
Store Passwords Securely with HashiCorp Vault on Ubuntu 20.04

It is not always possible to remember every secret key, passphrase, and token, and managing and maintaining secrets can be a challenging task. We need somewhere to store such secrets so that we can use them when needed. HashiCorp Vault is one solution: it stores secrets and protects them. In this article, we will learn how to install HashiCorp Vault on Ubuntu 20.04.

Prerequisites

  • Freshly installed Ubuntu system
  • User account with root privileges
  • Internet connection to download packages

Update the server

Before starting the setup, make sure that your Ubuntu server is up to date. Run the following command to update the package index and upgrade the installed packages.

$ sudo apt-get update && sudo apt-get upgrade -y

Download the latest version of Vault

The latest version of Vault is available on the HashiCorp Vault download page. Go to https://www.vaultproject.io/downloads and look for “Latest Downloads” at the bottom of the page. Find the download package for Linux and copy the download link.

Once the link is copied, the application can be downloaded using the wget command.

$ wget https://releases.hashicorp.com/vault/1.8.2/vault_1.8.2_linux_amd64.zip
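
The steps that follow install the downloaded binary into /usr/bin without checking it. As an added example (not part of the original article), the function below checks an archive against a SHA256SUMS file before extraction. It assumes the release's checksum file, vault_1.8.2_SHA256SUMS from the same releases.hashicorp.com directory, has been downloaded next to the archive; verify_release is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# verify_release ARCHIVE SUMS_FILE
#   0 = digest listed in SUMS_FILE matches ARCHIVE
#   1 = digest mismatch (do not unzip or install)
#   2 = archive or sums file missing, or SUMS_FILE has no entry for ARCHIVE
verify_release() {
    local archive=$1 sums=$2 name expected actual
    [ -f "$archive" ] && [ -f "$sums" ] || return 2
    name=$(basename "$archive")
    # SHA256SUMS format: "<64 hex digits>  <file name>", one release file per line.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 1
}

# Stand-alone use (file names as in the article's wget step):
#   ./verify.sh vault_1.8.2_linux_amd64.zip vault_1.8.2_SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" || { rc=$?; echo "verification failed ($rc): $1" >&2; exit "$rc"; }
    echo "OK: $1"
fi
```

A checksum fetched from the same server only detects corruption or a swapped archive; HashiCorp also publishes a GPG signature over the SHA256SUMS file, which can be checked with gpg --verify.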

Extract the file

Once the download is complete, extract the archive and move the vault binary to the /usr/bin directory.

$ unzip vault_1.8.2_linux_amd64.zip
$ sudo mv vault /usr/bin

Run the vault command with no arguments to display the common Vault commands.

$ vault

Create a vault configuration file

Create directories to store the Vault data and configuration files. In this article, we will store configuration files under the directory /etc/vault and Vault data under the directory /var/lib/vault/data.

$ sudo mkdir /etc/vault
$ sudo mkdir -p /var/lib/vault/data

Now create a HashiCorp Vault configuration file in the /etc/vault directory.

$ sudo vi /etc/vault/config.hcl

Paste the following contents and save.

disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
storage "file" {
  path = "/var/lib/vault/data"
}
api_addr = "http://0.0.0.0:8200"
max_lease_ttl = "8h"
default_lease_ttl = "8h"
cluster_name = "vault"
raw_storage_endpoint = true
disable_sealwrap = true
disable_printable_check = true
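
Several settings in this configuration trade security for convenience: the listener serves plain HTTP on every interface, the sys/raw endpoint is enabled, and memory locking is off. As an added example (not part of the original article, and not a HashiCorp tool), this script flags those settings in a config file; audit_vault_config and its finding IDs are hypothetical names, and the matching is line-based rather than a full HCL parser.

```shell
#!/usr/bin/env bash
# setting_is FILE KEY VALUE_REGEX: true if an uncommented "KEY = VALUE" line matches.
setting_is() {
    grep -Ev '^[[:space:]]*(#|//)' "$1" |
        grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3"
}

# audit_vault_config FILE: prints one finding per line; returns 1 if any, 2 if unreadable.
audit_vault_config() {
    local cfg=$1 rc=0 on='"?(1|true)"?'
    [ -r "$cfg" ] || return 2
    if setting_is "$cfg" tls_disable "$on"; then
        echo "TLS_DISABLED: tokens and secrets travel in cleartext; configure tls_cert_file and tls_key_file"
        rc=1
    fi
    if setting_is "$cfg" address '"0\.0\.0\.0:'; then
        echo "BIND_ALL: listener accepts connections on every interface; bind a specific address or firewall the port"
        rc=1
    fi
    if setting_is "$cfg" raw_storage_endpoint "$on"; then
        echo "RAW_ENDPOINT: sys/raw gives privileged tokens direct access to storage; remove unless needed"
        rc=1
    fi
    if setting_is "$cfg" disable_mlock "$on"; then
        echo "MLOCK_OFF: process memory may be swapped to disk; make sure swap is disabled or encrypted"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: the security-relevant lines of the article's config.hcl.
write_sample_config() {
    cat > "$1" <<'EOF'
disable_mlock = true
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
raw_storage_endpoint = true
EOF
}

# Stand-alone use: ./audit.sh /etc/vault/config.hcl (non-zero exit if anything is flagged)
if [ "$#" -gt 0 ]; then
    audit_vault_config "$1"
fi
```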

Configure vault to run as service

We need to create a vault service file to run the vault application as a service. Go to the directory /etc/systemd/system/ and create a service file with the following contents.

$ sudo vi /etc/systemd/system/vault.service

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl

[Service]
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=6553

[Install]
WantedBy=multi-user.target

Save the file and exit.

Enable and start vault service

Run the following commands to start the Vault service and enable it at boot.

$ sudo systemctl daemon-reload
$ sudo systemctl start vault
$ sudo systemctl enable vault

To check the vault service status, run the following command.

$ sudo systemctl status vault

Access vault UI using browser

We have installed and configured Vault. Now you can access the Vault UI using the following URL.

http://your_server_ip:8200

You can initialize and use the vault as your password manager.

Conclusion

In this article, we learned how to install and configure HashiCorp Vault on an Ubuntu system to store secret tokens, passwords, and certificates.

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn
