Introduction
Vault is a management system for sensitive information. It stores, controls, and protects the data you use for authentication or authorization processes.
Vault restricts and manages access to “sensitive secrets” including passwords, certificates, or APIs. It also provides data encryption, on-demand secrets, and revocation. In this tutorial, learn how to install and configure Vault on Ubuntu 18.04, as well as how to set up Consul.
Prerequisites
- Ubuntu 18.04
- A user account with sudo privileges
- Access to a terminal window/command-line (Ctrl-Alt-T)
Steps For Installing Vault on Linux Ubuntu 18.04
Step 1: Install Consul
Consul is a highly scalable and distributed service discovery and configuration system. You can coordinate Consul Storage as a back-end to Vault to ensure the software is highly available and fault-tolerant.
The first step is to install and configure Consul on Ubuntu 18.04.
1. Start by navigating to the official Consul webpage and clicking on the Download icon.
2. The browser then takes you to the Download page with all the available packages. Search for the Linux section and right-click on the 32 or 64-bit version. Copy the link location, as you will need it in the next step.
3. Open the terminal (Ctrl+Alt+T) and use the wget command to download the Consul package:
wget https://releases.hashicorp.com/consul/1.6.1/consul_1.6.1_linux_amd64.zip
4. Next, unzip the package with the command:
unzip consul_1.6.1_linux_amd64.zip
Note: To install the unzip software, use the command: sudo apt install unzip -y
5. Then, move the installation package by typing the following command:
sudo mv consul /usr/bin
6. End by verifying the installation with the command:
consul
The output should list all available consul commands.
Step 2: Configure Consul
1. Create and open a new file with:
sudo nano /etc/systemd/system/consul.service
2. Add the following content to the consul.service file:
[Unit]
Description=Consul
Documentation=https://www.consul.io/
[Service]
ExecStart=/usr/bin/consul agent -server -ui -data-dir=/temp/consul -bootstrap-expect=1 -node=vault -bind=IP.ADDRESS.OF.SERVER -config-dir=/etc/consul.d/
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
3. Save and exit the file.
4. Then, move on to creating a configuration directory and adding a new .json file in it:
sudo mkdir /etc/consul.d
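sudo nano /etc/consul.d/ui.json
5. To make the UI listen on all network interfaces, add the following content to the newly created file. Because the UI is served by Consul's HTTP API, this setting exposes the API on port 8500 on every interface as well.
{
  "addresses": {
    "http": "0.0.0.0"
  }
}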
6. Make sure to save before exiting the file.
7. For the changes to take effect, reload systemd, then start and enable the consul service.
Reload the systemd configuration with the command:
sudo systemctl daemon-reload
Run the command for starting the service:
sudo systemctl start consul
Then, enable it by using:
sudo systemctl enable consul
Verify that the service is up and running with the command:
sudo journalctl -f -u consul
Then open a web browser and navigate to the URL:
vault.admintome.lab:8500/ui/
This opens the Consul web UI, HashiCorp’s management interface, which displays the available services. If you see consul as a service, you have successfully set up the software.
Step 3: Installing Vault on Ubuntu
With Consul in place, move on to installing Vault on your Ubuntu 18.04 system.
1. Go to Vault’s official website, click on Download, and find the available package for Linux distributions.
2. Right-click on the Download icon and copy the link location.
3. Using the wget command, download the package by pasting the link location copied in the previous step:
wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip
4. Next, unzip the package using the following command:
unzip vault_1.2.3_linux_amd64.zip
5. Then, move the package to the /usr/bin directory:
sudo mv vault /usr/bin
6. Check the installation using the following command:
vault
As a result, a list of all available vault commands should appear.
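Both download steps (Step 1 for Consul, Step 3 for Vault) fetch a zip whose binary ends up in /usr/bin and runs as a service, so the archive should be checked against the release's SHA256SUMS file before it is unzipped. The shell function below is an added example, not part of the original tutorial; the files in its demonstration are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check a downloaded
# HashiCorp zip against the SHA256SUMS file from the same release directory.

# Print the SHA-256 digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_release_zip <SHA256SUMS file> <zip file>
# Returns 0 on match, 1 on mismatch, 2 if a file is unreadable or the
# zip name has no entry in the sums file.
verify_release_zip() {
    sums_file=$1
    zip_file=$2
    [ -r "$sums_file" ] && [ -r "$zip_file" ] || return 2
    zip_name=$(basename "$zip_file")
    # Each line is "<hex digest>  <file name>"; pick the line for this zip.
    expected=$(awk -v n="$zip_name" '$2 == n { print $1; exit }' "$sums_file")
    [ -n "$expected" ] || return 2
    [ "$expected" = "$(sha256_of "$zip_file")" ]
}

# Offline demonstration with constructed files (no real release data).
demo_dir=$(mktemp -d)
demo_zip="$demo_dir/consul_1.6.1_linux_amd64.zip"
printf 'constructed stand-in for the zip\n' > "$demo_zip"
printf '%s  consul_1.6.1_linux_amd64.zip\n' "$(sha256_of "$demo_zip")" \
    > "$demo_dir/SHA256SUMS"
if verify_release_zip "$demo_dir/SHA256SUMS" "$demo_zip"; then
    echo "checksum OK"
fi
printf 'tampered' >> "$demo_zip"
verify_release_zip "$demo_dir/SHA256SUMS" "$demo_zip" ||
    echo "checksum MISMATCH: do not install"
rm -rf "$demo_dir"
```

For a real download, fetch consul_1.6.1_SHA256SUMS (or vault_1.2.3_SHA256SUMS) from the same release directory as the zip and pass it as the first argument. HashiCorp also publishes a detached signature for each SHA256SUMS file, and verifying that signature is what establishes that the checksums themselves are authentic.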
Step 4: Configure Vault
1. Start by creating a configuration directory and a file within it:
sudo mkdir /etc/vault
sudo nano /etc/vault/config.hcl
2. Then, type or paste the following content in the file:
storage "consul" {
  address = "127.0.0.1:8500"
  path = "vault/"
}
listener "tcp" {
  address = "IP.ADDRESS.OF.SERVER" # or "0.0.0.0" to listen on all interfaces
  tls_disable = 1
}
ui = true
3. Again, save and exit the file.
4. Next, you need to create a systemd unit file for Vault. The easiest way to do this is to copy Consul’s unit file and modify the specifications to suit Vault.
Duplicate the existing service configuration file under a new name with the command:
sudo cp /etc/systemd/system/consul.service /etc/systemd/system/vault.service
5. Open the new vault.service file:
sudo vim /etc/systemd/system/vault.service
6. Make sure the content of the file matches the one below. Essentially, you’ll need to replace all Consul-specific values with the appropriate Vault ones.
[Unit]
Description=Vault
Documentation=https://www.vaultproject.io/
[Service]
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
7. After saving the file, exit back to the terminal shell and launch the service with the following commands:
sudo systemctl daemon-reload
sudo systemctl start vault
sudo systemctl enable vault
sudo systemctl status vault
The status should show the service is active (running).
8. To point the Vault client at the running service, set the VAULT_ADDR environment variable with the command:
export VAULT_ADDR=http://IP.ADDRESS.OF.VAULT:CLIENT
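The files created in Steps 2 and 4 trade security for convenience: the Vault listener has TLS disabled, both services can be bound to all interfaces, and neither unit file sets a service user. The shell function below is an added example, not part of the original tutorial, that flags those settings; the sample files and the port 8200 in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Flags the exposure-prone
# settings in the files created in Steps 2 and 4.
# audit_findings <vault config.hcl> <consul ui.json> <systemd unit>
# Prints one finding per line; prints nothing when all checks pass.
audit_findings() {
    # Vault: inspect only the listener block, not the storage block.
    awk '
        /^[ \t]*listener[ \t]/ { in_l = 1 }
        in_l && /^[ \t]*tls_disable[ \t]*=[ \t]*"?(1|true)"?/ {
            print "vault: tls_disable is set, tokens and unseal keys travel in plaintext" }
        in_l && /^[ \t]*address[ \t]*=[ \t]*"0\.0\.0\.0/ {
            print "vault: listener bound to all interfaces" }
        /^[ \t]*}/ { in_l = 0 }
    ' "$1"
    # Consul: the HTTP API (and the UI it serves) answers on every interface.
    if grep -Eq '"http"[[:space:]]*:[[:space:]]*"0\.0\.0\.0"' "$2"; then
        echo "consul: HTTP API bound to all interfaces"
    fi
    # systemd: with no User= line the service runs as root.
    if ! grep -Eq '^[[:space:]]*User=' "$3"; then
        echo "systemd: no User= directive, service runs as root"
    fi
}

# Constructed sample: this tutorial's settings with the 0.0.0.0 option chosen.
tmp=$(mktemp -d)
cat > "$tmp/config.hcl" <<'EOF'
storage "consul" {
  address = "127.0.0.1:8500"
  path = "vault/"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
ui = true
EOF
printf '{ "addresses": { "http": "0.0.0.0" } }\n' > "$tmp/ui.json"
printf '[Service]\nExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl\n' \
    > "$tmp/vault.service"

audit_findings "$tmp/config.hcl" "$tmp/ui.json" "$tmp/vault.service"
rm -rf "$tmp"
```

Each finding has a direct remedy: give the listener tls_cert_file and tls_key_file instead of tls_disable, bind to a specific address, and add a User= line for a dedicated account to the unit file.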
Step 5: Initialize Vault
As you have already installed Consul to serve as the back-end storage, you’ll now need to initialize Vault manually for it to work correctly.
1. First, run the following command to see current Vault status:
vault status
The output shows that Vault is sealed and not initialized yet.
2. To change its status, you need three (3) unseal keys, which you obtain by running the command:
vault operator init
The terminal will return five (5) Unseal Keys as well as an Initial Root Token. The output also explains that any time Vault is re-sealed, restarted, or stopped, you will need to supply at least three (3) of these keys.
If you do not provide the specified keys, Vault will remain sealed. Therefore, copy all five keys and paste them in a separate file.
3. Once you have at least 3 unseal keys, run the command:
vault operator unseal
4. Copy and paste the first key, and hit Enter.
5. Repeat the same procedure for the Unseal Key 2 and 3.
6. The last step to unseal Vault is to run the following command with the Initial Root Token (listed with the Unseal Keys):
vault login [root_token]
7. Now, check the status again to verify that the software has been initialized:
vault status
Conclusion
This article walked you through installing Vault on Ubuntu 18.04. We also covered configuring and initializing Vault, and outlined how to run Consul as a back-end storage service.
Author
Sofija Simic