Install HashiCorp Vault on Unraid
![Install Hashicorp Vault on Unraid. /install-vault-on-unraid/featured-image.webp](/install-vault-on-unraid/featured-image.webp)
This is a guide to installing HashiCorp Vault on Unraid.
Manage secrets and protect sensitive data. Create and secure access to tokens, passwords, certificates, and encryption keys.
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
Here is a video about this post.
This Docker image is the official one and I do not maintain it, but I will do my best to support the Unraid app at this link: https://forums.unraid.net/topic/125455-support-vault/
The app installs HashiCorp Vault with the file storage backend (the default); you can switch to another backend, or set other options, through the VAULT_LOCAL_CONFIG variable.
NOTE: At startup, the container reads HCL and JSON configuration files from /vault/config (anything passed in VAULT_LOCAL_CONFIG is written to local.json in that directory and picked up along with the other configuration files there).
Please see Vault’s configuration documentation for a full list of options.
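As an added example (not code from the original post or from the Unraid template), the shell snippet below renders a VAULT_LOCAL_CONFIG value for the file backend and lints it for the one setting that matters most on a home LAN: whether the listener runs without TLS on a non-loopback address, in which case the unseal keys, the root token and every secret you send from your workstation cross the network in plaintext. The option names (storage.file.path, listener.tcp.address, tls_disable, tls_cert_file, tls_key_file, ui) are Vault's own; the storage path /vault/file, the listen address 0.0.0.0:8200 and the certificate paths are assumed example values.

```shell
#!/bin/sh
# Added example, not from the original post: render a VAULT_LOCAL_CONFIG value
# for the template and lint it before pasting it in. The option names are real
# Vault config keys; the paths and addresses below are assumed example values.
set -eu

# Emit the one-line JSON the VAULT_LOCAL_CONFIG variable expects.
# $1 = file backend path, $2 = listen address,
# $3/$4 = TLS cert/key paths inside the container (omit both for plaintext HTTP)
render_config() {
    if [ -n "${3:-}" ]; then
        listener=$(printf '{"tcp":{"address":"%s","tls_cert_file":"%s","tls_key_file":"%s"}}' "$2" "$3" "${4:-}")
    else
        listener=$(printf '{"tcp":{"address":"%s","tls_disable":true}}' "$2")
    fi
    printf '{"storage":{"file":{"path":"%s"}},"listener":[%s],"ui":true}\n' "$1" "$listener"
}

# Return 0 if the config serves plaintext HTTP on a non-loopback address. Every
# unseal key, root token and secret sent from a workstation then crosses the
# LAN unencrypted: fine for a first test, not for anything you intend to keep.
# (Checks the compact JSON form render_config emits, not hand-written HCL.)
plaintext_on_lan() {
    case "$1" in
        *'"tls_disable":true'*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'"address":"127.0.0.1:'*|*'"address":"localhost:'*) return 1 ;;
    esac
    return 0
}

# Print the config for the template and warn if it is the plaintext kind.
main() {
    cfg=$(render_config /vault/file 0.0.0.0:8200 "${TLS_CERT:-}" "${TLS_KEY:-}")
    printf 'VAULT_LOCAL_CONFIG=%s\n' "$cfg"
    if plaintext_on_lan "$cfg"; then
        echo "warning: Vault would listen without TLS on the LAN; set TLS_CERT and TLS_KEY" >&2
    fi
}

# Run only when asked, so the file can also be sourced for its helpers.
if [ "${RENDER:-0}" = 1 ]; then
    main
fi
```

Run it as `RENDER=1 sh render-config.sh` (or with `TLS_CERT=/vault/config/vault.crt TLS_KEY=/vault/config/vault.key` once you have mounted a certificate into the container) and paste the printed value into the template's VAULT_LOCAL_CONFIG field. When the listener has TLS enabled, VAULT_ADDR on your workstation must use https.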
Port
Vault listens on port 8200 (the default).
Volumes
The template defines two volumes:
- file: mandatory, so that the file storage backend, and with it your secrets, persists on your disks.
- logs: only needed if you enable audit logging (the commands are in the Example Usage section below).
Setup
You can set up Vault from the web UI, but I will go with the CLI.
After launching the app, install the Vault CLI on your workstation: www.vaultproject.io/downloads
Set VAULT_ADDR to your Unraid server's address, scheme and port included (e.g. http://<unraid-ip>:8200, or https if you configured a TLS listener).
Initialise Vault, choosing how many key shares to generate and the threshold of shares required to unseal it.
Example output (keep these keys and the root token safe and do not share them!):
Run the unseal command once per threshold share, i.e. three times for a threshold of 3, with a different key each time:
NOTE: best practice is not to pass the key on the command line: type only “vault operator unseal” and enter the key at the prompt, so that it never lands in your shell history.
After the third run the status should show Sealed false.
Now that Vault is unsealed, you can log in:
NOTE: best practice is not to pass the token on the command line: type only “vault login” and enter the token at the prompt, so that it never lands in your shell history.
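The whole Setup section as one script, as an added example that is not part of the original post. It assumes the Vault CLI is installed, that VAULT_ADDR points at the Unraid box (192.168.1.10 below is a placeholder), and the usual 5 shares with a threshold of 3. It writes the init output to a mode-0600 file instead of the terminal and feeds the keys and the root token to the CLI prompts on stdin, so nothing sensitive appears in shell history or in `ps`; that the prompts accept a piped line is an assumption that holds for the Unix builds of the CLI.

```shell
#!/bin/sh
# Added example, not from the original post: the init / unseal / login steps
# as a script. Assumed (not in the post): the Vault CLI is on PATH, VAULT_ADDR
# points at the Unraid server, and the default 5 shares / threshold 3.
set -eu

export VAULT_ADDR="${VAULT_ADDR:-http://192.168.1.10:8200}"   # assumed Unraid IP
KEY_SHARES="${KEY_SHARES:-5}"
KEY_THRESHOLD="${KEY_THRESHOLD:-3}"
# Where the init output lands. Keep it off the Unraid shares and hand the key
# shares to separate holders afterwards: this file is the whole kingdom.
INIT_FILE="${INIT_FILE:-${HOME:-/root}/vault-init.txt}"

# Print the unseal keys from `vault operator init` output, one per line, in order.
parse_unseal_keys() {
    sed -n 's/^Unseal Key [0-9][0-9]*: *//p' "$1"
}

# Print the root token from `vault operator init` output.
parse_root_token() {
    sed -n 's/^Initial Root Token: *//p' "$1"
}

# Initialise Vault once. The output goes only to a mode-0600 file, never to the
# terminal, so the keys cannot be scrolled back, screenshotted or logged.
init_vault() {
    if vault status -format=json 2>/dev/null | grep -q '"initialized": *true'; then
        echo "Vault is already initialised; using keys from $INIT_FILE" >&2
        return 0
    fi
    ( umask 077; vault operator init -key-shares="$KEY_SHARES" -key-threshold="$KEY_THRESHOLD" > "$INIT_FILE" )
}

# Feed the first KEY_THRESHOLD keys to `vault operator unseal` on stdin instead
# of argv, so no key shows up in `ps` or shell history. Assumes the CLI's
# "Unseal Key (will be hidden):" prompt accepts a piped line, as the Unix builds
# do; if yours refuses, run the command interactively as the post describes.
unseal_vault() {
    parse_unseal_keys "$INIT_FILE" | head -n "$KEY_THRESHOLD" | while IFS= read -r key; do
        printf '%s\n' "$key" | vault operator unseal >/dev/null
    done
    # The post's check: the seal status must now report Sealed false.
    vault status -format=json | grep -q '"sealed": *false'
}

# Log in with the root token, again via the prompt on stdin rather than argv.
login_root() {
    parse_root_token "$INIT_FILE" | vault login >/dev/null
}

main() {
    init_vault
    unseal_vault
    login_root
    echo "Vault at $VAULT_ADDR is unsealed and the CLI is logged in as root." >&2
}

# Run only when asked, so the file can also be sourced for its helpers.
if [ "${RUN_VAULT_SETUP:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_VAULT_SETUP=1 sh vault-setup.sh`. The root token is for bootstrapping only: once you have written your own policies and issued tokens for them, revoke it with `vault token revoke <root-token>`, and keep the key shares in separate places, because whoever holds a threshold of shares together with a copy of the file volume can decrypt everything in it.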
Example Usage
There are many secrets engines to choose from: vaultproject.io/docs/secrets/
In this example I will use the KV engine, as it is the most basic one.
Enable the KV (key/value) engine (vaultproject.io/docs/secrets/kv):
Create our first secret:
List our secrets:
Read the secret (table format by default):
Read the secret in JSON format:
Read only the password value from the secret:
Create a secret holding several key/value pairs:
Read it in JSON:
Read only the username field:
Delete our secrets:
To enable the audit log:
To disable the audit log:
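The Example Usage section as one script, again as an added example that is not from the original post. It enables KV version 2, writes and reads a secret with the password supplied on stdin rather than on the command line, enables the file audit device on the container's logs volume, and checks what such an audit entry does and does not reveal. The mount name kv, the secret path kv/unraid/db and the audit file path /vault/logs/audit.log are assumptions; the audit entry embedded in the script is constructed to match the shape the file device writes, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: the KV workflow as a script, plus
# the audit device on the container's logs volume and a check of what it logs.
# Assumed (not in the post): the CLI is logged in (see Setup), the KV engine is
# mounted at "kv", and the audit file lives under the /vault/logs volume.
set -eu

MOUNT="${MOUNT:-kv}"
SECRET_PATH="$MOUNT/unraid/db"                        # assumed example secret
AUDIT_FILE="${AUDIT_FILE:-/vault/logs/audit.log}"    # the template's "logs" volume

# Enable KV version 2 at $MOUNT unless it is already mounted.
enable_kv() {
    if vault secrets list -format=json | grep -q "\"$MOUNT/\""; then
        return 0
    fi
    vault secrets enable -path="$MOUNT" -version=2 kv
}

# Write a secret with two fields. The password is read from stdin ("password=-")
# rather than typed as an argument, so it stays out of `ps` and shell history.
write_secret() {    # $1 = username; password on stdin
    vault kv put "$SECRET_PATH" username="$1" password=- >/dev/null
}

# Read a single field, which is what a script or cron job on Unraid wants.
read_password() {
    vault kv get -field=password "$SECRET_PATH"
}

# KV v2 keeps versions: `kv delete` soft-deletes the latest version and can be
# undone with `kv undelete`; `kv metadata delete` removes every version for good.
delete_secret() {
    vault kv metadata delete "$SECRET_PATH"
}

enable_audit() {
    vault audit enable file file_path="$AUDIT_FILE"
}

disable_audit() {
    vault audit disable file
}

# A constructed (not captured) entry in the shape the file audit device writes:
# one JSON object per line, with request and response data values replaced by
# HMAC-SHA256 digests, so the log can be shipped elsewhere without leaking secrets.
# Note the API path for a KV v2 write is <mount>/data/<path>, not <mount>/<path>;
# policies and audit searches must use the /data/ form.
SAMPLE_AUDIT_LINE='{"time":"2022-06-01T12:00:00Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"update","path":"kv/data/unraid/db","data":{"data":{"password":"hmac-sha256:7d1e2c3b","username":"hmac-sha256:a9f0b4c2"}}},"response":{"data":{"created_time":"2022-06-01T12:00:00Z","version":1}}}'

# Print "<operation> <path>" for one audit line; sed is enough, no jq needed.
audit_summary() {
    printf '%s\n' "$1" | sed -n 's/.*"operation":"\([^"]*\)".*"path":"\([^"]*\)".*/\1 \2/p'
}

# Return 0 if the given plaintext does not appear anywhere in the audit line,
# i.e. the device hashed the secret values as expected.
audit_hides() {    # $1 = audit line, $2 = plaintext secret
    case "$1" in
        *"$2"*) return 1 ;;
    esac
    return 0
}

main() {
    enable_kv
    # Demo value; in real use pipe the password in from a file or password manager.
    printf '%s\n' 'correct horse battery staple' | write_secret admin
    read_password >/dev/null
    enable_audit
    read_password >/dev/null                      # this read is now audited
    audit_summary "$SAMPLE_AUDIT_LINE"
    delete_secret
}

# Run only when asked, so the file can also be sourced for its helpers.
if [ "${RUN_KV_DEMO:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_KV_DEMO=1 sh kv-demo.sh`. The summary helper shows that the audited path is kv/data/unraid/db: KV v2 inserts /data/ (and /metadata/) after the mount name, so that is also the form to use in policies. With the default audit settings the device replaces secret values with HMAC-SHA256 digests, which is why the check for the plaintext password passes; that makes the logs volume safe to back up, but the file backend volume still holds the encrypted secrets and deserves the same care as the unseal keys.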
Vault is fun to use and has a ton of different uses: from your bash scripts, in your code, in your CI/CD pipeline, SSH OTP, dynamic secrets, cloud provider authentication… have fun!
Cheers!