HashiCorp Vault

In this section we will discuss the content of Vault Associate Certification exam.

Here is the course repo.

Exam

Exam Objectives

Introduction to Vault

Benefits of Vault

Vault Components

• Storage Backends
  • Consul
• Secrets Engines
  • Store.
  • Generate.
  • Encrypt.
• Authentication Methods
• Audit Devices

Storage Backends

Secrets Engines

Authentication Methods

Audit Devices

Vault Architecture

Vault Paths

---

Vault Data Protection

---

Seal and Unseal

---

---

Unsealing with Key Shards (Shamir's Secret Sharing Algorithm)

---

Pick five trusted employees and give them a key shard. To unseal vault, you need at least three key shards.

vault status
# Shamir
# Sealed True

Vault Unseal Process

vault status

vault operator init

Vault Auto Unseal

---

Vault Transit Auto Unseal

---

---

Vault Initialization

Vault Configuration File

---

---

You will typically have multiple stanzas and global level parameters.

listener "tcp" {
    address = "0.0.0.0:8200"
    cluster_address = "0.0.0.0:8201"
    tls_disable = "true"
}
seal "awskms" {
    region = "us-west-2"
    kms_key_id = "<kms_key>"
}
api_addr = "https://IP_ADDRESS:8200"
ui = true
cluster_name = "vault-cluster"

Available Stanzas

• Seal: seal type.
• Listener (Required): addresses, ports for Vault.
• Storage: backend storage.
• Telemetry: Where to publish metrics to upstream systems.

Diagnose

vault operator diagnose - config=/etc/vault.d/vault.hcl

Storage Backends

So support HA and some do not.

---

Choosing a Storage Backend