TLDR: This was a pretty simple setup and they have good documentation. I messed up by not paying attention to variables and such.

I guess you're wondering why I tried this? Vault is something that I've been hearing about a lot more when doing my devops work and I can't say I understand it. Per usual I like knowing more about software and things that I use in my work. I was talking to my friend @[estplo.it](https://twitter.com/etsploit?s=21&t=nTXXt_OwVbqGvbTI_VFx0A) and he asked if I would stream my "setup and testing". The livestream is [here](https://youtu.be/GP3y2zNuZ4E), but I ended up stopping early not knowing what my problem was or how long I'd spin my wheels. I'm going to write up how you too can run Vault from a server, connect from your local machine, talk about where I went wrong, and what I learned.

![](content/images/2022/05/Screen-Shot-2022-05-20-at-18.59.44.png)

Setup Instructions
------------------

1. Set up an Ubuntu server that is 1GB/ 250 MB
2. Update your server
3. Run the commands you find [here](https://learn.hashicorp.com/tutorials/vault/getting-started-install?in=vault/getting-started). If you can successfully run `vault` I'm going to start deviating to my instructions.
4. Go back to where your server is and update your firewall. For ingress you should have the following ports: 22, 80, 443, and 8200
5. Log back into your server and run `mkdir -p ./vault/data`
6. Create a `config.hcl` file with the detail from the next section
7. Run `vault server -config=config.hcl`
8. Close your terminal to your server (don't cmd-c the vault server)
9. On your local machine install vault using the instructions here
10. Run `vault status`
11. Run `export VAULT_ADDR=http://<server-ip>:8200` (the scheme is `http://` because the listener in `config.hcl` disables TLS)
12. Run `vault operator init`
13. Copy the details to a txt file or your password manager
14. Now run `vault operator unseal` and use one of the unseal keys
15. Run **step 14** 2 more times, but use different unseal keys
16. Run `vault status` again and verify `sealed = false`
17. Run `vault login` and insert your token. Also run `export VAULT_TOKEN=<token>`
18. Celebrate! You're done and now shouldn't have any of my errors connecting to your Vault instance.

Config.HCL {#confighcl}
----------

```hcl
# Integrated (raft) storage, kept in the directory created in step 5
storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "<server-ip>:8200"
  # TLS is off, so tokens and unseal keys cross the network in cleartext
  tls_disable = "true"
}

disable_mlock = true

api_addr     = "http://<server-ip>:8200"
cluster_addr = "https://<server-ip>:8201"
ui           = true
```

![](Screen-Shot-2022-05-20-at-19.06.14.png)

What I learned
--------------

So I made a lot of simple mistakes here and 99% of it was just me not reading. So here are things I think are important to highlight if you're looking to get started.

1. Double check your token value

   When I couldn't get things working I should have known a 403 was an auth error. I was so into thinking I did my firewall setup wrong that I didn't really think about anything else. My API calls didn't work because I was using the wrong token.

2. Keep the UI to true

   The UI really saved me. Once I was like "let me see if it works" then everything really clicked for me. I literally thought "fam, you're dumb, you never changed your key from the first time". So when in doubt, check the UI.

3. Write policies from the UI

   Off stream I was trying to write a policy and I didn't like the command line way (because I'm me). I think it's easier to write your policies from the UI. A lot of times GUIs reduce stress and I think most sys admin folks forget about that.

4. After setup really study the setup

   I do a thing where I reflect on how the setup process went, what I think of the default things, and what I think I need to do security wise to make things stronger. I think this would be good for everyone to do. Vault is a common industry secrets manager. Whether you are using this personally or on your team I think this experience reflection helps you be objective long term.

### Will I keep using it?

I think for me personally, Vault is a bit much. I'm not running anything big that would require its use, but I understand its use for teams/big orgs. I think secret management is so key for every org from a security perspective that you should also give Vault a try and then let me know what you think. 😁
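
The 403 lesson from "What I learned", as an added example that is not part of the original post: a shell preflight that tells apart a network or firewall problem, a sealed or uninitialized Vault, and a rejected token. The function names are made up for this example; the two paths are Vault's `sys/health` and `auth/token/lookup-self` HTTP API endpoints.

```shell
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# Pure decision logic. Arguments: curl exit code, HTTP status of
# /v1/sys/health, HTTP status of /v1/auth/token/lookup-self.
diagnose() {
  local curl_rc=$1 health=$2 token=$3
  case "$curl_rc" in
    0)  ;;
    6)  echo "dns: hostname in VAULT_ADDR does not resolve"; return ;;
    7)  echo "network: connection refused, is vault listening on that address?"; return ;;
    28) echo "network: timed out, check the firewall rule for port 8200"; return ;;
    *)  echo "network: curl failed with exit code $curl_rc"; return ;;
  esac
  case "$health" in
    200|429|472|473) ;;   # active, standby, DR secondary, perf standby: all unsealed
    501) echo "vault: not initialized, run 'vault operator init'"; return ;;
    503) echo "vault: sealed, run 'vault operator unseal'"; return ;;
    *)   echo "vault: unexpected health status $health"; return ;;
  esac
  case "$token" in
    200) echo "ok: reachable, unsealed, token accepted" ;;
    403) echo "auth: token rejected, re-check VAULT_TOKEN" ;;
    *)   echo "auth: unexpected status $token from token lookup" ;;
  esac
}

# VAULT_ADDR must carry a scheme; a bare <server-ip>:8200 does not parse as a URL.
addr_ok() {
  case "$1" in http://?*|https://?*) return 0 ;; *) return 1 ;; esac
}

# Live check: needs curl, plus VAULT_ADDR and VAULT_TOKEN in the environment.
vault_preflight() {
  addr_ok "${VAULT_ADDR:-}" || { echo "config: VAULT_ADDR needs http:// or https://"; return 1; }
  local health token rc
  health=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$VAULT_ADDR/v1/sys/health")
  rc=$?
  token=000
  if [ "$rc" -eq 0 ]; then
    token=$(curl -s -o /dev/null -m 5 -w '%{http_code}' \
      -H "X-Vault-Token: ${VAULT_TOKEN:-}" "$VAULT_ADDR/v1/auth/token/lookup-self")
  fi
  diagnose "$rc" "$health" "$token"
}
```

Source the file and run `vault_preflight` from the machine where the `vault` commands fail; a firewall mistake shows up as a `network:` line, a wrong token as an `auth:` line.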