Vault Setup
VM Setup
VM Settings
Name: dev-vault-01
IP: 192.168.8.112
Clone from template
Template: ub-24-min-no-docker (no Docker installed); 8 GB RAM, 2 vCPU, 100 GB HDD
First, install Vault Server in HTTP mode
Update and Install Dependencies
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl gnupg unzip
Enable required ports in firewall. Only SSH and HTTPS are opened; Vault's own port 8200 stays closed because clients will reach Vault through the NGINX proxy on 443:
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw reload
sudo ufw status verbose
Add HashiCorp GPG Key and Repo
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
Install Vault
sudo apt install -y vault
Configure Vault for HTTP Access
Create the Vault configuration directory and config file:
sudo mkdir -p /etc/vault.d
sudo vim /etc/vault.d/vault.hcl
Paste the following minimal configuration for HTTP mode. The listener address decides who can reach the plaintext API: 127.0.0.1 (as below) keeps it reachable only from the host itself, which is all the NGINX reverse proxy set up later needs; use 0.0.0.0 only if clients must reach port 8200 directly without the proxy, since that exposes unencrypted Vault traffic (tokens included) on every interface.
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
storage "file" {
  path = "/opt/vault/data"
}
disable_mlock = true
ui = true
Make sure the data directory is owned by the vault service user:
sudo chown -R vault:vault /opt/vault
Enable and Start Vault as a Service. Edit the systemd service to use the config file if needed: the vault.service unit shipped with the HashiCorp package already starts Vault with -config=/etc/vault.d/vault.hcl, so it only needs changing if the file was placed elsewhere.
sudo systemctl enable vault
sudo systemctl start vault
sudo systemctl status vault
Initialize and Unseal Vault
export VAULT_ADDR="http://127.0.0.1:8200"
vault operator init
You'll get 5 unseal keys and 1 root token; save them securely and separately, since any 3 of the keys can unseal Vault and the root token has unrestricted access.
Unseal with 3 of the unseal keys:
vault operator unseal
vault operator unseal
vault operator unseal
vault login
Each unseal command prompts for one key; vault login prompts for the root token. Run the following command to check the status of the Vault server (Sealed should read false):
vault status
Now, HTTPS for the Vault Server
Goal:
Access Vault at: https://vault.aspireclan.com
With: Cloudflare DNS, Let's Encrypt SSL via DNS-01 challenge, Certbot using a secure API Token, NGINX reverse proxy, Vault running on localhost HTTP
💡Pre-Requirements:
vault.aspireclan.com must point to the Vault Server IP (update A record in Cloudflare).
Install Required Packages
sudo apt update && sudo apt install -y nginx certbot python3-certbot-dns-cloudflare unzip curl gnupg
Create Cloudflare Credentials File
sudo mkdir -p /etc/letsencrypt
sudo vim /etc/letsencrypt/cloudflare.ini
Add the following line:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
Replace YOUR_CLOUDFLARE_API_TOKEN with the token you created. Use a token scoped to DNS edit permission on the aspireclan.com zone only, not a global API key, so that a leak of this file cannot affect anything beyond that zone's DNS records.
Secure the file:
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
Issue SSL Certificate Using DNS-01 Challenge
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
-d vault.aspireclan.com \
--preferred-challenges dns-01 \
--agree-tos \
--no-eff-email \
--email aspireclan1208@gmail.com
Output cert files will be at:
sudo ls /etc/letsencrypt/live/vault.aspireclan.com/
Configure NGINX as Reverse Proxy to Vault
Create an NGINX config for Vault:
sudo vim /etc/nginx/sites-available/vault
Paste the following configuration:
server {
  listen 443 ssl;
  server_name vault.aspireclan.com;
  ssl_certificate /etc/letsencrypt/live/vault.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/vault.aspireclan.com/privkey.pem;
  location / {
    proxy_pass http://127.0.0.1:8200;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
Note that Vault ignores X-Forwarded-For unless the listener's x_forwarded_for_authorized_addrs setting includes the proxy address (here 127.0.0.1); until it is set, Vault's audit log records every client as 127.0.0.1.
Enable the config:
sudo ln -s /etc/nginx/sites-available/vault /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
sudo systemctl restart nginx
Restart Vault:
sudo systemctl restart vault
Restarting Vault seals it again (file storage has no auto-unseal), so repeat the three vault operator unseal commands afterwards and confirm with vault status.
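The listener address, the NGINX proxy target and the credentials-file permissions above are the parts of this setup most easily misconfigured. The following check script is an added example, not part of the original guide; its functions take file paths, and the sample configs it builds are constructed for a self-contained run.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: post-install checks for the layout
# above. Each function takes a file path, so it runs here on constructed samples
# and can be pointed at the real /etc/vault.d/vault.hcl,
# /etc/nginx/sites-available/vault and /etc/letsencrypt/cloudflare.ini.

# First value of a `key = value` or `key = "value"` line (HCL or INI style).
cfg_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# 0 if the listener is TLS-enabled or, when tls_disable is set, bound to 127.0.0.1.
# A plaintext listener on 0.0.0.0 would carry tokens unencrypted across the network
# and bypass the NGINX TLS front end.
vault_listener_ok() {
  local tls addr
  tls=$(cfg_value "$1" tls_disable)
  addr=$(cfg_value "$1" address)
  case "$tls" in 1|true) ;; *) return 0 ;; esac
  case "$addr" in 127.0.0.1:*) return 0 ;; *) return 1 ;; esac
}

# 0 if NGINX proxies to the loopback Vault port and serves a Let's Encrypt cert.
nginx_site_ok() {
  grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://127\.0\.0\.1:8200;' "$1" &&
    grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/' "$1"
}

# 0 if the credentials file is mode 0600; otherwise any local user could read a
# token able to rewrite the zone's DNS records.
cloudflare_ini_ok() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Constructed sample configs so the checks can run self-contained.
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  printf 'listener "tcp" {\n  address = "127.0.0.1:8200"\n  tls_disable = 1\n}\n' >"$SAMPLE_DIR/good.hcl"
  printf 'listener "tcp" {\n  address = "0.0.0.0:8200"\n  tls_disable = 1\n}\n' >"$SAMPLE_DIR/bad.hcl"
  printf 'server {\n  ssl_certificate /etc/letsencrypt/live/x/fullchain.pem;\n  location / {\n    proxy_pass http://127.0.0.1:8200;\n  }\n}\n' >"$SAMPLE_DIR/vault.nginx"
  printf 'dns_cloudflare_api_token = PLACEHOLDER_TOKEN\n' >"$SAMPLE_DIR/cloudflare.ini"
  chmod 600 "$SAMPLE_DIR/cloudflare.ini"
}

make_samples
vault_listener_ok "$SAMPLE_DIR/good.hcl" && echo "good.hcl: plaintext listener stays on loopback"
vault_listener_ok "$SAMPLE_DIR/bad.hcl" || echo "bad.hcl: plaintext listener exposed on 0.0.0.0"
nginx_site_ok "$SAMPLE_DIR/vault.nginx" && echo "nginx: TLS terminated, proxying to 127.0.0.1:8200"
cloudflare_ini_ok "$SAMPLE_DIR/cloudflare.ini" && echo "cloudflare.ini: mode 0600"
```

To run it against the live host, call the three *_ok functions with the real paths instead of the samples; a non-zero exit from any of them is a misconfiguration to fix before exposing vault.aspireclan.com.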