Updated README to include detailed autounseal configuration description.

This commit is contained in:
2026-02-02 21:16:02 +01:00
parent 4c489a05f5
commit bdddad694b
2 changed files with 69 additions and 10 deletions

View File

@@ -95,18 +95,16 @@ The default Vault unseal method uses Shamir's Secret Sharing, which requires man
4. Apply the policy: 4. Apply the policy:
```shell ```shell
vault policy write transit-unseal-policy transit-unseal-policy.hcl vault policy write transit-unseal transit_unseal_policy.hcl
``` ```
5. Create a token with the policy attached: 5. Create a token with the policy attached:
```shell ```shell
vault token create -policy="transit-unseal-policy" vault token create -orphan -policy="transit-unseal" -wrap-ttl=120 -period=24h -field=wrapping_token > wrapping-token.txt
``` ```
Save the generated token for later use. 6. Copy the `wrapping-token.txt` file securely to the main Vault server. It can be copied using `scp` or any other secure method.
6. Verify connectivity from the main Vault to the KMS Vault.
7. Store the KMS Vault unseal key and root token securely. Make an offline backup of the KMS Vault. 7. Store the KMS Vault unseal key and root token securely. Make an offline backup of the KMS Vault.
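Review bot: the `-wrap-ttl=120` on the `vault token create` line in step 5 gives the operator only two minutes to copy `wrapping-token.txt` to the main Vault (step 6) and unwrap it in the next section; either state that deadline in step 6 or raise the TTL to something an `scp` plus login comfortably fits (for example `-wrap-ttl=15m`), since a lapsed wrapping token just yields an unwrap error and the whole token-creation step has to be redone. Separately, `-period=24h` makes the token periodic, so it stays valid only while something renews it within each 24-hour period; the doc should say that the transit seal does this renewal itself (that is what `disable_renewal = "false"` in the seal stanza controls) and that a main Vault stopped for longer than 24 hours needs a fresh token via these steps. `-orphan` is the right choice here, as it keeps the unseal token alive after the operator token used to create it expires.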
@@ -156,16 +154,57 @@ Depending on main Vault state (new or existing), some of the following steps are
1. If the main Vault is already initialized, shut it down and back up its data directory and configuration file. 1. If the main Vault is already initialized, shut it down and back up its data directory and configuration file.
2. Update the main Vault configuration file (usually located at `/etc/vault.d/vault.hcl`) to include the Auto Unseal configuration: 2. Verify connectivity from the main Vault to the KMS Vault.
```shell
VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault status
```
or
```shell
curl -s https://kms.koszewscy.waw.pl:8200/v1/sys/seal-status | jq .
```
3. Update the main Vault configuration file (usually located at `/etc/vault.d/vault.hcl`) to include the Auto Unseal configuration:
```hcl ```hcl
ui = true
storage "file" {
path = "/opt/vault/data"
}
# HTTP listener
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
# HTTPS listener
listener "tcp" {
address = "192.168.2.10:443"
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
}
seal "transit" { seal "transit" {
address = "https://pbs.koszewscy.waw.pl:8200" address = "https://kms.koszewscy.waw.pl:8200"
key_name = "transit-unseal" disable_renewal = "false"
mount_path = "transit/" key_name = "unseal-key"
mount_path = "transit/"
} }
``` ```
3. Put the KMS Vault token created earlier into the environment file `/etc/vault.d/vault.env`:
4. Unwrap the token to get the KMS Vault token:
```shell
VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault unwrap -field=token $(cat wrapping-token.txt) > kms-vault-token.txt
```
5. Put the unwrapped KMS Vault token into the environment file `/etc/vault.d/vault.env`:
```shell ```shell
VAULT_TOKEN="s.xxxxxxx" VAULT_TOKEN="s.xxxxxxx"
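Review bot: step 4 writes the unwrapped, long-lived KMS token to `kms-vault-token.txt` in plaintext and step 5 then expects it pasted into `/etc/vault.d/vault.env`, but neither step says who may read those files or that the temporary file should be removed. Suggest documenting `chmod 0640` with `vault` group ownership on `vault.env`, writing the unwrap output straight into it (e.g. `echo "VAULT_TOKEN=$(VAULT_ADDR=https://kms.koszewscy.waw.pl:8200 vault unwrap -field=token "$(cat wrapping-token.txt)")" >> /etc/vault.d/vault.env`) and deleting `wrapping-token.txt` afterwards, so the only copy of the token lives in the environment file. Two smaller points on the configuration block: the loopback listener sets `tls_disable = "true"`, which is fine for the local CLI but worth a comment so nobody exposes it beyond `127.0.0.1`; and `disable_renewal = "false"` is the default, so it is harmless but could be dropped or commented as "keep renewing the periodic token".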
@@ -178,6 +217,17 @@ Depending on main Vault state (new or existing), some of the following steps are
EnvironmentFile=/etc/vault.d/vault.env EnvironmentFile=/etc/vault.d/vault.env
``` ```
5. Add systemd override `/etc/systemd/system/vault.service.d/override.conf` if not already present:
```ini
[Service]
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
```
That will allow the vault process to bind to low-numbered ports (443) and lock memory.
5. If the main Vault was already initialized, start it and unseal with `-migrate` parameter. 5. If the main Vault was already initialized, start it and unseal with `-migrate` parameter.
```shell ```shell
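Review bot: the new step that adds `/etc/systemd/system/vault.service.d/override.conf` is missing a `systemctl daemon-reload` before the service is (re)started, so the capabilities in the override would not take effect on the first start; add that command to the step. The step is also numbered 5 while the existing "If the main Vault was already initialized" step that follows is still 5 (after the earlier hunk renumbered the preceding steps to 2 through 5), so the list now reads 5, 5, 6, 7; renumber the remainder. Lastly, `CapabilityBoundingSet` lists `CAP_SYSLOG` although it is not in `AmbientCapabilities` and the explanatory sentence only mentions binding to port 443 and locking memory; either explain why the bounding set needs it or drop it to keep the unit at the minimum capability set.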
@@ -189,6 +239,8 @@ Depending on main Vault state (new or existing), some of the following steps are
7. Uninitialized main Vault will automatically encrypt the root key with the transit key from the KMS Vault during initialization and present recovery keys for Shamir's Secret Sharing. 7. Uninitialized main Vault will automatically encrypt the root key with the transit key from the KMS Vault during initialization and present recovery keys for Shamir's Secret Sharing.
If for any reason the Auto Unseal method fails, you can always unseal the main Vault using the recovery keys provided during initialization. If the token expires, generate a new one using the KMS Vault, and transfer it to the main Vault as described above.
## Offline Backup ## Offline Backup
Vault installs the following directories: Vault installs the following directories:
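Review bot: the sentence added after step 7 is misleading: once the seal is `transit`, the recovery keys cannot be used to unseal the main Vault, because the root key is encrypted with the KMS Vault's transit key and only the KMS Vault (reachable, with a valid token) can decrypt it; recovery keys serve rekeying, generate-root and seal migration, and even the migration back to Shamir needs the old transit seal reachable to decrypt the root key. Suggest rewording to state that if the KMS Vault is down the fix is to restore it from the offline backup made in step 7 of the KMS section, and that if only the token has expired a new one is generated and transferred as described above (the second sentence is correct as written).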

View File

@@ -0,0 +1,7 @@
path "transit/decrypt/unseal-key" {
capabilities = ["update"]
}
path "transit/encrypt/unseal-key" {
capabilities = ["update"]
}
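Review bot: the policy grants exactly `update` on `transit/encrypt/unseal-key` and `transit/decrypt/unseal-key`, which matches `key_name = "unseal-key"` and `mount_path = "transit/"` in the seal stanza and is the least-privilege set the transit seal needs; good. Two things to check: the file should be saved under the name step 4 now uses, `transit_unseal_policy.hcl`, and since the old step referred to `transit-unseal-policy.hcl`, make sure no stale copy with the previous key name remains in the repository.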