
Vault Setup

VM Setup

VM Settings

Name: dev-vault-01
IP: 192.168.8.112

Clone from template

No Docker template (ub-24-min-no-docker): 8 GB RAM, 2 vCPU, 100 GB HDD

Configure a static IP (netplan)

sudo vim /etc/netplan/50-cloud-init.yaml

In vim, :%d clears the existing contents; then paste the following (the interface name enp6s18 may differ on your VM, check with ip link):

network:
  version: 2
  ethernets:
    enp6s18:
      dhcp4: false
      addresses:
        - 192.168.8.7/22
      # gateway4 is deprecated in current netplan; a default route is the equivalent
      routes:
        - to: default
          via: 192.168.8.1
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8

sudo netplan apply

Reboot the server and login using 192.168.8.7

First, install Vault Server in HTTP mode

Update and Install Dependencies

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl gnupg unzip

Add HashiCorp GPG Key and Repo

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update

Install Vault

sudo apt install -y vault

Configure Vault for HTTP Access

Create the Vault configuration directory and config file:

sudo mkdir -p /etc/vault.d
sudo vim /etc/vault.d/vault.hcl

Paste the following minimal configuration for HTTP mode. The 0.0.0.0 address binds every interface so the UI is reachable over the network during this first stage (it is narrowed to 127.0.0.1 once NGINX is in front):

listener "tcp" {
    address     = "0.0.0.0:8200"
    tls_disable = 1
}

storage "file" {
  path = "/opt/vault/data"
}

disable_mlock = true
ui = true

Create the storage directory referenced by the config and give it to the vault user:

sudo mkdir -p /opt/vault/data
sudo chown -R vault:vault /opt/vault

Set Vault Environment Variables

export VAULT_ADDR="http://192.168.8.7:8200"

Enable and start Vault as a service. The apt package ships a systemd unit that already starts Vault with /etc/vault.d/vault.hcl, so the unit itself does not need editing:

sudo systemctl enable --now vault
sudo systemctl status vault

Initialize and Unseal Vault

vault operator init

You'll get 5 unseal keys and 1 root token — save them securely.

Unseal with 3 of the unseal keys:

vault operator unseal
vault operator unseal
vault operator unseal

Run the following command to check the status of the Vault server:

vault status
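The seal state, threshold (t), share count (n) and unseal progress are all in the JSON form of this command. The following helper, added here as an example and not part of the original notes, parses that output so a bootstrap script can stop until enough shares have been supplied. The JSON samples in the usage line are constructed; on a real host pass in the output of vault status -format=json.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): summarise the seal state from
# `vault status -format=json`. Exit status 0 means unsealed, 1 means sealed.

json_field() {
  # Extract a top-level scalar field ($2) from compact or pretty-printed JSON ($1).
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([^,}]*\).*/\1/p" \
    | tr -d ' "'
}

seal_summary() {
  status_json="$1"
  sealed=$(json_field "$status_json" sealed)
  t=$(json_field "$status_json" t)
  n=$(json_field "$status_json" n)
  progress=$(json_field "$status_json" progress)
  if [ "$sealed" = "false" ]; then
    echo "unsealed (threshold $t of $n shares)"
    return 0
  fi
  # Still sealed: report how many of the threshold shares have been entered.
  echo "sealed: $progress of $t shares provided (of $n total)"
  return 1
}

# Usage on a live host:
#   seal_summary "$(vault status -format=json)" || echo "run vault operator unseal"
# Constructed sample for offline use:
#   seal_summary '{"type":"shamir","initialized":true,"sealed":true,"t":3,"n":5,"progress":1}'
```

With the default init settings from these notes the summary reports "sealed: 1 of 3 shares provided (of 5 total)" after the first unseal command and switches to the unsealed line after the third.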

Enable required ports in the firewall (8200 is only needed while Vault is reached directly over HTTP; once NGINX fronts Vault on 443 later in these notes, 80 and 443 are enough and 8200 can be closed again):

sudo ufw allow 8200
sudo ufw allow 80
sudo ufw allow 443
sudo ufw reload
sudo ufw status verbose

Login with the root token:

vault login

Access the Vault UI

http://192.168.8.7:8200/ui

Now, HTTPS for the Vault Server


Goal:

Access Vault at: https://dev.vault.aspireclan.com

With: Cloudflare DNS, Let's Encrypt SSL via DNS-01 challenge, Certbot using a secure API Token, NGINX reverse proxy, Vault running on localhost HTTP


💡Pre-Requirements:

dev.vault.aspireclan.com must point to the Vault Server IP (update A record in prod-dns-01).

After creating the above DNS record, run:

sudo systemctl restart named

Install Required Packages

sudo apt update && sudo apt install -y nginx certbot python3-certbot-dns-cloudflare unzip curl gnupg

Create Cloudflare Credentials File

sudo mkdir -p /etc/letsencrypt
sudo vim /etc/letsencrypt/cloudflare.ini

Add the following line:

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN

Replace YOUR_CLOUDFLARE_API_TOKEN with the token you created.
Secure the file:

sudo chmod 600 /etc/letsencrypt/cloudflare.ini
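Before running certbot it is worth confirming that the credentials file is in the state the two steps above intend: mode 600, the placeholder replaced, and a scoped API token rather than the Cloudflare global API key (the certbot plugin also accepts dns_cloudflare_email plus dns_cloudflare_api_key, which grants far more than DNS edits). The check below is an added example, not part of the original notes or of certbot; the token values used in its usage comment are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): sanity-check the Cloudflare
# credentials file used by certbot-dns-cloudflare. Returns 0 when the file
# is mode 600/400, contains a dns_cloudflare_api_token that is not the
# YOUR_CLOUDFLARE_API_TOKEN placeholder, and does not use the global API key.

check_cloudflare_ini() {
  ini="$1"
  if [ ! -f "$ini" ]; then
    echo "missing: $ini" >&2
    return 1
  fi
  # Only the owner may read the secret.
  mode=$(stat -c '%a' "$ini")
  case "$mode" in
    600|400) ;;
    *) echo "bad mode $mode on $ini (expected 600)" >&2; return 1 ;;
  esac
  # The global API key is account-wide; a scoped token is what these notes use.
  if grep -q '^[[:space:]]*dns_cloudflare_api_key' "$ini"; then
    echo "global API key found in $ini; use a scoped API token instead" >&2
    return 1
  fi
  token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$ini" | head -n 1)
  if [ -z "$token" ]; then
    echo "no dns_cloudflare_api_token line in $ini" >&2
    return 1
  fi
  if [ "$token" = "YOUR_CLOUDFLARE_API_TOKEN" ]; then
    echo "placeholder token still present in $ini" >&2
    return 1
  fi
  echo "ok: $ini"
  return 0
}

# Usage: check_cloudflare_ini /etc/letsencrypt/cloudflare.ini
```

Run it as root against /etc/letsencrypt/cloudflare.ini; a non-zero exit means certbot would either fail or run with a credential that should not be on this host.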

Issue SSL Certificate Using DNS-01 Challenge

sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
-d dev.vault.aspireclan.com \
--preferred-challenges dns-01 \
--agree-tos \
--no-eff-email \
--email aspireclan1208@gmail.com

Output cert files will be at:

/etc/letsencrypt/live/dev.vault.aspireclan.com/
sudo ls -l /etc/letsencrypt/live/dev.vault.aspireclan.com/

Configure NGINX as Reverse Proxy to Vault

Create an NGINX config for Vault:

sudo vim /etc/nginx/sites-available/vault

Paste the following configuration:

server {
  listen 80;
  server_name dev.vault.aspireclan.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name dev.vault.aspireclan.com;

  ssl_certificate /etc/letsencrypt/live/dev.vault.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/dev.vault.aspireclan.com/privkey.pem;

  location / {
      proxy_pass http://127.0.0.1:8200;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

Enable the config:

sudo ln -s /etc/nginx/sites-available/vault /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Update Vault Config to Listen Only on Localhost

Edit Vault config:

sudo vim /etc/vault.d/vault.hcl

Ensure the listener section matches the following: change 0.0.0.0 to 127.0.0.1 so the plaintext port is only reachable through NGINX on this host:

listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = 1
}

storage "file" {
  path = "/opt/vault/data"
}

disable_mlock = true
ui = true

Restart Vault:

sudo systemctl restart vault
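The point of the last edit is that a listener with tls_disable = 1 must never bind a routable address once TLS is handled by NGINX. The script below, an added example rather than anything from the original notes or from Vault, reads /etc/vault.d/vault.hcl in the layout used on this page and fails if any plaintext listener is bound to something other than loopback; the sample configs in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): fail if a Vault HCL config has a
# tls_disable listener bound to a non-loopback address. Line-based parsing that
# follows the listener "tcp" { ... } layout used in these notes.

vault_listener_check() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
  rc=0
  in_listener=0
  addr=""
  tls_off=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *listener*\"tcp\"*\{*) in_listener=1; addr=""; tls_off=0 ;;
    esac
    [ "$in_listener" -eq 1 ] || continue
    case "$line" in
      *address*=*)
        addr=$(printf '%s\n' "$line" | sed 's/.*=[[:space:]]*"\([^"]*\)".*/\1/') ;;
      *tls_disable*=*)
        v=$(printf '%s\n' "$line" | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
        case "$v" in 1|true|\"true\") tls_off=1 ;; esac ;;
      *\}*)
        # End of the listener block: judge the address/tls pair.
        in_listener=0
        host=${addr%:*}
        if [ "$tls_off" -eq 1 ]; then
          case "$host" in
            127.0.0.1|localhost|\[::1\])
              echo "ok: $addr (plaintext, loopback only)" ;;
            *)
              echo "FAIL: $addr accepts plaintext on a non-loopback address" >&2
              rc=1 ;;
          esac
        else
          echo "ok: $addr (tls enabled)"
        fi ;;
    esac
  done < "$cfg"
  return $rc
}

# Usage after editing the config:
#   vault_listener_check /etc/vault.d/vault.hcl && sudo systemctl restart vault
# Confirm the running process agrees:  ss -ltn 'sport = :8200'
```

Run it before the restart; the first-stage config from these notes (0.0.0.0:8200 with tls_disable = 1) fails the check, the NGINX-fronted one passes.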

=====================================================================

Automate SSL Renewal with Cron Job [Optional]

The Ubuntu certbot package already installs a certbot.timer systemd unit that renews certificates automatically, so this cron job is only needed if that timer is disabled. Install cron (and an editor) if they are missing:

sudo apt update
sudo apt install -y cron vim nano

Then enable and start the cron service:

sudo systemctl enable cron
sudo systemctl start cron

Create cron job:

sudo crontab -e

Select vim as the editor (usually option 2), then add:

0 3 * * * certbot renew --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini --quiet --post-hook "systemctl reload nginx"

=====================================================================

Test renewal manually:

sudo certbot renew --dry-run

Test the Setup:

Open your browser and go to:

https://dev.vault.aspireclan.com

=====================================================================