1.yum安装
# 1. Install Vault from the HashiCorp yum repository.
#    yum-utils provides yum-config-manager, which registers the repo definition
#    (GPG settings come from the downloaded .repo file).
yum -y install yum-utils
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
yum install -y vault
2.修改配置文档:
[root@es-sky-131 tls]# cat /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/server.crt"
  tls_key_file = "/opt/vault/tls/server.key"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib = "/usr/vault/lib/libCryptoki2_64.so"
#  slot = "0"
#  pin = "AAAA-BBBB-CCCC-DDDD"
#  key_label = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}
3.启动
# 3. Start the service now and enable it at boot.
#    Vault reads the certificate files named in vault.hcl when it starts; step 4
#    below regenerates those files, so restart the service afterwards (or reload
#    it: the unit's ExecReload sends SIGHUP, which re-reads listener certificates).
systemctl start vault
systemctl enable vault
4.初始化:(由于自生成的证书有问题,需要重新生成)
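# 4. Regenerate the TLS material referenced by vault.hcl (the certificate the
#    package generated was not usable). Work from the TLS directory so the
#    relative names (ca.key, server.csr, test.cnf) resolve.
cd /opt/vault/tls/ || exit 1

# Private CA. The key stays on this host; only the certificate is distributed.
openssl genrsa -out ca.key 2048
# Subject: the original "/O=HashiCorp /CN=Vault" had a space before "/CN", which
# ends up inside the O value ("HashiCorp "); the separator is "/" with no space.
# Validity periods are kept as the author chose them.
openssl req -x509 -new -nodes -key ca.key -subj "/O=HashiCorp/CN=Vault" -days 34000 -out ca.crt

# Server key and CSR; the SANs (DNS "Vault", the two IPs) come from test.cnf.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -config test.cnf -subj "/CN=Vault" -out server.csr
openssl x509 -req -in server.csr -CA /opt/vault/tls/ca.crt -CAkey /opt/vault/tls/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile test.cnf -out server.crt

# The service runs as User=vault/Group=vault (see vault.service) and must read
# the server key; no other account needs to. openssl writes keys with the
# caller's umask, so tighten them explicitly.
chown vault:vault server.crt server.key
chmod 0600 server.key
chmod 0600 ca.key

# Trust the CA *certificate* system-wide. The original "cp ca.*" also copied
# ca.key (and the ca.srl created by -CAcreateserial) into the world-readable
# certificate directory, which exposes the CA private key.
cp /opt/vault/tls/ca.crt /etc/ssl/certs/

# Vault was started in step 3 with the old certificate; make the listener load
# server.crt/server.key. The unit's ExecReload sends SIGHUP, which also reloads
# listener certificates, so "systemctl reload vault" is an alternative.
systemctl restart vault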
[root@es-sky-131 tls]# cat test.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = Vault
IP.2 = 192.168.146.131
IP.3 = 192.168.146.134
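# Point the CLI at the HTTPS listener. The original line read "export export",
# a duplicated word (it happened to work because "export" is a legal variable
# name). VAULT_SSL is not a documented Vault CLI variable; the CLI trusts the
# server because ca.crt was copied to /etc/ssl/certs. VAULT_CACERT names the CA
# explicitly so the trust does not depend on the system store.
export VAULT_ADDR='https://192.168.146.131:8200'
export VAULT_CACERT=/opt/vault/tls/ca.crt
export VAULT_SSL=/opt/vault/tls   # kept from the original; not consumed by the CLI

# Initialise: prints the unseal key shares and the initial root token once.
vault operator init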
Unseal Key 1: 9RDh5U0/FfUlrZaPrwFn1uK/06H8Y0opI/8uJRA8D4G7
Unseal Key 2: Yep/Eroa3uN0VaMGDiuAYkunA31TNy3euS83mCJI8Hnv
Unseal Key 3: lz1VG6L5fLUy0QS0A1xebWIIS63sm7kAPht+vwaQU3aO
Unseal Key 4: sgAuNuC2RlL+tg72hDPDkQ/6cA38p5J/W5xDxXfKhOsl
Unseal Key 5: R4zImTjiMyJ8M7LkQgJQ468vYyx1EI/DnuDKLVF0yvLH
Initial Root Token: s.FkhVoIhfOz4Nc7Tt4QkIZVDV
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
解封:(需要执行三次)
# Unseal: run three times (threshold 3 of the 5 shares printed above). Each run
# prompts for one unseal key, so the shares never appear on the command line.
vault operator unseal
登录:
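# Log in with the initial root token printed by "vault operator init". The
# original passed the token as an argument, which records it in shell history
# and shows it in process listings while the command runs; without an argument
# the CLI prompts for the token (input hidden) instead.
vault login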
附:
1.service配置
[root@es-sky-131 tls]# cat /usr/lib/systemd/system/vault.service
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
EnvironmentFile=/etc/vault.d/vault.env
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
2.初始化可以指定参数
# Initialisation parameters. These are the values the parameterless init above
# produced (5 shares, threshold 3); pass them explicitly to change the split.
vault operator init -key-shares=5 -key-threshold=3
# -key-shares: total number of key shares the master key is split into
# -key-threshold: how many of those shares are needed to unseal
3.
其他系统参考:Install Vault | Vault - HashiCorp Learn
其他安装方式参考:Install Vault | Vault by HashiCorp (vaultproject.io)