the wget command, download the package by pasting the link location copied in the previous step:
wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip4. Next, unzip the package using the following command:
unzip vault_1.2.3_linux_amd64.zip5. Then, move the package to the /usr/bin directory:
mv vault /usr/bin6. Check the installation using the following command:
vaultAs a result, a list of all available vault commands should appear, as in the image below:
Step 4: Configure Vault
1. Start by creating a configuration directory and a file within it:
sudo nano /etc/vault/config.hcl2. Then, type or paste the following content in the file:
storage “consul” {
address = “127.0.0.1:8500”
path = “vault/”
}
listener “tcp” {
address = ”IP.ADDRESS.OF.SERVER” [or “0.0.0.0” to listen to everything]
tls_disable = 1
}
ui = true3. Again, save and exit the file.
4. Next, you need to create a UNI (.uni) file, a commonly used extension for configuration files. The easiest way to do this is to copy Consul’s configuration file and modify the specifications to suit Vault.
Duplicate the existing service configuration file under a new name with the command:
cp /etc/system.system/consul.service /etc/system/system/vault.service5. Open the new vault.service file:
vim /etc/system/system/vault.service6. Make sure the content of the file matches the one below. Essentially, you’ll need to change all Consul specific values with the appropriate Vault ones.
[Unit]
Description=Vault
Documentation=https://www.vault.io/
[Service]
ExecStart=/usr/bin/vault server –config=/etc/vault/config.hcl
ExecReload=/bin/kill –HUP $MAINPID
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target7. After saving the file, exit back to the terminal shell and launch the service with the following commands:
systemctl daemon-reloadsystemctl start vaultsystemctl enable vaultsystemctl status vaultThe status should show the service is active (running).
8. Using a vault client, connect to the running service with the command:
export VAULT_ADDR=http://IP.ADDRESS.OF.VAULT:CLIENTStep 5: Initialize Vault
As you have already installed Consul to serve as the back-end storage, you’ll now need to initialize Vault manually for it to work correctly.
1. First, run the following command to see current Vault status:
vault status
As in the image above, the output displays that Vault is sealed and not initialized yet.
2. To change its status, you need three (3) keys you can find by running the command:
vault operator initThe terminal will return five (5) Unseal Keys as well as an Initial Root Token. Also, it explains that anytime the Vault package is re-sealed, restarted, or stopped, you will need to supply at least three (3) of these keys.
If you do not provide the specified keys, Vault will remain sealed. Therefore, copy all five keys and paste them in a separate file.
3. Once you have at least 3 unseal keys, run the command:
vault operator unseal4. Copy and paste the first key, and hit Enter.
5. Repeat the same procedure for the Unseal Key 2 and 3.
6. The last step to unseal Vault is to run the following command with the Initial Root Token (listed with the Unseal Keys):
vault login [root_token]7. Now, check the status again to verify that the software has been initialized:
vault status
Conclusion
This article walked you through installing Vault on Ubuntu 18.04. We also covered, configuring, initializing Vault, and outlined how to run Consul as a back-end storage service.
