1.yum安装

# Install Vault from HashiCorp's yum repository.
# yum-utils provides the yum-config-manager command used on the next step.
yum install -y yum-utils

# The repo definition is fetched over HTTPS. Package signature checking is
# governed by that file once installed — confirm gpgcheck=1 is set there
# before relying on the packages it delivers.
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo

yum -y install vault

2.修改配置文档:

[root@es-sky-131 tls]# cat /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
#
# Single-node layout: file storage on local disk and one HTTPS listener.
# The web UI is served on that same listener.

ui = true

# mlock is left at its default (enabled). The systemd unit grants CAP_IPC_LOCK
# and LimitMEMLOCK=infinity, so Vault can lock its memory and keep secrets out
# of swap; do not set disable_mlock = true on this host.
#mlock = true
#disable_mlock = true

# All barrier data lives under this path. The service runs as the vault user
# (User=vault in vault.service), so the directory must be readable/writable by
# that account and should not be readable by anyone else. The file backend is
# local to this host — back the directory up.
storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
# Left disabled: tls_disable = 1 would send tokens and secrets in clear text.
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
# 0.0.0.0 binds every interface, so the API is reachable from any network that
# routes to this host; bind to the address used in VAULT_ADDR, or restrict port
# 8200 with the host firewall, if wider exposure is not intended.
# The cert/key are the files regenerated in /opt/vault/tls; the unit's
# ExecReload sends SIGHUP, which is expected to pick up a rotated certificate —
# verify after rotating.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/server.crt"
  tls_key_file  = "/opt/vault/tls/server.key"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
# The pin below is a placeholder; a real HSM PIN should not be kept in plain
# text in this file.
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

3.启动

# Start the service now and make it start at boot.
# Note: at this point the listener still uses the TLS files shipped by the
# package. After step 4 replaces /opt/vault/tls/server.crt and server.key,
# run `systemctl reload vault` (or restart) so the new certificate is served.
systemctl start vault

systemctl enable vault

4.初始化:(由于自生成的证书有问题,需要重新生成)

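# Regenerate the TLS material referenced by the listener in
# /etc/vault.d/vault.hcl (tls_cert_file / tls_key_file in this directory).
# Runs as root. Abort if the directory is missing so the keys are never
# written into whatever the current directory happens to be.
cd /opt/vault/tls/ || exit 1

# Local CA. -nodes leaves ca.key unencrypted: it is only needed to sign
# server certificates, never by Vault itself, so it stays on this host.
openssl genrsa -out ca.key 2048
# No blank before /CN — "/O=HashiCorp /CN=Vault" put a trailing space into
# the O attribute.
openssl req -x509 -new -nodes -key ca.key -subj "/O=HashiCorp/CN=Vault" -days 34000 -out ca.crt

# Server key and CSR. The SANs come from test.cnf ([ v3_req ] / [ alt_names ])
# and must cover every name or IP that clients put into VAULT_ADDR.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -config test.cnf -subj "/CN=Vault" -out server.csr
# The validity values here (34000 / 36500 days) are lab-grade; shorten them
# for anything beyond a test host.
openssl x509 -req -in server.csr -CA /opt/vault/tls/ca.crt -CAkey /opt/vault/tls/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile test.cnf -out server.crt

# The daemon runs as the vault user (User=vault in vault.service) and must be
# able to read server.key; nothing else needs either private key.
chown vault:vault server.crt server.key
chmod 0600 ca.key server.key
chmod 0644 ca.crt server.crt

# Publish only the CA *certificate*. The original `cp ca.*` would also have
# copied ca.key (the CA private key) and ca.srl into /etc/ssl/certs/.
# On RHEL the system trust store is managed via /etc/pki/ca-trust/source/anchors/
# plus `update-ca-trust`; for the Vault CLI alone, VAULT_CACERT pointing at
# this file is sufficient.
cp /opt/vault/tls/ca.crt /etc/ssl/certs/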
 
[root@es-sky-131 tls]# cat test.cnf 
# OpenSSL request config used for server.csr and, via -extfile/-extensions
# on the signing command, copied onto server.crt.
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

# Left empty: the subject is supplied on the command line with -subj.
[ req_distinguished_name ]

[ v3_req ]
# End-entity certificate: must not be usable to sign further certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Clients verify the host name/IP against the SANs below, not against CN.
subjectAltName = @alt_names

[ alt_names ]
# "Vault" is a bare name, only usable if clients resolve it (e.g. /etc/hosts).
# The guide's VAULT_ADDR uses 192.168.146.131, which is covered by IP.2.
DNS.1=Vault
IP.2 = 192.168.146.131
IP.3 = 192.168.146.134
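# Point the CLI at the HTTPS listener and trust the local CA explicitly.
# The original line repeated "export" and set VAULT_SSL, which the Vault CLI
# does not read; the client-side CA setting is VAULT_CACERT (a PEM file) or
# VAULT_CAPATH (a directory of PEM files).
export VAULT_ADDR='https://192.168.146.131:8200' VAULT_CACERT=/opt/vault/tls/ca.crt

# Initialise the barrier. The unseal key shares and the initial root token are
# printed once, here, and nowhere else: record them through a controlled
# channel (never in a shared document or ticket). Any 3 of the 5 shares can
# unseal this Vault.
vault operator init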
 
Unseal Key 1: 9RDh5U0/FfUlrZaPrwFn1uK/06H8Y0opI/8uJRA8D4G7
Unseal Key 2: Yep/Eroa3uN0VaMGDiuAYkunA31TNy3euS83mCJI8Hnv
Unseal Key 3: lz1VG6L5fLUy0QS0A1xebWIIS63sm7kAPht+vwaQU3aO
Unseal Key 4: sgAuNuC2RlL+tg72hDPDkQ/6cA38p5J/W5xDxXfKhOsl
Unseal Key 5: R4zImTjiMyJ8M7LkQgJQ468vYyx1EI/DnuDKLVF0yvLH
 
Initial Root Token: s.FkhVoIhfOz4Nc7Tt4QkIZVDV
 
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
 
Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!
 
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

解封:(需要执行三次,每次输入一个不同的 Unseal Key)

# Prompts for one unseal key share. Repeat three times with a different share
# each time (threshold is 3 of 5) until the command reports the Vault unsealed.
vault operator unseal
登录:
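# Authenticate with the Initial Root Token printed by `vault operator init`.
# Run without the token as an argument: the CLI prompts for it with echo off,
# so the token does not end up in shell history or in the process list.
vault login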

 附:

1.service配置

[root@es-sky-131 tls]# cat /usr/lib/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
# Refuse to start with a missing or empty config instead of running on defaults.
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
# Give up after 3 failed starts within 60s rather than crash-looping.
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
# Extra environment for the daemon; treat this file as sensitive if it ever
# carries tokens or seal credentials.
EnvironmentFile=/etc/vault.d/vault.env
# Unprivileged service account: /opt/vault/data and the TLS server key must be
# readable by this user.
User=vault
Group=vault
# Sandboxing: /usr, /boot and /etc read-only; home directories read-only;
# private /tmp and /dev.
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
# Keep CAP_IPC_LOCK across the switch to the vault user so memory can be
# mlock()ed; the bounding set drops every other capability, and the process
# can never gain new privileges.
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
# `systemctl reload vault` sends SIGHUP to the main process — use it after
# swapping the TLS files under /opt/vault/tls.
ExecReload=/bin/kill --signal HUP $MAINPID
# Only the main process receives the stop signal (SIGINT); wait up to 30s.
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
# Unlimited locked memory so mlock can cover the whole process.
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

2.初始化可以指定参数

# Same split as the default init (5 shares, any 3 unseal), made explicit.
# Raise the threshold if more than three people are meant to be needed.
vault operator init -key-shares=5 -key-threshold=3 

# -key-shares:指定密钥的总股数, 

# -key-threshold:指定需要几股可解锁

3.

其他系统参考:Install Vault | Vault - HashiCorp Learn

其他安装方式参考:Install Vault | Vault by HashiCorp (vaultproject.io)