Installing an open-source encryption tool (HashiCorp Vault)

1. Download the Linux release archive

wget https://releases.hashicorp.com/vault/1.9.1/vault_1.9.1_linux_amd64.zip

2. Unzipping the archive produces the vault binary.

Start the server in dev mode as shown below.

$ export VAULT_HOME=$HOME/usr/local/vault-1.9.1

$ vault server -dev
......
2021-12-13T11:32:56.792+0900 [INFO]  identity: entities restored
2021-12-13T11:32:56.792+0900 [INFO]  identity: groups restored
2021-12-13T11:32:56.792+0900 [INFO]  core: post-unseal setup complete
2021-12-13T11:32:56.792+0900 [INFO]  core: vault is unsealed
2021-12-13T11:32:56.800+0900 [INFO]  core: successful mount: namespace="\"\"" path=secret/ type=kv
2021-12-13T11:32:56.808+0900 [INFO]  expiration: lease restore complete
2021-12-13T11:32:56.810+0900 [INFO]  secrets.kv.kv_d442597f: collecting keys to upgrade
2021-12-13T11:32:56.810+0900 [INFO]  secrets.kv.kv_d442597f: done collecting keys: num_keys=1
2021-12-13T11:32:56.810+0900 [INFO]  secrets.kv.kv_d442597f: upgrading keys finished
2021-12-13T11:32:56.813+0900 [INFO]  rollback: starting rollback manager
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: BG/hRtl2nxC36hR4zoCNVI/QMuVUTZL32Jze27Iy2wM=
Root Token: s.Vi42J7ih1IRs40FEZdKTqbu1

Development mode should NOT be used in production installations!

3. Open another terminal window and set up the environment as follows

$ export VAULT_ADDR='http://127.0.0.1:8200'
$ echo "BG/hRtl2nxC36hR4zoCNVI/QMuVUTZL32Jze27Iy2wM=" > unseal.key
$ export VAULT_DEV_ROOT_TOKEN_ID=s.Vi42J7ih1IRs40FEZdKTqbu1

4. Usage: seal/unseal, creating and reading data

[eva@hadoop01 jjh]$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.9.1
Storage Type    inmem
Cluster Name    vault-cluster-e747d46a
Cluster ID      9e1f5b5a-fa55-0b72-bee4-f6e8c1519496
HA Enabled      false
[eva@hadoop01 jjh]$
[eva@hadoop01 jjh]$ vault operator seal
Success! Vault is sealed.
[eva@hadoop01 jjh]$
[eva@hadoop01 jjh]$ vault operator unseal BG/hRtl2nxC36hR4zoCNVI/QMuVUTZL32Jze27Iy2wM=
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.9.1
Storage Type    inmem
Cluster Name    vault-cluster-e747d46a
Cluster ID      9e1f5b5a-fa55-0b72-bee4-f6e8c1519496
HA Enabled      false
[eva@hadoop01 jjh]$ vault kv put secret/hello foo=woorld
Key                Value
---                -----
created_time       2021-12-13T07:39:10.976376945Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2
[eva@hadoop01 jjh]$ vault kv get secret/hello
======= Metadata =======
Key                Value
---                -----
created_time       2021-12-13T07:39:10.976376945Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

=== Data ===
Key    Value
---    -----
foo    woorld

5. Using the Python hvac library

[eva@hadoop01 bin]$ python3
Python 3.9.9 (main, Dec 13 2021, 13:00:28)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hvac
>>> client = hvac.Client(url='http://127.0.0.1:8200', token='s.Vi42J7ih1IRs40FEZdKTqbu1')
>>> client.is_authenticated()
True
>>> client.sys.is_sealed()
False
>>> read_response = client.secrets.kv.read_secret_version(path='hello')
>>> print(read_response)
{'request_id': 'a94f3e8f-c6c1-f397-80f4-975f0950fd1c', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'foo': 'woorld'}, 'metadata': {'created_time': '2021-12-13T06:19:49.288796711Z', 'custom_metadata': None, 'deletion_time': '', 'destroyed': False, 'version': 1}}, 'wrap_info': None, 'warnings': None, 'auth': None}
>>> print(read_response['request_id'])
a94f3e8f-c6c1-f397-80f4-975f0950fd1c
>>> print(read_response['data']['data']['foo'])
woorld
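An added example (not code from the original post): two helpers for the outputs shown above, one that parses the `vault status` table from step 4 into a dict and reports whether the server has to be unsealed before kv commands will work, and one that unpacks the nested data.data structure hvac returns for a KV v2 read, treating a soft-deleted or destroyed version as having no usable data. The live read_secret function is an assumption layered on top: it expects hvac to be installed and VAULT_ADDR and VAULT_TOKEN exported in the shell (hvac reads those two variables, not VAULT_DEV_ROOT_TOKEN_ID); the sample inputs are copied from the session above.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the `vault status` table copied from step 4 above.
SAMPLE_STATUS = """Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Threshold       1
HA Enabled      false
"""

# Constructed sample input: the hvac read response from step 5, trimmed to its 'data' key.
SAMPLE_READ = {"data": {"data": {"foo": "woorld"},
                        "metadata": {"created_time": "2021-12-13T06:19:49.288796711Z", "custom_metadata": None,
                                     "deletion_time": "", "destroyed": False, "version": 1}}}

def parse_status(text: str) -> Dict[str, str]:
    """Turn the two-column `vault status` table into a dict; keys may contain spaces."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Key", "---")):
            continue  # skip blank lines and the two header rows
        parts = re.split(r"\s{2,}", line, maxsplit=1)  # columns are separated by 2+ spaces
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields

def needs_unseal(status: Dict[str, str]) -> bool:
    """True when Vault is initialized but sealed, i.e. the state after `vault operator seal`."""
    return status.get("Initialized") == "true" and status.get("Sealed") == "true"

def unpack_kv2(read_response: dict) -> Tuple[Optional[dict], int, bool]:
    """Return (secret data, version, usable) from an hvac KV v2 read response. KV v2 nests the pairs
    under data.data beside the metadata; a soft-deleted (deletion_time set) or destroyed version has no data."""
    body = read_response["data"]
    meta = body["metadata"]
    usable = body.get("data") is not None and not meta["destroyed"] and not meta["deletion_time"]
    return (body["data"] if usable else None), meta["version"], usable

def read_secret(path: str) -> Tuple[Optional[dict], int, bool]:
    """Live variant (not exercised offline): assumes hvac, VAULT_ADDR and VAULT_TOKEN are available."""
    import hvac  # assumed installed, as in step 5
    client = hvac.Client()  # hvac picks up VAULT_ADDR and VAULT_TOKEN from the environment
    if client.sys.is_sealed():
        raise RuntimeError("Vault is sealed; run `vault operator unseal` first (see step 4)")
    return unpack_kv2(client.secrets.kv.read_secret_version(path=path))
```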