Updated README to include detailed autounseal configuration description.

2026-02-02 21:16:02 +01:00
parent 4c489a05f5
commit bdddad694b
2 changed files with 69 additions and 10 deletions
--- a/README.md
+++ b/README.md
@@ -95,18 +95,16 @@ The default Vault unseal method uses Shamir's Secret Sharing, which requires man
 4. Apply the policy:

    ```shell
-    vault policy write transit-unseal-policy transit-unseal-policy.hcl
+    vault policy write transit-unseal transit_unseal_policy.hcl
    ```

 5. Create a token with the policy attached:

    ```shell
-    vault token create -policy="transit-unseal-policy"
+    vault token create -orphan -policy="transit-unseal" -wrap-ttl=120 -period=24h -field=wrapping_token > wrapping-token.txt
    ```

-    Save the generated token for later use.
-
-6. Verify connectivity from the main Vault to the KMS Vault.
+6. Copy the `wrapping-token.txt` file securely to the main Vault server. It can be copied using `scp` or any other secure method.

 7. Store the KMS Vault unseal key and root token securely. Make an offline backup of the KMS Vault.

@@ -156,16 +154,57 @@ Depending on main Vault state (new or existing), some of the following steps are

 1. If the main Vault is already initialized, shut it down and back up its data directory and configuration file.

-2. Update the main Vault configuration file (usually located at `/etc/vault.d/vault.hcl`) to include the Auto Unseal configuration:
+2. Verify connectivity from the main Vault to the KMS Vault.
+
+    ```shell
+    VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault status
+    ```
+
+    or
+
+    ```shell
+    curl -s https://kms.koszewscy.waw.pl:8200/v1/sys/seal-status | jq .
+    ```
+
+
+3. Update the main Vault configuration file (usually located at `/etc/vault.d/vault.hcl`) to include the Auto Unseal configuration:

    ```hcl
+    ui = true
+
+    storage "file" {
+      path = "/opt/vault/data"
+    }
+
+    # HTTP listener
+    listener "tcp" {
+      address = "127.0.0.1:8200"
+      tls_disable = "true"
+    }
+
+    # HTTPS listener
+    listener "tcp" {
+      address       = "192.168.2.10:443"
+      tls_cert_file = "/opt/vault/tls/tls.crt"
+      tls_key_file  = "/opt/vault/tls/tls.key"
+    }
+
    seal "transit" {
-      address            = "https://pbs.koszewscy.waw.pl:8200"
-      key_name           = "transit-unseal"
-      mount_path        = "transit/"
+      address         = "https://kms.koszewscy.waw.pl:8200"
+      disable_renewal = "false"
+      key_name        = "unseal-key"
+      mount_path      = "transit/"
    }
    ```
-3. Put the KMS Vault token created earlier into the environment file `/etc/vault.d/vault.env`:
+
+
+4. Unwrap the token to get the KMS Vault token:
+
+    ```shell
+    VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault unwrap -field=token $(cat wrapping-token.txt) > kms-vault-token.txt
+    ```
+
+5. Put the unwrapped KMS Vault token into the environment file `/etc/vault.d/vault.env`:

    ```shell
    VAULT_TOKEN="s.xxxxxxx"
@@ -178,6 +217,17 @@ Depending on main Vault state (new or existing), some of the following steps are
    EnvironmentFile=/etc/vault.d/vault.env
    ```

+5. Add systemd override `/etc/systemd/system/vault.service.d/override.conf` if not already present:
+
+    ```ini
+    [Service]
+    AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
+    CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
+    NoNewPrivileges=yes
+    ```
+
+    That will allow the vault process to bind to low-numbered ports (443) and lock memory.
+
 5. If the main Vault was already initialized, start it and unseal with `-migrate` parameter.

    ```shell
@@ -189,6 +239,8 @@ Depending on main Vault state (new or existing), some of the following steps are

 7. Uninitialized main Vault will automatically encrypt the root key with the transit key from the KMS Vault during initialization and present recovery keys for Shamir's Secret Sharing.

+If for any reason the Auto Unseal method fails, you can always unseal the main Vault using the recovery keys provided during initialization. If the token expires, generate a new one using the KMS Vault, and transfer it to the main Vault as described above.
+
 ## Offline Backup

 Vault installs the following directories:
--- a/policies/transit_unseal_policy.hcl
+++ b/policies/transit_unseal_policy.hcl
@@ -0,0 +1,7 @@
+path "transit/decrypt/unseal-key" {
+  capabilities = ["update"]
+}
+
+path "transit/encrypt/unseal-key" {
+  capabilities = ["update"]
+}