Playground: https://demo.vaultproject.io/ui
admin/password
https://demo.vaultproject.io/ui/vault/secrets
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:c9:c7:04 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
valid_lft 85737sec preferred_lft 85737sec
inet6 fe80::5054:ff:fec9:c704/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:e6:e0:16 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fee6:e016/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]# yum install unzip wget vim -y
[root@localhost ~]# wget https://releases.hashicorp.com/vault/0.11.3/vault_0.11.3_linux_amd64.zip
–2018-10-11 13:54:27– https://releases.hashicorp.com/vault/0.11.3/vault_0.11.3_linux_amd64.zip
Resolving releases.hashicorp.com (releases.hashicorp.com)… 151.101.9.183, 2a04:4e42:1d::439
Connecting to releases.hashicorp.com (releases.hashicorp.com)|151.101.9.183|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 33213330 (32M) [application/zip]
Saving to: ‘vault_0.11.3_linux_amd64.zip’
100%[============================================================================================================================================>] 33,213,330 5.17MB/s in 6.6s
2018-10-11 13:54:36 (4.81 MB/s) – ‘vault_0.11.3_linux_amd64.zip’ saved [33213330/33213330]
[root@localhost ~]# unzip
unzip unzipsfx
[root@localhost ~]# unzip vault_0.11.3_linux_amd64.zip
Archive: vault_0.11.3_linux_amd64.zip
inflating: vault
[root@localhost ~]# cp vault /usr/bin/
[root@localhost ~]# mkdir /etc/vault
[root@localhost ~]# mkdir /vault-data
[root@localhost ~]# mkdir -p /logs/vault/
[root@localhost ~]# vim /etc/vault/config.json
{
“listener”: [{
“tcp”: {
“address” : “0.0.0.0:8200”,
“tls_disable” : 1
}
}],
“api_addr”: “http://192.168.1.2:8200″,
“storage”: {
“file”: {
“path” : “/vault-data”
}
},
“max_lease_ttl”: “5h”,
“default_lease_ttl”: “5h”,
“ui”:true
}
[root@localhost ~]# vim /etc/systemd/system/vault.service
[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.json
[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/bin/vault server -config=/etc/vault/config.json
StandardOutput=/logs/vault/output.log
StandardError=/logs/vault/error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
[Install]
WantedBy=multi-user.target
[root@localhost ~]# systemctl enable vault.service
Created symlink from /etc/systemd/system/multi-user.target.wants/vault.service to /etc/systemd/system/vault.service.
[root@localhost ~]# systemctl status vault.service
● vault.service – vault service
Loaded: loaded (/etc/systemd/system/vault.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Oct 11 14:05:44 localhost.localdomain systemd[1]: [/etc/systemd/system/vault.service:12] Failed to parse output specifier, ignoring: /logs/vault/output.log
Oct 11 14:05:44 localhost.localdomain systemd[1]: [/etc/systemd/system/vault.service:13] Failed to parse output specifier, ignoring: /logs/vault/error.log
[root@localhost ~]# systemctl start vault.service
[root@localhost ~]# systemctl status vault.service
● vault.service – vault service
Loaded: loaded (/etc/systemd/system/vault.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2018-10-11 14:05:51 UTC; 1s ago
Main PID: 1384 (vault)
CGroup: /system.slice/vault.service
└─1384 /usr/bin/vault server -config=/etc/vault/config.json
Oct 11 14:05:53 localhost.localdomain vault[1384]: Api Address: http://192.168.1.2:8200
Oct 11 14:05:53 localhost.localdomain vault[1384]: Cgo: disabled
Oct 11 14:05:53 localhost.localdomain vault[1384]: Cluster Address: https://192.168.1.2:8201
Oct 11 14:05:53 localhost.localdomain vault[1384]: Listener 1: tcp (addr: “0.0.0.0:8200”, cluster address: “0.0.0.0:8201”, max_request_duration: “1m30s”, max_request_si…”disabled”)
Oct 11 14:05:53 localhost.localdomain vault[1384]: Log Level: (not set)
Oct 11 14:05:53 localhost.localdomain vault[1384]: Mlock: supported: true, enabled: true
Oct 11 14:05:53 localhost.localdomain vault[1384]: Storage: file
Oct 11 14:05:53 localhost.localdomain vault[1384]: Version: Vault v0.11.3
Oct 11 14:05:53 localhost.localdomain vault[1384]: Version Sha: fb601237bfbe4bc16ff679f642248ee8a86e627b
Oct 11 14:05:53 localhost.localdomain vault[1384]: ==> Vault server started! Log data will stream in below:
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# export VAULT_ADDR=http://192.168.1.2:8200
[root@localhost ~]# echo “export VAULT_ADDR=http://192.168.1.2:8200” >> ~/.bashrc
[root@localhost ~]# vault
Usage: vault <command> [args]
Common commands:
read Read data and retrieves secrets
write Write data, configuration, and secrets
delete Delete secrets and configuration
list List data or secrets
login Authenticate locally
agent Start a Vault agent
server Start a Vault server
status Print seal and HA status
unwrap Unwrap a wrapped secret
Other commands:
audit Interact with audit devices
auth Interact with auth methods
kv Interact with Vault’s Key-Value storage
lease Interact with leases
namespace Interact with namespaces
operator Perform operator-specific tasks
path-help Retrieve API help for paths
plugin Interact with Vault plugins and catalog
policy Interact with policies
secrets Interact with secrets engines
ssh Initiate an SSH session
token Interact with tokens
[root@localhost ~]# vault status
Key Value
— —–
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version n/a
HA Enabled false
[root@localhost ~]# vault operator init > /etc/vault/init.file
[root@localhost ~]# vault operator init > /etc/vault/init.file
[root@localhost ~]# cat /etc/vault/init.file
Unseal Key 1: GPt2duNKv5F+gr9WFKZ8fsWZmyIAlK6l8ZiKq3lFCKVS
Unseal Key 2: qjt2/Uh9XFv4mFd1KHcB6WPDAh8TB7UbCAwKlFpTmCmr
Unseal Key 3: ZrGddPFfKBj+usqr+ENz3ARXuT13Ow6ay+xTVia9xQKN
Unseal Key 4: blYs3qSqW3igSLF3c2L4rdhPpz8woP+DlYBGIgCsHTHw
Unseal Key 5: 1mUcdROe2xXTfi8MQ4p/7pU7ciyxCtdsnnagdD8Nukth
Initial Root Token: 2oPbVnXJ0tEDho3ekNK8d2ZB
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See “vault operator rekey” for more information.

[root@localhost ~]# vault status
Key Value
— —–
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 0/3
Unseal Nonce n/a
Version 0.11.3
HA Enabled false
[root@localhost ~]# vault operator unseal GPt2duNKv5F+gr9WFKZ8fsWZmyIAlK6l8ZiKq3lFCKVS
Key Value
— —–
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce 7586585d-deb9-d708-97e2-080e9a3d3745
Version 0.11.3
HA Enabled false
http://192.168.1.2:8200/ui/vault/unseal
image vault-1
[root@localhost ~]# vault operator unseal qjt2/Uh9XFv4mFd1KHcB6WPDAh8TB7UbCAwKlFpTmCmr
Key Value
— —–
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce 7586585d-deb9-d708-97e2-080e9a3d3745
Version 0.11.3
HA Enabled false
[root@localhost ~]# vault operator unseal ZrGddPFfKBj+usqr+ENz3ARXuT13Ow6ay+xTVia9xQKN
Key Value
— —–
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 0.11.3
Cluster Name vault-cluster-28a6cb7d
Cluster ID 659bdbfb-6fd8-89c0-a933-75ce615a0ef0
HA Enabled false

[root@localhost ~]# grep Token /etc/vault/init.file
Initial Root Token: 2oPbVnXJ0tEDho3ekNK8d2ZB




http://192.168.1.2:8200/ui/vault/settings/mount-secret-backend
http://192.168.1.2:8200/ui/vault/settings/auth/enable

When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it.
Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
Prior to unsealing, almost no operations are possible with Vault. For example authentication, managing the mount tables, etc. are all not possible. The only possible operations are to unseal the Vault and check the status of the unseal
https://www.vaultproject.io/docs/concepts/seal.html
.
