Install Hashicorp Vault on Unraid
This is a guide about how to install Hashicorp Vault on Unraid.
Manage secrets and protect sensitive data. Create and secure access to tokens, passwords, certificates, and encryption keys.
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
Here is a video about this post.
This image is an official one, I do not manage it, though, I will do my best to support it at this link : https://forums.unraid.net/topic/125455-support-vault/
The app is going to install HashiCorp Vault with a file backend (default), you can change this backend if you want to, with other parameters in VAULT_LOCAL_CONFIG variable :
NOTE: At startup, the container will read configuration HCL and JSON files from /vault/config (any information passed into VAULT_LOCAL_CONFIG is written into local.json in this directory and read as part of reading the directory for configuration files).
Please see Vault’s configuration documentation for a full list of options.
{"backend": {"file": {"path": "/vault/file"}},"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}, "ui": true}
Port
Vault is using port 8200 (default).
Volumes
We have two volumes in your installation :
- file: mandatory as you want the secrets to persist on your disks.
- logs: only if you want to audit logs. (commands in General usage section)
Setup
You can set up Vault from the WebUI, but I will go with the CLI.
After launching the app, install vault in your OS as a client : www.vaultproject.io/downloads
Set VAULT_ADDR to your Unraid server IP.
export VAULT_ADDR='http://192.168.0.100:8200'
Create key shares and set a threshold about how many keys you need to unseal Vault.
export VAULT_ADDR='http://192.168.0.100:8200'
e.g output (Keep these keys and Root token safe and do not share them!):
Unseal Key 1: xDElr...IofCZFSvPe
Unseal Key 2: 2TQgn...vyQ7fSdSWR
Unseal Key 3: JALI...EpHFSw7SsI
Unseal Key 4: knzg...xEFwfwWSbKQ
Unseal Key 5: bJJmA...DSwfsddOTc
Unseal Key 6: xft8...aTdVSTYZg5
Initial Root Token: hvs.tnhE...y8NkA
Run unseal command 3 times with different keys every time (depending of your threshold number):
NOTE : best practice would be to not write the key directly, and only type “vault operator unseal”, so the keys is not in your cli history.
vault operator unseal xDElr...IofCZFSvPe
vault operator unseal 2TQgn...vyQ7fSdSWR
vault operator unseal knzg...xEFwfwWSbKQ
After 3 times running this command, you should see Sealed false
Now Vault is unsealed, you can login to vault :
NOTE : best practice would be to not write the token directly, and only type “vault login”, so the token is not in your cli history.
vault login hvs.tnhE...y8NkA
Example Usage
There are many secret engines you can use : vaultproject.io/docs/secrets/
In this example, I will use the KV Engine as it’s the most basic one.
Enable the KV (Key Value) Engine vaultproject.io/docs/secrets/kv :
vault secrets enable -version=1 -path=secret kv
Create our first secret :
vault kv put secret/my-vault/password password=123456
List our secret :
vault kv list secret/
vault kv list secret/my-vault/
Read the secret (defaults in table format):
vault kv get secret/my-vault/password
====== Data ======
Key Value
--- -----
password 123456
Read the secret in json format:
vault kv get --format=json secret/my-vault/password
{
"request_id": "31915c6c-2f8f-f7c4-146c-3dc81e80033c",
"lease_id": "",
"lease_duration": 2764800,
"renewable": false,
"data": {
"password": "123456"
},
"warnings": null
}
Read only the password value in the secret:
vault kv get -field=password secret/my-vault/password
123456
Create a key with multiple secrets :
vault kv put secret/nextcloud/db db_name=nextcloud username=nextcloud_user password=secret
Read secrets in json :
vault kv get --format=json secret/nextcloud/db
{
"request_id": "db9604e4-f2eb-a529-c7f3-448b2846f565",
"lease_id": "",
"lease_duration": 2764800,
"renewable": false,
"data": {
"db_name": "nextcloud",
"password": "secret",
"username": "nextcloud_user"
},
"warnings": null
}
Only read username field :
vault kv get -field=username secret/nextcloud/db
nextcloud_user
Delete our secrets :
vault kv delete secret/nextcloud/db
If you want to activate the audit logs :
vault audit enable file file_path=/vault/logs/vault_audit.log
If you want to disable the audit logs :
vault audit disable file
Vault is pretty fun and there is a ton of different usages, from your bash scripts, in your code, in your CI/CD pipeline, SSH OTP, dynamic secrets, and cloud provider authentication… have fun!
Cheers!