
Vault


A comprehensive collection of HashiCorp Vault commands and workflows for secrets management, encryption, and controlled access to sensitive data.

Installation and Getting Started

| Command | Description |
| --- | --- |
| `vault version` | Show the Vault version |
| `vault server -dev` | Start a development server (in-memory storage, already unsealed, root token printed to the console; never use in production) |
| `vault server -config=config.hcl` | Start with a configuration file |
| `vault status` | Check server status (initialized, seal state, HA mode, version) |

Authentication & Login

Basic Authentication

`vault auth -method=…` is the pre-0.10 CLI syntax; since Vault 0.10 logging in is `vault login`, and `vault auth` only manages auth methods (enable, list, disable). The Kubernetes method has no CLI login helper, so it is driven through `vault write` against its login endpoint.

| Command | Description |
| --- | --- |
| `vault login -method=userpass username=myuser` | Log in with username/password (prompts for the password) |
| `vault login -method=ldap username=myuser` | Log in with LDAP |
| `vault login -method=github token=mytoken` | Log in with a GitHub personal access token |
| `vault login -method=aws role=my-role` | Log in with the AWS IAM credentials found in the environment |
| `vault write auth/kubernetes/login role=my-role jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token` | Log in with a Kubernetes service account token (`@file` reads the JWT from disk) |

Token Management

| Command | Description |
| --- | --- |
| `vault token create` | Create a new token (a child of the current token; revoking the parent revokes it too) |
| `vault token create -ttl=1h` | Create a token with a 1 hour TTL |
| `vault token lookup` | Look up the current token (TTL, policies, accessor, number of uses) |
| `vault token renew` | Renew the current token (only up to its max TTL) |
| `vault token revoke TOKEN` | Revoke a specific token and its children |

Prefer `vault token revoke -accessor ACCESSOR` when you only hold the accessor (for example from the audit log); it revokes the token without the secret value ever being handled.

Secrets Management

Key/Value Secrets Engine (KV v2)

| Command | Description |
| --- | --- |
| `vault kv put secret/myapp username=admin password=secret` | Store a secret (creates a new version) |
| `vault kv get secret/myapp` | Retrieve the latest version of a secret |
| `vault kv get -field=password secret/myapp` | Get a single field (prints only the value, handy in scripts) |
| `vault kv delete secret/myapp` | Soft-delete the latest version (recoverable with `undelete`) |
| `vault kv list secret/` | List secrets under a path |
| `vault kv metadata get secret/myapp` | Get metadata (versions, timestamps, custom metadata) |

The `kv` subcommands add the API prefix for you: `secret/myapp` becomes `secret/data/myapp` for reads and writes and `secret/metadata/myapp` for listing and metadata. Policies must grant those API paths, not the CLI path.

Secret Versions

| Command | Description |
| --- | --- |
| `vault kv put secret/myapp @data.json` | Store key/value pairs from a JSON file |
| `vault kv get -version=2 secret/myapp` | Get a specific version |
| `vault kv rollback -version=1 secret/myapp` | Roll back: write the data of version 1 as a new version |
| `vault kv destroy -versions=2,3 secret/myapp` | Permanently destroy versions 2 and 3 (data is wiped, metadata stays) |
| `vault kv undelete -versions=2 secret/myapp` | Undelete a soft-deleted version |

Database Secrets Engine

Database Configuration

| Command | Description |
| --- | --- |
| `vault secrets enable database` | Enable the database engine |
| `vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"` | Configure a MySQL connection; `{{username}}`/`{{password}}` are template placeholders filled from the `username`/`password` fields, so rotating the root credential does not require rewriting the URL |
| `vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"` | Create a role; Vault runs the creation statements for every credential request, substituting a generated `{{name}}` and `{{password}}` |

Dynamic Credentials

| Command | Description |
| --- | --- |
| `vault read database/creds/my-role` | Generate a short-lived database user (returns username, password and a `lease_id`) |
| `vault write -f database/rotate-root/my-mysql-database` | Rotate the root credentials so that only Vault knows them (run right after `config`; the endpoint takes no data, hence `-f`) |
| `vault lease revoke LEASE_ID` | Revoke a generated user before its TTL expires |

PKI (Public Key Infrastructure)

PKI Setup

| Command | Description |
| --- | --- |
| `vault secrets enable pki` | Enable the PKI engine |
| `vault secrets tune -max-lease-ttl=87600h pki` | Raise the mount's max TTL (10 years) so the root CA can be issued with a long lifetime |
| `vault write pki/root/generate/internal common_name=example.com ttl=87600h` | Generate a root CA; the private key never leaves Vault |
| `vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"` | Configure the AIA and CRL URLs embedded in issued certificates |

Certificate Management

| Command | Description |
| --- | --- |
| `vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h` | Create a role; `allow_subdomains=true` permits `*.example.com`, while `example.com` itself additionally needs `allow_bare_domains=true` |
| `vault write pki/issue/example-dot-com common_name=test.example.com` | Issue a certificate (returns certificate, private key, issuing CA and serial) |
| `vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58` | Revoke a certificate by serial; the serial must be in Vault's lowercase colon-separated form, as shown by `vault list pki/certs` |
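The PKI setup and certificate management tables above form one procedure. The following script, an added example rather than code from the page, runs it end to end against a live Vault: issue a leaf certificate, verify it against the Vault CA with `openssl`, and revoke it by serial. Mount `pki`, role `example-dot-com` and the domain names are taken from the tables; the `/tmp` file locations are assumptions. The `vault_serial` helper addresses the gotcha that `openssl x509 -serial` prints `serial=39DD2E90...` while `pki/revoke` and `pki/cert/<serial>` expect `39:dd:2e:90:...`.

```sh
#!/bin/sh
# Added example, not code from the page: issue a certificate, verify it
# against the Vault CA with openssl, and revoke it by serial. Mount "pki",
# role "example-dot-com" and the domain names are the page's; the file
# locations under /tmp are assumptions.

# openssl prints "serial=39DD2E90..."; Vault's revoke endpoint and
# pki/cert/<serial> want the lowercase, colon-separated form
# "39:dd:2e:90:...". Convert the former into the latter.
vault_serial() {
  hex=$(printf '%s\n' "$1" | sed 's/^serial=//' | tr 'A-F' 'a-f')
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Live run against a Vault the caller has admin rights on (a dev server is fine).
demo_pki() {
  vault secrets enable pki 2>/dev/null || true        # already enabled is fine
  vault secrets tune -max-lease-ttl=87600h pki
  vault write -field=certificate pki/root/generate/internal \
      common_name=example.com ttl=87600h > /tmp/ca.pem
  vault write pki/roles/example-dot-com allowed_domains=example.com \
      allow_subdomains=true max_ttl=72h
  vault write -field=certificate pki/issue/example-dot-com \
      common_name=test.example.com > /tmp/leaf.pem
  openssl verify -CAfile /tmp/ca.pem /tmp/leaf.pem    # prints "/tmp/leaf.pem: OK"
  serial=$(vault_serial "$(openssl x509 -in /tmp/leaf.pem -noout -serial)")
  vault write pki/revoke serial_number="$serial"
  # revocation_time is 0 for a live certificate and a unix timestamp once revoked
  vault read -field=revocation_time "pki/cert/$serial"
}

if command -v vault >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 \
   && [ -n "${VAULT_ADDR:-}" ] && vault status >/dev/null 2>&1; then
  demo_pki
fi
```

The live part only runs when `vault` and `openssl` are on the PATH and `VAULT_ADDR` points at a reachable server; `vault_serial` works offline. Note that `pki/root/generate/internal` on a mount that already has a root CA fails on older Vault versions and creates an additional issuer on 1.11 and later, so run the demo on a fresh mount.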

AWS Secrets Engine

AWS Configuration

| Command | Description |
| --- | --- |
| `vault secrets enable aws` | Enable the AWS engine |
| `vault write aws/config/root access_key=AKIAI... secret_key=R4nm...` | Configure the root credentials Vault uses to create users and assume roles; rotate them afterwards with `vault write -f aws/config/rotate-root` so only Vault knows them |
| `vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF {...} EOF` | Create an `iam_user` role from an inline IAM policy document (`policy_document=-` reads it from stdin) |

AWS Credentials

| Command | Description |
| --- | --- |
| `vault read aws/creds/my-role` | Generate AWS credentials (an IAM user with an access key for `iam_user` roles) |
| `vault write aws/sts/my-role ttl=15m` | Generate short-lived STS credentials (for roles of type `assumed_role` or `federation_token`) |

Transit Secrets Engine

Encryption Setup

| Command | Description |
| --- | --- |
| `vault secrets enable transit` | Enable the transit engine (encryption as a service; keys never leave Vault) |
| `vault write transit/keys/my-key type=aes256-gcm96` | Create an encryption key |
| `vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")` | Encrypt data (plaintext must be base64-encoded) |
| `vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==` | Decrypt data (returns base64-encoded plaintext; the `v1` marks the key version used) |

Key Management

| Command | Description |
| --- | --- |
| `vault write -f transit/keys/my-key/rotate` | Rotate the key: new data is encrypted with the new version, older versions remain decryptable (`-f` because the endpoint takes no data) |
| `vault read transit/keys/my-key` | Read key information (`latest_version`, `min_decryption_version`, type) |
| `vault write transit/rewrap/my-key ciphertext=vault:v1:...` | Rewrap an old ciphertext under the latest key version without exposing the plaintext |
| `vault write transit/keys/my-key/config min_decryption_version=2` | Retire older versions once everything has been rewrapped |
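Rotation alone does not retire the old key version: stored ciphertexts still carry `vault:v1:`, and they stay decryptable until `min_decryption_version` is raised. The script below is an added example (not code from the page) showing the full cycle: detect ciphertexts that predate the key's latest version from their `vault:v<N>:` prefix, rewrap them, then raise `min_decryption_version`. The key name `my-key` is taken from the tables; the sample ciphertexts in the checks are constructed.

```sh
#!/bin/sh
# Added example, not code from the page: find ciphertexts that predate the
# key's latest version and rewrap them after a rotation. Key name "my-key"
# is the page's; the sample plaintext is constructed.

# Transit ciphertexts are "vault:v<N>:<base64>"; N is the key version that
# produced them. Print N, fail on anything else.
transit_ct_version() {
  case "$1" in
    vault:v[0-9]*:*) ;;
    *) printf 'not a transit ciphertext: %s\n' "$1" >&2; return 1 ;;
  esac
  v="${1#vault:v}"
  printf '%s\n' "${v%%:*}"
}

# Print "yes" if the ciphertext was made with a key version older than <latest>.
needs_rewrap() {
  if [ "$(transit_ct_version "$1")" -lt "$2" ]; then echo yes; else echo no; fi
}

# Live run against a Vault the caller has rights on (a dev server is fine).
demo_transit_rotation() {
  vault secrets enable transit 2>/dev/null || true    # already enabled is fine
  vault write transit/keys/my-key type=aes256-gcm96
  ct=$(vault write -field=ciphertext transit/encrypt/my-key \
         plaintext="$(printf 'my secret data' | base64)")
  vault write -f transit/keys/my-key/rotate           # new version; old ones still decrypt
  latest=$(vault read -field=latest_version transit/keys/my-key)
  if [ "$(needs_rewrap "$ct" "$latest")" = yes ]; then
    # rewrap re-encrypts server-side under the latest version; plaintext never leaves Vault
    ct=$(vault write -field=ciphertext transit/rewrap/my-key ciphertext="$ct")
  fi
  # once every stored ciphertext has been rewrapped, retire the old versions
  vault write transit/keys/my-key/config min_decryption_version="$latest"
  vault write -field=plaintext transit/decrypt/my-key ciphertext="$ct" | base64 -d
  echo
}

if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ] \
   && vault status >/dev/null 2>&1; then
  demo_transit_rotation
fi
```

In a real deployment the rewrap loop runs over every ciphertext in your datastore; raise `min_decryption_version` only after all of them report `no` from `needs_rewrap`, otherwise the remaining old ciphertexts become undecryptable.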

Policies

Policy Management

| Command | Description |
| --- | --- |
| `vault policy write my-policy policy.hcl` | Create or update a policy from an HCL file |
| `vault policy read my-policy` | Read a policy |
| `vault policy list` | List all policies |
| `vault policy delete my-policy` | Delete a policy (tokens that reference it lose those permissions) |

Example Policy

```hcl
# Read operation on the k/v secrets (KV v2 API path: secret/data/...)
path "secret/data/*" {
  capabilities = ["read"]
}

# Write operation on the k/v secrets under myapp/
path "secret/data/myapp/*" {
  capabilities = ["create", "update"]
}

# Deny all access to secret/admin; "deny" wins over the read grant above,
# since the most specific matching path applies
path "secret/data/admin" {
  capabilities = ["deny"]
}
```

Two things this policy does not grant: `vault kv list` and `vault kv metadata get`, which need `list`/`read` on `secret/metadata/*`, and `secret/data/admin/*` (sub-paths of the denied secret), which the first rule still allows.

Auth Methods

Enable Auth Methods

| Command | Description |
| --- | --- |
| `vault auth enable userpass` | Enable username/password |
| `vault auth enable ldap` | Enable LDAP |
| `vault auth enable github` | Enable GitHub |
| `vault auth enable aws` | Enable AWS IAM |
| `vault auth enable kubernetes` | Enable Kubernetes |

Configure Auth Methods

| Command | Description |
| --- | --- |
| `vault write auth/userpass/users/myuser password=mypass policies=my-policy` | Create a user and attach a policy |
| `vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"` | Configure LDAP (in production use `ldaps://` or add `starttls=true`, otherwise bind passwords cross the network in the clear) |
| `vault write auth/github/config organization=myorg` | Configure GitHub (only members of this organization can log in) |
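The KV v2, Policies and Auth Methods sections above together describe one workflow: write a policy for the API paths the `kv` commands hit, attach it to a userpass user, and confirm the user can read only what the policy allows. The script below is an added example, not code from the page, that does exactly that. `kv2_api_path` maps a `vault kv` subcommand and CLI path to the API path a policy must name, `kv2_policy` emits a read-only policy from it, and `demo_policy_flow` exercises the result against a live Vault. Mount `secret`, prefix `myapp`, policy `myapp-ro` and user `myuser`/`mypass` are assumptions.

```sh
#!/bin/sh
# Added example, not code from the page: KV v2 policy paths and an
# end-to-end check of a read-only userpass user. Names below are
# assumptions: mount "secret", app prefix "myapp", policy "myapp-ro",
# user "myuser"/"mypass".

# Map a `vault kv` subcommand and CLI path (secret/myapp) to the API path
# the request actually hits, which is the path a policy must grant.
kv2_api_path() {
  op="$1"; p="$2"
  mount="${p%%/*}"; rest="${p#*/}"
  case "$op" in
    get|put|patch|delete) printf '%s/data/%s\n' "$mount" "$rest" ;;
    list|metadata)        printf '%s/metadata/%s\n' "$mount" "$rest" ;;
    destroy)              printf '%s/destroy/%s\n' "$mount" "$rest" ;;
    undelete)             printf '%s/undelete/%s\n' "$mount" "$rest" ;;
    *) printf 'unknown kv subcommand: %s\n' "$op" >&2; return 1 ;;
  esac
}

# Emit a read-only policy for <mount>/<prefix>/*. Without the metadata
# stanza `vault kv list` and `vault kv metadata get` are denied even
# though reads succeed.
kv2_policy() {
  mount="$1"; prefix="$2"
  printf '%s\n' \
    "# read current and historical versions under ${mount}/${prefix}/" \
    "path \"$(kv2_api_path get "${mount}/${prefix}")/*\" {" \
    '  capabilities = ["read"]' \
    '}' \
    '' \
    '# needed for `vault kv list` and `vault kv metadata get`' \
    "path \"$(kv2_api_path list "${mount}/${prefix}")/*\" {" \
    '  capabilities = ["read", "list"]' \
    '}'
}

# Live check against a running Vault (a dev server is fine). The caller's
# token needs admin rights; -no-store keeps the user's token out of
# ~/.vault-token so the caller stays logged in.
demo_policy_flow() {
  kv2_policy secret myapp > /tmp/myapp-ro.hcl
  vault policy write myapp-ro /tmp/myapp-ro.hcl
  vault auth enable userpass 2>/dev/null || true      # already enabled is fine
  vault write auth/userpass/users/myuser password=mypass policies=myapp-ro
  vault kv put secret/myapp/db username=admin password=secret >/dev/null
  vault kv put secret/admin/root key=x >/dev/null
  user_token=$(vault login -method=userpass -field=token -no-store \
                 username=myuser password=mypass)
  VAULT_TOKEN="$user_token" vault kv get -field=username secret/myapp/db   # admin
  VAULT_TOKEN="$user_token" vault kv list secret/myapp                     # db
  if VAULT_TOKEN="$user_token" vault kv get secret/admin/root >/dev/null 2>&1; then
    echo "ERROR: secret/admin/root is readable by myuser" >&2
    return 1
  fi
  echo "policy behaves as expected"
}

if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ] \
   && vault status >/dev/null 2>&1; then
  demo_policy_flow
fi
```

The two helpers run offline; the live part only runs when `vault` is on the PATH and `VAULT_ADDR` points at a reachable server. The negative check at the end is the part worth keeping in a CI job: a policy test that only confirms allowed reads never catches an over-broad glob.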

Audit Logging

Enable Audit Devices

| Command | Description |
| --- | --- |
| `vault audit enable file file_path=/vault/logs/audit.log` | Enable a file audit device |
| `vault audit enable syslog` | Enable a syslog audit device |
| `vault audit list` | List audit devices |
| `vault audit disable file` | Disable an audit device |

Sensitive request and response fields are HMAC-SHA256'd before they are logged, so the log can be shipped to a SIEM without leaking secrets. Once at least one audit device is enabled, Vault refuses to serve a request that it cannot write to any audit device, so enable two devices (for example file and syslog) rather than one that can fill its disk.

High Availability and Clustering

Cluster Operations

| Command | Description |
| --- | --- |
| `vault operator init` | Initialize the Vault cluster (prints the unseal key shares and the initial root token once; store them separately) |
| `vault operator unseal` | Unseal Vault (run once per key share until the threshold is reached) |
| `vault operator seal` | Seal Vault (drops the master key from memory; all requests are rejected until unsealed) |
| `vault operator step-down` | Step down as the active (leader) node |
| `vault operator raft list-peers` | List Raft peers and their voter status |

Backup & Recovery

| Command | Description |
| --- | --- |
| `vault operator raft snapshot save backup.snap` | Create a snapshot of the integrated (Raft) storage |
| `vault operator raft snapshot restore backup.snap` | Restore a snapshot (add `-force` when restoring into a different cluster, since the snapshot's cluster ID will not match) |

A snapshot is encrypted with the cluster's master key, so a restore also needs the unseal keys (or auto-unseal KMS key) of the cluster that produced it.

Configuration Examples

Server Configuration

```hcl
# Consul storage backend (storage "raft" is the integrated alternative
# used by the operator raft commands above)
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1   # lab use only: in production set tls_cert_file and tls_key_file instead
}

api_addr     = "http://127.0.0.1:8200"    # becomes https:// once TLS is enabled
cluster_addr = "https://127.0.0.1:8201"   # cluster port is always TLS
ui           = true
```

Auto-unseal with AWS KMS

```hcl
# Vault unseals itself at start-up by decrypting the master key with this KMS key;
# the Vault instance role needs kms:Encrypt, kms:Decrypt and kms:DescribeKey on it
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-1234-1234-1234-123456789012"
}
```

Environment Variables

| Variable | Description |
| --- | --- |
| `VAULT_ADDR` | Vault server address (defaults to `https://127.0.0.1:8200`) |
| `VAULT_TOKEN` | Authentication token (takes precedence over the token helper's `~/.vault-token`) |
| `VAULT_NAMESPACE` | Vault namespace (Enterprise) |
| `VAULT_CACERT` | CA certificate file used to verify the server |
| `VAULT_CLIENT_CERT` | Client certificate file (TLS client auth) |
| `VAULT_CLIENT_KEY` | Client private key file |

Best Practices

Security

  1. **Enable TLS**: Always use TLS in production
  2. **Least Privilege**: Grant the minimum permissions needed
  3. **Token TTL**: Use short-lived tokens
  4. **Audit Logging**: Enable complete audit logging
  5. **Seal/Unseal**: Follow proper seal/unseal procedures

Operations

  1. **High Availability**: Deploy in HA mode for production
  2. **Backup Strategy**: Take regular snapshots and backups
  3. **Monitoring**: Monitor Vault health and performance
  4. **Rotation**: Rotate keys and credentials regularly
  5. **Access Patterns**: Monitor and analyze access patterns

Development

  1. **Dev Mode**: Use only for development
  2. **Policy Testing**: Test policies thoroughly, including the paths that must be denied
  3. **Secret Versioning**: Use secret versioning for rollbacks
  4. **Integration**: Integrate with CI/CD pipelines
  5. **Documentation**: Document secret paths and policies