Vault

Comprehensive HashiCorp Vault commands and workflows for secrets management, encryption, and secure access to sensitive data.

Installation & Setup

Command	Description
vault version	Show Vault version
vault server -dev	Start development server
vault server -config=config.hcl	Start with configuration file
vault status	Check server status

Authentication & Login

Basic Authentication

Command	Description
vault auth -method=userpass username=myuser	Login with username/password
vault auth -method=ldap username=myuser	Login with LDAP
vault auth -method=github token=mytoken	Login with GitHub
vault auth -method=aws	Login with AWS IAM
vault auth -method=kubernetes	Login with Kubernetes

Token Management

Command	Description
vault token create	Create new token
vault token create -ttl=1h	Create token with TTL
vault token lookup	Look up current token
vault token renew	Renew current token
vault token revoke TOKEN	Revoke specific token

Secrets Management

Key-Value Secrets (v2)

Command	Description
vault kv put secret/myapp username=admin password=secret	Store secret
vault kv get secret/myapp	Retrieve secret
vault kv get -field=password secret/myapp	Get specific field
vault kv delete secret/myapp	Delete secret
vault kv list secret/	List secrets
vault kv metadata get secret/myapp	Get metadata

Secret Versions

Command	Description
vault kv put secret/myapp @data.json	Store from JSON file
vault kv get -version=2 secret/myapp	Get specific version
vault kv rollback -version=1 secret/myapp	Rollback to version
vault kv destroy -versions=2,3 secret/myapp	Destroy versions
vault kv undelete -versions=2 secret/myapp	Undelete versions

Database Secrets Engine

Database Configuration

Command	Description
vault secrets enable database	Enable database engine
vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url=":@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"	Configure MySQL
vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER ''@'%' IDENTIFIED BY '';GRANT SELECT ON *.* TO ''@'%';" default_ttl="1h" max_ttl="24h"	Create role

Dynamic Credentials

Command	Description
vault read database/creds/my-role	Generate database credentials
vault write database/rotate-root/my-mysql-database	Rotate root credentials

PKI (Public Key Infrastructure)

PKI Setup

Command	Description
vault secrets enable pki	Enable PKI engine
vault secrets tune -max-lease-ttl=87600h pki	Set max TTL
vault write pki/root/generate/internal common_name=example.com ttl=87600h	Generate root CA
vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"	Configure URLs

Certificate Management

Command	Description
vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h	Create role
vault write pki/issue/example-dot-com common_name=test.example.com	Issue certificate
vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58	Revoke certificate

AWS Secrets Engine

AWS Configuration

Command	Description
vault secrets enable aws	Enable AWS engine
vault write aws/config/root access_key=AKIAI... secret_key=R4nm...	Configure root credentials
vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF {...} EOF	Create IAM role

AWS Credentials

Command	Description
vault read aws/creds/my-role	Generate AWS credentials
vault write aws/sts/my-role ttl=15m	Generate STS credentials

Transit Secrets Engine

Encryption Setup

Command	Description
vault secrets enable transit	Enable transit engine
vault write transit/keys/my-key type=aes256-gcm96	Create encryption key
vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")	Encrypt data
vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==	Decrypt data

Key Management

Command	Description
vault write transit/keys/my-key/rotate	Rotate encryption key
vault read transit/keys/my-key	Read key information
vault write transit/rewrap/my-key ciphertext=vault:v1:...	Rewrap with latest key

Policies

Policy Management

Command	Description
vault policy write my-policy policy.hcl	Create/update policy
vault policy read my-policy	Read policy
vault policy list	List all policies
vault policy delete my-policy	Delete policy

Example Policy

# Read operation on the k/v secrets
path "secret/data/*" {
  capabilities = ["read"]
}

# Write operation on the k/v secrets
path "secret/data/myapp/*" {
  capabilities = ["create", "update"]
}

# Deny all access to secret/admin
path "secret/data/admin" {
  capabilities = ["deny"]
}

Auth Methods

Enable Auth Methods

Command	Description
vault auth enable userpass	Enable username/password
vault auth enable ldap	Enable LDAP
vault auth enable github	Enable GitHub
vault auth enable aws	Enable AWS IAM
vault auth enable kubernetes	Enable Kubernetes

Configure Auth Methods

Command	Description
vault write auth/userpass/users/myuser password=mypass policies=my-policy	Create user
vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"	Configure LDAP
vault write auth/github/config organization=myorg	Configure GitHub

Audit Logging

Enable Audit Devices

Command	Description
vault audit enable file file_path=/vault/logs/audit.log	Enable file audit
vault audit enable syslog	Enable syslog audit
vault audit list	List audit devices
vault audit disable file/	Disable audit device

High Availability & Clustering

Cluster Operations

Command	Description
vault operator init	Initialize Vault cluster
vault operator unseal	Unseal Vault
vault operator seal	Seal Vault
vault operator step-down	Step down as leader
vault operator raft list-peers	List Raft peers

Backup & Recovery

Command	Description
vault operator raft snapshot save backup.snap	Create snapshot
vault operator raft snapshot restore backup.snap	Restore snapshot

Configuration Examples

Server Configuration

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true

Auto-unseal with AWS KMS

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-1234-1234-1234-123456789012"
}

Environment Variables

Variable	Description
VAULT_ADDR	Vault server address
VAULT_TOKEN	Authentication token
VAULT_NAMESPACE	Vault namespace (Enterprise)
VAULT_CACERT	CA certificate file
VAULT_CLIENT_CERT	Client certificate file
VAULT_CLIENT_KEY	Client private key file

Best Practices

Security

1. Enable TLS: Always use TLS in production
2. Least Privilege: Grant minimal required permissions
3. Token TTL: Use short-lived tokens
4. Audit Logging: Enable comprehensive audit logging
5. Seal/Unseal: Implement proper seal/unseal procedures

Operations

1. High Availability: Deploy in HA mode for production
2. Backup Strategy: Regular snapshots and backups
3. Monitoring: Monitor Vault health and performance
4. Rotation: Regular key and credential rotation
5. Access Patterns: Monitor and analyze access patterns

Development

1. Dev Mode: Use dev mode only for development
2. Policy Testing: Test policies thoroughly
3. Secret Versioning: Use secret versioning for rollbacks
4. Integration: Integrate with CI/CD pipelines
5. Documentation: Document secret paths and policies