Installing Hashicorp Vault on a Raspberry Pi 4
As you do, you’d want to have a ‘fully functional’ OSS instance of Vault in your homelab and not the ‘dev’ instance, which starts already unsealed. This is good practice if you want to simulate a production environment, with the intricacies of certificate management, and it gives you a more or less permanent Vault for use in your lab. So, without further ado, the steps:
- Install Groovy Gorilla (Ubuntu 20.10) on the RPi 4:
https://ubuntu.com/download/raspberry-pi
- Download Hashicorp Vault
wget https://releases.hashicorp.com/vault/1.6.2/vault_1.6.2_linux_arm.zip
- Install unzip, then unzip the archive:
unzip vault_1.6.2_linux_arm.zip
- Move vault to /usr/bin
sudo mv vault /usr/bin
- Confirm the binary runs:
vault -v
- Set the Linux capability flag that lets vault lock its memory (mlock) without running as root:
sudo setcap cap_ipc_lock=+ep /usr/bin/vault
- Create the vault data folder (the ~/hashicorp folder must already exist; the file storage path in the config below assumes this resolves to /home/ubuntu/hashicorp/vault-data):
sudo mkdir ~/hashicorp/vault-data
- Create a system user for Vault to run as:
sudo useradd -r -d ~/hashicorp/vault-data -s /bin/nologin vault
- Give vault-data to the vault user and group exclusively, with mode 750 so no other user can read the storage backend:
sudo install -o vault -g vault -m 750 -d ~/hashicorp/vault-data
- Create the Vault configuration file (file storage, TLS-only listener):
sudo nano /etc/vault.hcl
ui = true
storage "file" {
  path = "/home/ubuntu/hashicorp/vault-data"
}
listener "tcp" {
  address = "192.168.1.79:8200"
  tls_min_version = "tls12"
  tls_cert_file = "/etc/letsencrypt/live/black-pearl/fullchain.pem"
  tls_key_file = "/etc/letsencrypt/live/black-pearl/privkey.pem"
  tls_disable_client_certs = true
}
- Restrict the configuration file to the vault user:
sudo chown vault:vault /etc/vault.hcl
sudo chmod 640 /etc/vault.hcl
- Run Vault as a systemd service (ExecReload sends SIGHUP, which makes Vault re-read its TLS certificate and key; the certbot unit further down relies on this):
sudo nano /etc/systemd/system/vault.service
[Unit]
Description=HashiCorp Vault to manage secrets
Documentation=https://vaultproject.io/docs/
After=network-online.target
ConditionFileNotEmpty=/etc/vault.hcl
[Service]
User=vault
Group=vault
ExecStart=/usr/bin/vault server -config=/etc/vault.hcl
ExecReload=/usr/bin/kill -1 $MAINPID
Restart=on-failure
KillMode=process
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
SecureBits=keep-caps
NoNewPrivileges=yes
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
- Get the service running:
sudo systemctl daemon-reload
sudo systemctl start vault.service
sudo systemctl status vault.service
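A preflight script for the hardening points in the steps above (config file 640 and owned by vault, data directory 750, TLS on the listener, cap_ipc_lock on the binary). This is an added example, not part of the original post or of Vault; the script name and its arguments are my own:

```shell
#!/usr/bin/env bash
# Preflight check for the hardening points in the steps above (added example,
# not part of the original post or of Vault). It inspects a vault.hcl, its
# file-storage directory and the vault binary, and reports anything that
# would weaken the setup: a readable config, a wrong owner, a plaintext
# listener, a data directory open to other users, or a missing mlock cap.

# check_file_mode <path> <octal-mode> <owner>: e.g. 640 vault for vault.hcl
check_file_mode() {
  local got
  got="$(stat -c '%a %U' "$1" 2>/dev/null)" || { echo "missing: $1"; return 1; }
  [ "$got" = "$2 $3" ] || { echo "bad perms on $1: have '$got', want '$2 $3'"; return 1; }
}

# hcl_value <file> <key>: prints the first  key = "value"  found in the config
hcl_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_vault_config <vault.hcl> <data-dir> <owner>
# Returns 0 only when every hardening point holds; prints each failure found.
check_vault_config() {
  local cfg="$1" data="$2" owner="$3" rc=0
  check_file_mode "$cfg" 640 "$owner" || rc=1
  check_file_mode "$data" 750 "$owner" || rc=1
  # the storage path in the config must be the directory we just locked down
  [ "$(hcl_value "$cfg" path)" = "$data" ] || { echo "storage path is not $data"; rc=1; }
  # the TCP listener must terminate TLS: cert and key set, tls_disable unset
  [ -n "$(hcl_value "$cfg" tls_cert_file)" ] || { echo "no tls_cert_file"; rc=1; }
  [ -n "$(hcl_value "$cfg" tls_key_file)" ]  || { echo "no tls_key_file"; rc=1; }
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*("?true"?|1)' "$cfg"; then
    echo "tls_disable is set: the listener would speak plaintext"; rc=1
  fi
  return "$rc"
}

# check_binary_caps <vault-binary>: the file capability from the setcap step,
# which lets a non-root vault mlock() its memory. Skipped where getcap is absent.
check_binary_caps() {
  command -v getcap >/dev/null 2>&1 || return 0
  getcap "$1" | grep -q cap_ipc_lock || { echo "cap_ipc_lock not set on $1"; return 1; }
}

# Usage: ./vault_preflight.sh /etc/vault.hcl /home/ubuntu/hashicorp/vault-data vault [/usr/bin/vault]
if [ "$#" -ge 3 ]; then
  check_vault_config "$1" "$2" "$3" && check_binary_caps "${4:-/usr/bin/vault}" && echo "preflight OK"
fi
```

Run it as root (or as a user that can stat the vault-owned files) after the steps above; a non-zero exit lists exactly which point failed.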
- Let's get ready to rumble!! Set your environment variable for Vault. The listener terminates TLS, so the address must use https (and if the server certificate carries no IP SAN, use the hostname on the certificate instead of the IP):
export VAULT_ADDR=https://192.168.1.79:8200
echo "export VAULT_ADDR=https://192.168.1.79:8200" >> ~/.bashrc
- Initialise Vault (the keys and token below are redacted; yours will differ):
vault operator init
Unseal Key 1: b199iVYvYNwvOEUCFVk6fv7lfGYgnlcxxxxxxxxxqgSC
Unseal Key 2: qQ0ogSS6oM0hm8nbAvxFFRakbBxxxxxxxxxxFYY+k9
Unseal Key 3: UMi3HKQwxxxxxxxxxxX2mdmEbO/WHfMSvLfOI93
Unseal Key 4: aREgLDE8c+oxxxxxxxxxxV4Kd2+x68xqYxax2qjSfnw/
Unseal Key 5: t/3kKShdtxxxxxxxxxxomb4c8Ho2hY5i21C8ZRpAgilq
Initial Root Token: s.aVnfOxFMxxxxxxxxx5Fe4flz7vp9Fo
- Use any three of the five unseal keys (the threshold shown below) to unseal Vault:
vault operator unseal b199iVYvYNwvOEUCFVk6fv7lfGYgnlcxxxxxxxxxqgSC
vault operator unseal qQ0ogSS6oM0hm8nbAvxFFRakbBxxxxxxxxxxFYY+k9
vault operator unseal UMi3HKQwxxxxxxxxxxX2mdmEbO/WHfMSvLfOI93
- This should result in an unsealed Vault, as vault status shows:
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.6.2
Storage Type    file
Cluster Name    vault-cluster-ebcec4ba
Cluster ID      bb776d03-25c3-966a-c0c8-9a336b73bc9e
HA Enabled      false
- The Vault UI can also be reached in a browser at the IP or hostname named on the server certificate.
- The certificates issued to Vault come from an internal CA, also running on a Raspberry Pi.
- These certs have a validity period of 2 hours, so they need to be rotated automatically. We use certbot and systemd for this.
- Create the certbot service unit:
sudo nano /etc/systemd/system/certbot.service
# /etc/systemd/system/certbot.service
[Unit]
Description=certbot renewal service
Documentation=https://certbot.eff.org/#ubuntuxenial-nginx
After=network-online.target

[Service]
Environment="REQUESTS_CA_BUNDLE=/home/ubuntu/.step/certs/root_ca.crt" \
  "STEPPATH=/home/ubuntu/.step" \
  "CERT_LOCATION=/etc/letsencrypt/live/<servername>/cert.pem" \
  "KEY_LOCATION=/etc/letsencrypt/live/<servername>/key.pem"
ExecCondition=/usr/bin/bash -c \
  'step certificate inspect $CERT_LOCATION --format json --roots "$STEPPATH/certs/root_ca.crt" | \
  jq -e "(((.validity.start | fromdate) + \
  ((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66) \
  - now) <= 0" > /dev/null'
ExecStart=/snap/bin/certbot -q renew
ExecStartPost=/bin/systemctl reload vault.service
Type=oneshot
- Create a timer unit that triggers the certbot service every 15 minutes (the ExecCondition above makes most runs a no-op until two-thirds of the certificate's lifetime has elapsed):
sudo nano /etc/systemd/system/certbot.timer
[Unit]
Description=Ongoing renewal of certificates
[Timer]
OnCalendar=*:0/15
RandomizedDelaySec=10
Persistent=true
[Install]
WantedBy=timers.target
- Reload the service daemon:
sudo systemctl daemon-reload
- Enable the timer service:
sudo systemctl enable certbot.timer
- Start the timer service:
sudo systemctl start certbot.timer
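The renewal decision the ExecCondition makes (renew once 0.66 of the certificate's lifetime has elapsed) as a standalone shell function, so it can be tested against fixed epochs and run against a PEM file with openssl instead of step. This is an added example and not code from the original post, certbot or step; the script name, function names and the use of openssl/GNU date are my own choices:

```shell
#!/usr/bin/env bash
# The renewal decision the certbot unit's ExecCondition makes, as a standalone
# shell function (added example; not from the original post, certbot or step).
# A certificate is due for renewal once 0.66 of its lifetime has elapsed, the
# same ratio the jq expression uses. Times are Unix epochs so this runs offline.

# renew_threshold <not_before_epoch> <not_after_epoch>
# Prints the epoch at which renewal becomes due: start + lifetime * 66/100.
renew_threshold() {
  local start="$1" end="$2" lifetime
  lifetime=$((end - start))
  [ "$lifetime" -gt 0 ] || { echo "invalid validity window" >&2; return 2; }
  echo $((start + lifetime * 66 / 100))
}

# renew_due <not_before_epoch> <not_after_epoch> <now_epoch>
# Returns 0 when renewal is due (now >= threshold), 1 otherwise.
renew_due() {
  local threshold
  threshold="$(renew_threshold "$1" "$2")" || return 2
  [ "$3" -ge "$threshold" ]
}

# cert_epochs <cert.pem>: prints "<not_before> <not_after>" as epochs. Uses
# openssl and GNU date rather than step, so it works on a stock Ubuntu box.
cert_epochs() {
  local nb na
  nb="$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2-)"
  na="$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)"
  echo "$(date -d "$nb" +%s) $(date -d "$na" +%s)"
}

# Usage: ./renew_check.sh /etc/letsencrypt/live/<servername>/cert.pem
# Exit status 0 means "renew now", mirroring how systemd reads ExecCondition.
if [ "$#" -eq 1 ]; then
  epochs="$(cert_epochs "$1")"
  if renew_due "${epochs% *}" "${epochs#* }" "$(date +%s)"; then
    echo "renewal due"
  else
    echo "certificate still fresh"; exit 1
  fi
fi
```

With the 2-hour certificates used here, renewal becomes due 79 minutes and 12 seconds after issuance, so the 15-minute timer renews at most about 41 minutes before expiry.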
This should get Vault running and functional in your home lab with short-lived TLS certificates working in the mix.
- Addendum:
You may need to relax the permissions on /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ so the vault user can traverse them to its certificate and key:
chmod 755 /etc/letsencrypt/live/
chmod 755 /etc/letsencrypt/archive/
(https://github.com/certbot/certbot/issues/5257)
Enjoy!!