Install Hashicorp Vault on Unraid

This is a guide to installing HashiCorp Vault on Unraid.

Manage secrets and protect sensitive data. Create and secure access to tokens, passwords, certificates, and encryption keys.

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

The image is the official one and I do not maintain it; still, I will do my best to support it in this thread: https://forums.unraid.net/topic/125455-support-vault/

The app installs HashiCorp Vault with the file storage backend (the default). You can change this backend, and set other parameters, through the VAULT_LOCAL_CONFIG variable:

NOTE: At startup, the container reads HCL and JSON configuration files from /vault/config (anything passed in VAULT_LOCAL_CONFIG is written to local.json in that directory and read along with the other configuration files there).

Please see Vault’s configuration documentation for a full list of options.

{"backend": {"file": {"path": "/vault/file"}},"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}, "ui": true}

Port

Vault listens on port 8200 (the default).

Volumes

The installation uses two volumes:

  • file: mandatory, so that the secrets persist on your disks.
  • logs: only needed if you enable audit logs (see the commands at the end of the Example Usage section).

Setup

You can set up Vault from the web UI, but I will use the CLI.

After launching the app, install the Vault CLI on your workstation: www.vaultproject.io/downloads

Set VAULT_ADDR to your Unraid server's IP address:

export VAULT_ADDR='http://192.168.0.100:8200'

Initialize Vault, choosing how many key shares to create and the threshold of how many of them are needed to unseal it:

vault operator init -key-shares=6 -key-threshold=3

Example output (keep these keys and the root token safe and do not share them!):

Unseal Key 1: xDElr...IofCZFSvPe
Unseal Key 2: 2TQgn...vyQ7fSdSWR
Unseal Key 3: JALI...EpHFSw7SsI
Unseal Key 4: knzg...xEFwfwWSbKQ
Unseal Key 5: bJJmA...DSwfsddOTc
Unseal Key 6: xft8...aTdVSTYZg5

Initial Root Token: hvs.tnhE...y8NkA

Run the unseal command 3 times, with a different key each time (as many times as your threshold):

NOTE: best practice is not to pass the key on the command line: type just “vault operator unseal” and enter the key at the prompt, so it does not end up in your shell history.

vault operator unseal xDElr...IofCZFSvPe
vault operator unseal 2TQgn...vyQ7fSdSWR
vault operator unseal knzg...xEFwfwWSbKQ

After the third run, the output should show Sealed false.

Now that Vault is unsealed, you can log in:

NOTE: best practice is not to pass the token on the command line: type just “vault login” and enter the token at the prompt, so it does not end up in your shell history.

vault login hvs.tnhE...y8NkA
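The init, unseal and login steps above, driven through Vault's HTTP API instead of the CLI, as an added example that is not part of this guide or of the Vault project. It assumes the guide's address (http://192.168.0.100:8200; the config above sets tls_disable, so the API is plain HTTP on the LAN) and the documented endpoints sys/init, sys/unseal and sys/seal-status. Unseal keys are read from a no-echo prompt, never from argv, matching the note about shell history. The transport is injectable, and the FakeVault class is a constructed offline stand-in so the threshold logic can be exercised without a server:

```python
import json
import os
import urllib.request
from getpass import getpass
from typing import Any, Callable, Dict

# Assumption: same address as the guide; override with VAULT_ADDR.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://192.168.0.100:8200")

# A transport takes (method, url, json body) and returns the decoded reply.
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


def http_json(method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: send a JSON request to Vault and decode the reply."""
    data = json.dumps(body).encode() if body else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def init_vault(shares: int, threshold: int, addr: str = VAULT_ADDR,
               transport: Transport = http_json) -> Dict[str, Any]:
    """Equivalent of `vault operator init -key-shares=N -key-threshold=T`.
    The reply carries 'keys', 'keys_base64' and 'root_token'."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    return transport("PUT", f"{addr}/v1/sys/init",
                     {"secret_shares": shares, "secret_threshold": threshold})


def unseal_with_key(key: str, addr: str = VAULT_ADDR,
                    transport: Transport = http_json) -> Dict[str, Any]:
    """One `vault operator unseal` step. The reply carries 'sealed',
    'progress' (keys accepted so far) and 't' (the threshold)."""
    return transport("PUT", f"{addr}/v1/sys/unseal", {"key": key})


def unseal_interactive(addr: str = VAULT_ADDR, transport: Transport = http_json,
                       prompt: Callable[[str], str] = getpass) -> Dict[str, Any]:
    """Prompt for unseal keys until the server reports sealed=false.
    Keys come from a no-echo prompt so they never reach shell history."""
    status = transport("GET", f"{addr}/v1/sys/seal-status", {})
    while status.get("sealed", True):
        key = prompt(f"Unseal key ({status.get('progress', 0)}/{status.get('t', '?')}): ")
        status = unseal_with_key(key.strip(), addr, transport)
    return status


class FakeVault:
    """Constructed offline stand-in for the three endpoints above. It accepts
    any 'threshold' distinct keys out of the 'shares' it handed out; it does
    no real Shamir splitting and exists only to exercise the client logic."""

    def __init__(self) -> None:
        self.keys: list = []
        self.threshold = 0
        self.seen: set = set()

    def __call__(self, method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        path = url.split("/v1/", 1)[1]
        if path == "sys/init":
            self.threshold = body["secret_threshold"]
            self.keys = [f"constructed-key-{i}" for i in range(body["secret_shares"])]
            return {"keys": self.keys, "keys_base64": self.keys,
                    "root_token": "hvs.constructed-root-token"}
        if path == "sys/unseal":
            if body["key"] not in self.keys:
                raise ValueError("invalid unseal key")
            self.seen.add(body["key"])
        if path in ("sys/unseal", "sys/seal-status"):
            done = len(self.seen) >= self.threshold
            # Like Vault, progress resets to 0 once the seal is open.
            return {"sealed": not done, "t": self.threshold,
                    "n": len(self.keys), "progress": 0 if done else len(self.seen)}
        raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    # Against a live server, drop transport= to use http_json instead.
    fake = FakeVault()
    keys = init_vault(6, 3, transport=fake)["keys"]
    pending = iter(keys)
    print(unseal_interactive(transport=fake, prompt=lambda _: next(pending)))
```

Against a real server only the three API functions are used; keep the `keys` returned by `init_vault` in the same place you would keep the CLI output, and never log them.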

Example Usage

There are many secrets engines you can use: vaultproject.io/docs/secrets/

In this example, I will use the KV engine, as it is the most basic one.

Enable the KV (Key/Value) engine (vaultproject.io/docs/secrets/kv):

vault secrets enable -version=1 -path=secret kv

Create our first secret:

vault kv put secret/my-vault/password password=123456

List our secrets:

vault kv list secret/
vault kv list secret/my-vault/

Read the secret (table format by default):

vault kv get secret/my-vault/password
====== Data ======
Key         Value
---         -----
password    123456

Read the secret in JSON format:

vault kv get --format=json secret/my-vault/password
{
  "request_id": "31915c6c-2f8f-f7c4-146c-3dc81e80033c",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "password": "123456"
  },
  "warnings": null
}

Read only the password value in the secret:

vault kv get -field=password secret/my-vault/password
123456

Create a secret holding multiple key/value pairs:

vault kv put secret/nextcloud/db db_name=nextcloud username=nextcloud_user password=secret

Read the secret in JSON:

vault kv get --format=json secret/nextcloud/db
{
  "request_id": "db9604e4-f2eb-a529-c7f3-448b2846f565",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "db_name": "nextcloud",
    "password": "secret",
    "username": "nextcloud_user"
  },
  "warnings": null
}

Read only the username field:

vault kv get -field=username secret/nextcloud/db
nextcloud_user
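Reading a secret from your own code, as the guide's closing paragraph suggests, works the same way as the `vault kv get` calls above. The following added example is not from this guide or from the Vault project: it reads a KV v1 secret through the HTTP API (a GET on /v1/<mount>/<path> with the X-Vault-Token header), takes the address and token from the environment rather than from argv, and extracts one field the way -field=NAME does. The sample reply embedded at the bottom is constructed from the JSON output shown for secret/nextcloud/db, so the parsing can be exercised offline; the mount name secret and the path are the guide's own.

```python
import json
import os
import sys
import urllib.request
from typing import Any, Dict, Optional


def kv1_read_url(addr: str, mount: str, path: str) -> str:
    """KV v1 reads are a GET on /v1/<mount>/<path>."""
    return f"{addr.rstrip('/')}/v1/{mount.strip('/')}/{path.strip('/')}"


def parse_kv1_response(raw: str, field: Optional[str] = None) -> Any:
    """Decode the JSON that `vault kv get --format=json` / the API returns and
    return the 'data' map, or a single field of it (like -field=NAME).
    A missing data block or field is an error rather than an empty value, so
    a typo in a path never silently yields a blank password."""
    doc = json.loads(raw)
    data = doc.get("data")
    if not isinstance(data, dict):
        raise LookupError("response carries no data block (wrong path or mount?)")
    if doc.get("warnings"):
        # Vault warns here e.g. when a KV v2 mount is read with v1 syntax.
        print("vault warnings:", "; ".join(doc["warnings"]), file=sys.stderr)
    if field is None:
        return data
    if field not in data:
        raise KeyError(f"field {field!r} not in secret; available: {sorted(data)}")
    return data[field]


def read_secret(mount: str, path: str, field: Optional[str] = None,
                addr: Optional[str] = None, token: Optional[str] = None) -> Any:
    """Fetch <mount>/<path> from a live server. Address defaults to the
    guide's VAULT_ADDR (assumption); the token is the one from `vault login`."""
    addr = addr or os.environ.get("VAULT_ADDR", "http://192.168.0.100:8200")
    token = token or os.environ.get("VAULT_TOKEN")
    if not token:
        raise RuntimeError("set VAULT_TOKEN (the token you got from `vault login`)")
    req = urllib.request.Request(kv1_read_url(addr, mount, path),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_kv1_response(resp.read().decode(), field)


# Constructed sample: the reply the guide shows for secret/nextcloud/db.
SAMPLE_RESPONSE = json.dumps({
    "request_id": "db9604e4-f2eb-a529-c7f3-448b2846f565",
    "lease_id": "",
    "lease_duration": 2764800,
    "renewable": False,
    "data": {"db_name": "nextcloud", "password": "secret", "username": "nextcloud_user"},
    "warnings": None,
})


if __name__ == "__main__":
    # Offline run on the constructed sample; with VAULT_TOKEN set,
    # read_secret("secret", "nextcloud/db", "username") does the same live.
    print(parse_kv1_response(SAMPLE_RESPONSE, "username"))
```

The script prints only the field it was asked for and sends warnings to stderr, so wiring it into a shell pipeline (for example to fill a database connection string) does not leak the other values of the secret into logs.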

Delete our secret:

vault kv delete secret/nextcloud/db

To enable audit logging to a file (this is what the logs volume is for):

vault audit enable file file_path=/vault/logs/vault_audit.log

To disable the audit log again:

vault audit disable file

Vault is pretty fun and has a ton of different uses: from your bash scripts, in your code, in your CI/CD pipeline, SSH OTP, dynamic secrets, cloud provider authentication… have fun!

Cheers!