Installing Hashicorp Vault on a Raspberry Pi 4

Austin E Osuide
3 min read · Feb 15, 2021


As you do, you’ll want a ‘fully functional’ OSS instance of Vault in your homelab rather than the ‘dev’ instance, which starts already unsealed. This is good practice if you want to simulate a production environment, certificate management and all, and it gives you a more or less permanent Vault for use in your lab. So, without further ado, the steps:

  • Install Groovy Gorilla (Ubuntu 20.10) on the RPi 4:

https://ubuntu.com/download/raspberry-pi

  • Download Hashicorp Vault

wget https://releases.hashicorp.com/vault/1.6.2/vault_1.6.2_linux_arm.zip

  • Install unzip and extract the archive:

unzip vault_1.6.2_linux_arm.zip

  • Move vault to /usr/bin

sudo mv vault /usr/bin

  • Confirm all good

vault -v

  • Set Linux capability flags which let vault perform memory locking without elevating its privileges:

sudo setcap cap_ipc_lock=+ep /usr/bin/vault

  • Create vault data folder

sudo mkdir ~/hashicorp/vault-data

#(make sure folder hashicorp already exists)

  • Create startup vault user:

sudo useradd -r -d ~/hashicorp/vault-data -s /usr/sbin/nologin vault

#(on Ubuntu the nologin shell lives at /usr/sbin/nologin, not /bin/nologin)

  • Set /vault-data ownership to vault user and group exclusively:

sudo install -o vault -g vault -m 750 -d ~/hashicorp/vault-data

  • Create Vault configuration file

sudo nano /etc/vault.hcl

ui = true

storage "file" {
  path = "/home/ubuntu/hashicorp/vault-data"
}

listener "tcp" {
  address                  = "192.168.1.79:8200"
  tls_min_version          = "tls12"
  tls_cert_file            = "/etc/letsencrypt/live/black-pearl/fullchain.pem"
  tls_key_file             = "/etc/letsencrypt/live/black-pearl/privkey.pem"
  tls_disable_client_certs = true
}

  • Change ownership of file:

sudo chown vault:vault /etc/vault.hcl

sudo chmod 640 /etc/vault.hcl

  • Launch Vault as a service

sudo nano /etc/systemd/system/vault.service

[Unit]
Description=HashiCorp Vault to manage secrets
Documentation=https://vaultproject.io/docs/
After=network-online.target
ConditionFileNotEmpty=/etc/vault.hcl

[Service]
User=vault
Group=vault
ExecStart=/usr/bin/vault server -config=/etc/vault.hcl
ExecReload=/usr/bin/kill -1 $MAINPID
Restart=on-failure
KillMode=process
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
SecureBits=keep-caps
NoNewPrivileges=yes
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

  • Get the service running:

sudo systemctl daemon-reload

sudo systemctl start vault.service

sudo systemctl status vault.service

  • Let's get ready to rumble!! Set your environment variables for Vault (the listener above is TLS-only, so the address must use https, and the variable Vault reads is VAULT_ADDR):

export VAULT_ADDR=https://192.168.1.79:8200

echo "export VAULT_ADDR=https://192.168.1.79:8200" >> ~/.bashrc

  • Initialise Vault

vault operator init

Unseal Key 1: b199iVYvYNwvOEUCFVk6fv7lfGYgnlcxxxxxxxxxqgSC

Unseal Key 2: qQ0ogSS6oM0hm8nbAvxFFRakbBxxxxxxxxxxFYY+k9

Unseal Key 3: UMi3HKQwxxxxxxxxxxX2mdmEbO/WHfMSvLfOI93

Unseal Key 4: aREgLDE8c+oxxxxxxxxxxV4Kd2+x68xqYxax2qjSfnw/

Unseal Key 5: t/3kKShdtxxxxxxxxxxomb4c8Ho2hY5i21C8ZRpAgilq

Initial Root Token: s.aVnfOxFMxxxxxxxxx5Fe4flz7vp9Fo

  • Use the unseal keys to unseal vault

vault operator unseal b199iVYvYNwvOEUCFVk6fv7lfGYgnlcxxxxxxxxxqgSC

vault operator unseal qQ0ogSS6oM0hm8nbAvxFFRakbBxxxxxxxxxxFYY+k9

vault operator unseal UMi3HKQwxxxxxxxxxxX2mdmEbO/WHfMSvLfOI9

  • This should result in an unsealed Vault, as shown in the status output below:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.6.2
Storage Type    file
Cluster Name    vault-cluster-ebcec4ba
Cluster ID      bb776d03-25c3-966a-c0c8-9a336b73bc9e
HA Enabled      false

  • The Vault UI can also be reached over HTTPS at the IP address, or at the hostname on the server certificate:

https://192.168.1.79:8200/ui/

  • The certificates issued to Vault come from an internal CA that also runs on an RPi.
  • These certs have a validity period of 2 hours, so they need to be rotated regularly. We use certbot and systemd for this.
  • Create the certbot service:

sudo nano /etc/systemd/system/certbot.service

# /etc/systemd/system/certbot.service
[Unit]
Description=certbot renewal service
Documentation=https://certbot.eff.org/#ubuntuxenial-nginx
After=network-online.target

[Service]
Environment="REQUESTS_CA_BUNDLE=/home/ubuntu/.step/certs/root_ca.crt" \
"STEPPATH=/home/ubuntu/.step" \
"CERT_LOCATION=/etc/letsencrypt/live/<servername>/cert.pem" \
"KEY_LOCATION=/etc/letsencrypt/live/<servername>/key.pem"

# Only renew once 66% of the certificate's lifetime has elapsed:
# (start + (end - start) * 0.66) - now <= 0
ExecCondition=/usr/bin/bash -c \
'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
jq -e "(((.validity.start | fromdate) + \
((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
- now) <= 0" > /dev/null'
ExecStart=/snap/bin/certbot -q renew
ExecStartPost=/bin/systemctl reload vault.service
Type=oneshot

  • Create timer service that triggers certbot service:

sudo nano /etc/systemd/system/certbot.timer

[Unit]
Description=Ongoing renewal of certificates

[Timer]
OnCalendar=*:0/15
RandomizedDelaySec=10
Persistent=true

[Install]
WantedBy=timers.target

  • Reload the service daemon:

sudo systemctl daemon-reload

  • Enable the timer service:

sudo systemctl enable certbot.timer

  • Start the timer service:

sudo systemctl start certbot.timer

This should get Vault running and functional in your home lab with short-lived TLS certificates working in the mix.
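To see what the ExecCondition in certbot.service actually decides, here is an added Python example (not from the post, and not part of step, certbot or Vault) that mirrors its jq test on the JSON that `step certificate inspect --format json` emits, using a constructed sample; it also computes the worst-case margin the 15-minute timer leaves on a 2-hour certificate, and treats an unreadable or expired certificate as due for renewal.

```python
import json
from datetime import datetime, timezone

# Same factor as the jq test in certbot.service: renew once 66% of the lifetime is used.
RENEW_AT_FRACTION = 0.66


def _parse_rfc3339(value):
    """Parse the UTC timestamps step emits, e.g. 2021-02-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def renewal_due(inspect_json, now_rfc3339=None):
    """Mirror the ExecCondition: (start + lifetime * 0.66) - now <= 0.

    `inspect_json` is the output of `step certificate inspect --format json`.
    An unreadable or already-expired certificate counts as due, so a broken
    cert file triggers a renewal attempt instead of being silently skipped.
    """
    now = _parse_rfc3339(now_rfc3339) if now_rfc3339 else datetime.now(timezone.utc)
    try:
        validity = json.loads(inspect_json)["validity"]
        start = _parse_rfc3339(validity["start"])
        end = _parse_rfc3339(validity["end"])
    except (KeyError, TypeError, ValueError):
        return True
    lifetime = (end - start).total_seconds()
    if lifetime <= 0 or now >= end:
        return True
    renew_at = start.timestamp() + lifetime * RENEW_AT_FRACTION
    return renew_at - now.timestamp() <= 0


def renewal_margin_seconds(lifetime_s, timer_interval_s, max_delay_s=0):
    """Worst-case seconds left on the cert when renewal finally runs, given the
    timer interval (OnCalendar=*:0/15 -> 900) and RandomizedDelaySec.
    A negative result means the timer is too slow for this certificate lifetime."""
    latest_run = lifetime_s * RENEW_AT_FRACTION + timer_interval_s + max_delay_s
    return lifetime_s - latest_run


# Constructed sample in the shape step emits (a two-hour cert); not real data.
SAMPLE_INSPECT = json.dumps({
    "subject": {"common_name": "black-pearl"},
    "validity": {"start": "2021-02-15T10:00:00Z",
                 "end": "2021-02-15T12:00:00Z", "length": 7200},
})

if __name__ == "__main__":
    print("renew now:", renewal_due(SAMPLE_INSPECT, "2021-02-15T11:30:00Z"))
    print("worst-case margin (s):", renewal_margin_seconds(7200, 900, 10))
```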

  • Addendum:
    You may need to modify the permissions on /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ with:

chmod 755 /etc/letsencrypt/live/
chmod 755 /etc/letsencrypt/archive/
(https://github.com/certbot/certbot/issues/5257)

Enjoy!!
