# Vault

Comprehensive HashiCorp Vault commands and workflows for secrets management, encryption and secure access to sensitive data.
## Installation and Getting Started
| Command | Description |
|---|---|
| INLINE_CODE_3 | Show Vault version |
| INLINE_CODE_4 | Start development server |
| INLINE_CODE_5 | Start with configuration file |
| INLINE_CODE_6 | Check server status |
## Authentication & Login
### Basic Authentication
| Command | Description |
|---|---|
| INLINE_CODE_7 | Login with username/password |
| INLINE_CODE_8 | Login with LDAP |
| INLINE_CODE_9 | Login with GitHub |
| INLINE_CODE_10 | Login with AWS IAM |
| INLINE_CODE_11 | Login with Kubernetes |
### Token Management
## Secrets Management
### Key/Value Secrets (KV v2)
| Command | Description |
|---|---|
| INLINE_CODE_17 | Store secret |
| INLINE_CODE_18 | Retrieve secret |
| INLINE_CODE_19 | Get specific field |
| INLINE_CODE_20 | Delete secret |
| INLINE_CODE_21 | List secrets |
| INLINE_CODE_22 | Get metadata |
### Secret Versions
| Command | Description |
|---|---|
| INLINE_CODE_23 | Store from JSON file |
| INLINE_CODE_24 | Get specific version |
| INLINE_CODE_25 | Rollback to version |
| INLINE_CODE_26 | Destroy versions |
| INLINE_CODE_27 | Undelete versions |
## Database Secrets Engine
### Database Configuration
| Command | Description |
|---|---|
| INLINE_CODE_28 | Enable database engine |
| INLINE_CODE_29 | Configure MySQL |
| INLINE_CODE_30 | Create role |
### Dynamic Credentials
| Command | Description |
|---|---|
| INLINE_CODE_31 | Generate database credentials |
| INLINE_CODE_32 | Rotate root credentials |
## PKI (Public Key Infrastructure)
### PKI Setup
| Command | Description |
|---|---|
| INLINE_CODE_33 | Enable PKI engine |
| INLINE_CODE_34 | Set max TTL |
| INLINE_CODE_35 | Generate root CA |
| INLINE_CODE_36 | Configure URLs |
### Certificate Management
| Command | Description |
|---|---|
| INLINE_CODE_37 | Create role |
| INLINE_CODE_38 | Issue certificate |
| INLINE_CODE_39 | Revoke certificate |
## AWS Secrets Engine
### AWS Configuration
| Command | Description |
|---|---|
| INLINE_CODE_40 | Enable AWS engine |
| INLINE_CODE_41 | Configure root credentials |
| INLINE_CODE_42 | Create IAM role |
### AWS Credentials
| Command | Description |
|---|---|
| INLINE_CODE_43 | Generate AWS credentials |
| INLINE_CODE_44 | Generate STS credentials |
## Transit Secrets Engine
### Encryption Setup
| Command | Description |
|---|---|
| INLINE_CODE_45 | Enable transit engine |
| INLINE_CODE_46 | Create encryption key |
| INLINE_CODE_47 | Encrypt data |
| INLINE_CODE_48 | Decrypt data |
### Key Management
| Command | Description |
|---|---|
| INLINE_CODE_49 | Rotate encryption key |
| INLINE_CODE_50 | Read key information |
| INLINE_CODE_51 | Rewrap with latest key |
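Rotating a transit key does not touch data that was already encrypted: every ciphertext carries the key version that produced it (`vault:v<N>:<base64>`), old versions stay decryptable until `min_decryption_version` is raised, and `rewrap` moves a ciphertext to the latest version without exposing the plaintext. The helper below, an added example and not part of the original page or HashiCorp's tooling, parses that prefix to decide which stored ciphertexts still need rewrapping after a rotation, and flags the operational trap of raising `min_decryption_version` past ciphertexts that are still in use. The sample ciphertexts are constructed placeholders, not real Vault output; the version fields mirror what `vault read transit/keys/<name>` returns.

```python
import base64
import re
from dataclasses import dataclass

# Transit ciphertext format: "vault:v<key version>:<base64 payload>".
_CT_RE = re.compile(r"^vault:v(\d+):(.+)$")


def ciphertext_version(ciphertext: str) -> int:
    """Return the key version that encrypted this ciphertext; reject anything not in transit format."""
    m = _CT_RE.match(ciphertext)
    if not m:
        raise ValueError(f"not a transit ciphertext: {ciphertext[:16]!r}")
    return int(m.group(1))


def to_transit_plaintext(data: bytes) -> str:
    """transit/encrypt only accepts base64 plaintext; raw bytes (e.g. a data key) must be wrapped first."""
    return base64.b64encode(data).decode("ascii")


def from_transit_plaintext(b64: str) -> bytes:
    """transit/decrypt returns base64 too; validate=True rejects garbage instead of silently ignoring it."""
    return base64.b64decode(b64, validate=True)


@dataclass(frozen=True)
class KeyState:
    latest_version: int          # `latest_version` from `vault read transit/keys/<name>`
    min_decryption_version: int  # `min_decryption_version` from the same output


def triage(ciphertexts, key: KeyState) -> dict[str, list[str]]:
    """Bucket stored ciphertexts: already on the latest key, safe to rewrap, or no longer decryptable."""
    buckets: dict[str, list[str]] = {"current": [], "rewrap": [], "undecryptable": []}
    for ct in ciphertexts:
        v = ciphertext_version(ct)
        if v < key.min_decryption_version:
            buckets["undecryptable"].append(ct)   # min_decryption_version was raised too early
        elif v < key.latest_version:
            buckets["rewrap"].append(ct)          # candidate for transit/rewrap/<name>
        else:
            buckets["current"].append(ct)
    return buckets


def safe_min_decryption_version(ciphertexts) -> int:
    """Highest min_decryption_version that orphans nothing: the oldest version still present in the inventory."""
    return min(ciphertext_version(ct) for ct in ciphertexts)


# Constructed sample inventory (placeholder payloads, not real Vault output).
SAMPLE_CIPHERTEXTS = [
    "vault:v1:Zm9vYmFyLWNpcGhlcnRleHQtMQ==",
    "vault:v2:Zm9vYmFyLWNpcGhlcnRleHQtMg==",
    "vault:v3:Zm9vYmFyLWNpcGhlcnRleHQtMw==",
]

if __name__ == "__main__":
    # Key rotated to v3, and min_decryption_version already bumped to 2.
    print(triage(SAMPLE_CIPHERTEXTS, KeyState(latest_version=3, min_decryption_version=2)))
    print("safe min_decryption_version:", safe_min_decryption_version(SAMPLE_CIPHERTEXTS))
```

The safe order after a rotation is therefore: rewrap everything that `triage` puts in `rewrap`, confirm the inventory's oldest version with `safe_min_decryption_version`, and only then raise `min_decryption_version` on the key.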
## Policies
### Policy Management
| Command | Description |
|---|---|
| INLINE_CODE_52 | Create/update policy |
| INLINE_CODE_53 | Read policy |
| INLINE_CODE_54 | List all policies |
| INLINE_CODE_55 | Delete policy |
### Example Policy

```hcl
# Read operation on the k/v secrets
path "secret/data/*" {
  capabilities = ["read"]
}

# Write operation on the k/v secrets
path "secret/data/myapp/*" {
  capabilities = ["create", "update"]
}

# Deny all access to secret/admin
path "secret/data/admin" {
  capabilities = ["deny"]
}
```
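Vault does not merge the capabilities of every rule that matches a request: it picks the single most specific matching path (an exact path beats a glob, a longer literal prefix beats a shorter one) and applies only that rule's capabilities, with `deny` overriding everything. That makes the policy above behave differently from how it reads: the `secret/data/myapp/*` rule grants create/update but takes away the read that `secret/data/*` would have given, and the exact-path deny on `secret/data/admin` does not cover `secret/data/admin/anything`. The evaluator below is an added example, not code from the page or from Vault, and implements a simplified version of those rules (exact match, then longest literal prefix, then a `+` segment pattern over a trailing `*`; Vault has further tie-breakers that are omitted here). The `parse_policy` function only understands the `path "..." { capabilities = [...] }` blocks used on this page.

```python
import re

# Minimal parser for the `path "<pattern>" { capabilities = [...] }` subset of Vault policy HCL.
_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Return {path pattern: capabilities} for every path block in the policy text."""
    rules: dict[str, set[str]] = {}
    for m in _RULE_RE.finditer(hcl):
        rules[m.group(1)] = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
    return rules


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """A trailing '*' is a prefix match; a '+' segment matches exactly one path segment."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def _specificity(pattern: str) -> tuple:
    """Sort key: exact path > longer literal prefix before the first wildcard > '+' pattern over trailing '*'."""
    first_wild = next((i for i, ch in enumerate(pattern) if ch in "*+"), len(pattern))
    return (first_wild == len(pattern), first_wild, not pattern.endswith("*"))


def merge_policies(policies: list[dict[str, set[str]]]) -> dict[str, set[str]]:
    """Identical patterns across the token's policies are unioned; a 'deny' anywhere wins for that pattern."""
    merged: dict[str, set[str]] = {}
    for rules in policies:
        for pattern, caps in rules.items():
            merged.setdefault(pattern, set()).update(caps)
    for caps in merged.values():
        if "deny" in caps:
            caps.intersection_update({"deny"})
    return merged


def is_allowed(policies: list[dict[str, set[str]]], path: str, capability: str) -> bool:
    """Default deny; otherwise only the single most specific matching rule decides."""
    merged = merge_policies(policies)
    matches = [p for p in merged if _pattern_to_regex(p).match(path)]
    if not matches:
        return False
    best = max(matches, key=_specificity)
    return "deny" not in merged[best] and capability in merged[best]


# The policy from this page, verbatim.
PAGE_POLICY = """
# Read operation on the k/v secrets
path "secret/data/*" {
  capabilities = ["read"]
}

# Write operation on the k/v secrets
path "secret/data/myapp/*" {
  capabilities = ["create", "update"]
}

# Deny all access to secret/admin
path "secret/data/admin" {
  capabilities = ["deny"]
}
"""

if __name__ == "__main__":
    attached = [parse_policy(PAGE_POLICY)]
    for path, cap in [("secret/data/other/key", "read"), ("secret/data/myapp/db", "read"),
                      ("secret/data/myapp/db", "create"), ("secret/data/admin", "read"),
                      ("secret/data/admin/nested", "read")]:
        print(f"{cap:6} {path:28} -> {'allow' if is_allowed(attached, path, cap) else 'deny'}")
```

Two practical consequences for KV v2: a token that should both read and write `secret/data/myapp/*` needs `read` listed in that same rule, and `vault kv list` is authorised on `secret/metadata/...` with the `list` capability, which none of the rules above grant. Whether a write needs `create` or `update` depends on whether the key already exists, so most write rules carry both.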
## Auth Methods
### Enabling Auth Methods
| Command | Description |
|---|---|
| INLINE_CODE_56 | Enable username/password |
| INLINE_CODE_57 | Enable LDAP |
| INLINE_CODE_58 | Enable GitHub |
| INLINE_CODE_59 | Enable AWS IAM |
| INLINE_CODE_60 | Enable Kubernetes |
### Configuring Auth Methods
| Command | Description |
|---|---|
| INLINE_CODE_61 | Create user |
| INLINE_CODE_62 | Configure LDAP |
| INLINE_CODE_63 | Configure GitHub |
## Audit Logging
### Enabling Audit Devices
| Command | Description |
|---|---|
| INLINE_CODE_64 | Enable file audit |
| INLINE_CODE_65 | Enable syslog audit |
| INLINE_CODE_66 | List audit devices |
| INLINE_CODE_67 | Disable audit device |
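Enabling an audit device only produces data; somebody still has to read it. Vault's file and syslog devices emit one JSON object per line, a `request` entry when a call arrives and a `response` entry when it completes, with token values HMAC-SHA256'd by default so the log can be shipped to a SIEM without leaking credentials. The detector below is an added example, not part of the page or of Vault, and runs three checks a SOC would want over those entries: use of a token carrying the `root` policy, mutating calls to control-plane paths (`sys/policies/acl/`, `sys/audit`, `sys/auth/`, `sys/mounts/`, `sys/seal`, `sys/step-down`), and repeated failed requests from one source address. The log lines are constructed in the shape of the file audit device; the timestamps, addresses and HMAC values are invented.

```python
import json
from collections import Counter

# Control-plane paths whose create/update/delete should always be reviewed.
CONTROL_PLANE_PREFIXES = (
    "sys/policies/acl/", "sys/policy/",   # ACL policies
    "sys/audit",                          # audit devices enabled/disabled
    "sys/auth/", "sys/mounts/",           # auth methods and secrets engines
    "sys/seal", "sys/step-down",          # availability
)
MUTATING_OPS = {"create", "update", "delete"}
PERMISSION_DENIED = "1 error occurred:\n\t* permission denied\n\n"


def analyze_audit_log(lines, fail_threshold: int = 3) -> list[dict]:
    """Return findings for root-token use, control-plane changes and repeated failures per source."""
    findings: list[dict] = []
    failures_by_source: Counter = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        # Each call yields a request and a response entry; the response carries 'error', so evaluate there.
        if entry.get("type") != "response":
            continue
        req = entry.get("request") or {}
        auth = entry.get("auth") or {}
        path, op = req.get("path", ""), req.get("operation", "")
        src = req.get("remote_address", "unknown")
        actor = auth.get("display_name") or auth.get("accessor") or "unauthenticated"
        policies = set(auth.get("policies") or []) | set(auth.get("token_policies") or [])
        if "root" in policies:
            findings.append({"rule": "root-token-use", "actor": actor, "path": path, "src": src})
        if path.startswith(CONTROL_PLANE_PREFIXES) and op in MUTATING_OPS:
            findings.append({"rule": "control-plane-change", "actor": actor, "path": path, "src": src})
        if entry.get("error"):
            failures_by_source[src] += 1
    for src, n in failures_by_source.items():
        if n >= fail_threshold:
            findings.append({"rule": "repeated-failures", "src": src, "count": n})
    return findings


def _entry(kind, display_name, policies, op, path, src, error=""):
    """Build one constructed audit line in the file device's layout (tokens HMAC'd, as Vault does by default)."""
    return json.dumps({
        "time": "2024-05-01T10:00:00Z", "type": kind,
        "auth": {"client_token": "hmac-sha256:c0ffee", "accessor": "hmac-sha256:acc0",
                 "display_name": display_name, "policies": policies, "token_type": "service"},
        "request": {"id": "req-1", "operation": op, "path": path, "remote_address": src},
        "error": error,
    })


# Constructed sample log: a normal read, a root token rewriting a policy, and three denied reads from one host.
SAMPLE_AUDIT_LOG = [
    _entry("request", "userpass-alice", ["default", "myapp"], "read", "secret/data/myapp/db", "10.0.0.5"),
    _entry("response", "userpass-alice", ["default", "myapp"], "read", "secret/data/myapp/db", "10.0.0.5"),
    _entry("response", "root", ["root"], "update", "sys/policies/acl/admin", "10.0.0.9"),
] + [
    _entry("response", "userpass-bob", ["default"], "read", "secret/data/admin", "203.0.113.7", PERMISSION_DENIED)
    for _ in range(3)
]

if __name__ == "__main__":
    for finding in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

Two caveats when operating this in production: Vault fails closed on auditing, so if every enabled audit device becomes unwritable (full disk, dead syslog socket) requests stop being served, which is why two devices are normally enabled; and `log_raw=true` on a device turns off the HMAC protection and writes secrets in clear, so it has no place outside a lab.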
## High Availability and Clustering
### Cluster Operations
| Command | Description |
|---|---|
| INLINE_CODE_68 | Initialize Vault cluster |
| INLINE_CODE_69 | Unseal Vault |
| INLINE_CODE_70 | Seal Vault |
| INLINE_CODE_71 | Step down as leader |
| INLINE_CODE_72 | List Raft peers |
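`vault operator init -key-shares=5 -key-threshold=3` splits the root key with Shamir's secret sharing over GF(2^8): each byte of the key becomes the constant term of a fresh random degree-2 polynomial, each key holder receives that polynomial evaluated at their own x coordinate, and any 3 of the 5 shares recover the key while 2 shares reveal nothing. `vault operator unseal` is simply the act of handing those shares back until the threshold is met. The implementation below is an added example, written to show the mechanism, and is not Vault's own `shamir` package, although it follows the same conventions (AES reduction polynomial 0x11B, secret at x=0, share = y bytes followed by the x coordinate as the last byte). It uses sequential x coordinates for readability where Vault picks random distinct ones; the 32-byte sample secret is constructed.

```python
import secrets


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B), the field Vault's shamir package uses."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 in GF(2^8); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    result = 1
    for _ in range(254):
        result = _gf_mul(result, a)
    return result


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term, i.e. the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = _gf_mul(acc, x) ^ c
    return acc


def split_secret(secret: bytes, shares: int, threshold: int) -> list[bytes]:
    """Split `secret` into `shares` pieces of which any `threshold` reconstruct it."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    xs = list(range(1, shares + 1))            # x=0 is reserved for the secret itself
    ys = [bytearray() for _ in xs]
    for byte in secret:
        # Independent random polynomial of degree threshold-1 per byte, constant term = secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i, x in enumerate(xs):
            ys[i].append(_eval_poly(coeffs, x))
    # Share layout: y bytes, then the x coordinate as the final byte.
    return [bytes(y) + bytes([x]) for y, x in zip(ys, xs)]


def combine_shares(shares: list[bytes]) -> bytes:
    """Lagrange-interpolate each byte position at x=0. Fewer than threshold shares yield random bytes, not the key."""
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs) or len({len(s) for s in shares}) != 1:
        raise ValueError("shares must have distinct x coordinates and equal length")
    out = bytearray()
    for idx in range(len(shares[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            # L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j); in characteristic 2 subtraction is XOR and -x_j == x_j.
            basis = 1
            for j, xj in enumerate(xs):
                if i != j:
                    basis = _gf_mul(basis, _gf_mul(xj, _gf_inv(xi ^ xj)))
            acc ^= _gf_mul(shares[i][idx], basis)
        out.append(acc)
    return bytes(out)


# Constructed 32-byte stand-in for a root key.
SAMPLE_SECRET = bytes(range(32))

if __name__ == "__main__":
    parts = split_secret(SAMPLE_SECRET, shares=5, threshold=3)
    print("3 of 5 recover key:", combine_shares([parts[0], parts[2], parts[4]]) == SAMPLE_SECRET)
    print("2 of 5 recover key:", combine_shares(parts[:2]) == SAMPLE_SECRET)
```

The security argument is visible in `combine_shares`: with fewer than `threshold` points there is one consistent polynomial for every possible secret byte, so the recovered bytes are uniformly random rather than a degraded approximation of the key. This is also why unseal shares must be distributed to distinct people and never stored together, and why the `vault operator rekey` flow exists to reissue them when a holder leaves.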
### Backup & Recovery
| Command | Description |
|---|---|
| INLINE_CODE_73 | Create snapshot |
| INLINE_CODE_74 | Restore snapshot |
## Configuration Examples
### Server Configuration
```hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1   # plaintext listener: lab use only; production listeners need tls_cert_file and tls_key_file
}

api_addr     = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui           = true
```
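The configuration above is a development setting: `tls_disable = 1` on a listener bound to `0.0.0.0` means every token and secret crosses the network in clear, and an `http://` `api_addr` tells clients and standby nodes to do the same. The checker below is an added example, not part of the page or of Vault, that scans a server config for exactly those two weaknesses and shows the hardened listener beside the weak one. It understands only the flat `block "label" { key = value }` layout used on this page (no nested blocks); the certificate paths and hostname in the hardened config are assumptions.

```python
import re

# `listener "tcp" { ... }` blocks, and key = value pairs inside or outside a block.
_LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
_BLOCK_RE = re.compile(r'\w+\s+"[^"]*"\s*\{.*?\}', re.S)
_KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s}]+))')


def _parse_kv(text: str) -> dict[str, str]:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in _KV_RE.finditer(text)}


def check_server_config(hcl: str) -> list[str]:
    """Return one finding per plaintext listener, listener without certificate material, or http:// api_addr."""
    hcl = re.sub(r"#.*", "", hcl)            # drop comments so commented-out settings are not parsed
    findings: list[str] = []
    for i, m in enumerate(_LISTENER_RE.finditer(hcl), start=1):
        kv = _parse_kv(m.group(1))
        addr = kv.get("address", "127.0.0.1:8200")
        if kv.get("tls_disable", "false").lower() in ("1", "true"):
            findings.append(f"listener {i} ({addr}): tls_disable is set, tokens and secrets travel in plaintext")
        elif not (kv.get("tls_cert_file") and kv.get("tls_key_file")):
            findings.append(f"listener {i} ({addr}): TLS enabled but tls_cert_file/tls_key_file not configured")
    top_level = _parse_kv(_BLOCK_RE.sub("", hcl))   # only keys outside any block: api_addr, cluster_addr, ui
    if top_level.get("api_addr", "").startswith("http://"):
        findings.append("api_addr uses http://: client redirects and standby forwarding will be plaintext")
    return findings


# The page's server configuration, flattened.
WEAK_CONFIG = """
storage "consul" { address = "127.0.0.1:8500" path = "vault/" }
listener "tcp" { address = "0.0.0.0:8200" tls_disable = 1 }
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
"""

# The same deployment with TLS on the listener; paths and hostname are assumed values.
HARDENED_CONFIG = """
storage "consul" { address = "127.0.0.1:8500" path = "vault/" }
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"   # assumed path
  tls_key_file    = "/etc/vault.d/tls/vault.key"   # assumed path
  tls_min_version = "tls12"
}
api_addr = "https://vault.example.internal:8200"
cluster_addr = "https://vault.example.internal:8201"
ui = true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", check_server_config(cfg) or ["no findings"])
```

`cluster_addr` is left alone because Vault always uses TLS for cluster traffic on that port regardless of the listener setting; the exposure is on the API listener and the advertised `api_addr`.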
### Auto-Unseal with AWS KMS
```hcl
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-1234-1234-1234-123456789012"
}
```
## Environment Variables
| Variable | Description |
|---|---|
| INLINE_CODE_75 | Vault server address |
| INLINE_CODE_76 | Authentication token |
| INLINE_CODE_77 | Vault namespace (Enterprise) |
| INLINE_CODE_78 | CA certificate file |
| INLINE_CODE_79 | Client certificate file |
| INLINE_CODE_80 | Client private key file |
## Best Practices
### Security
1. **Enable TLS**: always use TLS in production
2. **Least privilege**: grant the minimum permissions required
3. **Token TTL**: use short-lived tokens
4. **Audit logging**: enable a complete audit trail
5. **Seal/Unseal**: follow proper seal and unseal procedures
### Operations
1. **High availability**: deploy in HA mode for production
2. **Backup strategy**: take regular snapshots and backups
3. **Monitoring**: monitor Vault health and performance
4. **Rotation**: rotate keys and credentials regularly
5. **Access patterns**: monitor and analyse access patterns
### Development
1. **Dev mode**: use only for development
2. **Policy testing**: test policies thoroughly
3. **Secret versioning**: use secret versioning for rollbacks
4. **Integration**: integrate with CI/CD pipelines
5. **Documentation**: document secret paths and policies