Vault¶

generieren

Umfassende HashiCorp Vault-Befehle und Workflows für Secrets Management, Verschlüsselung und sicheren Zugriff auf sensible Daten.

Installation und Inbetriebnahme¶

Command	Description
`vault version`	Show Vault version
`vault server -dev`	Start development server
`vault server -config=config.hcl`	Start with configuration file
`vault status`	Check server status

Grundlegende Authentifizierung¶

Command	Description
`vault auth -method=userpass username=myuser`	Login with username/password
`vault auth -method=ldap username=myuser`	Login with LDAP
`vault auth -method=github token=mytoken`	Login with GitHub
`vault auth -method=aws`	Login with AWS IAM
`vault auth -method=kubernetes`	Login with Kubernetes

Token Management¶

Command	Description
`vault token create`	Create new token
`vault token create -ttl=1h`	Create token with TTL
`vault token lookup`	Look up current token
`vault token renew`	Renew current token
`vault token revoke TOKEN`	Revoke specific token

Secrets Management¶

Schlüsselwörterbücher (v2)¶

Command	Description
`vault kv put secret/myapp username=admin password=secret`	Store secret
`vault kv get secret/myapp`	Retrieve secret
`vault kv get -field=password secret/myapp`	Get specific field
`vault kv delete secret/myapp`	Delete secret
`vault kv list secret/`	List secrets
`vault kv metadata get secret/myapp`	Get metadata

Geheime Versionen¶

Command	Description
`vault kv put secret/myapp @data.json`	Store from JSON file
`vault kv get -version=2 secret/myapp`	Get specific version
`vault kv rollback -version=1 secret/myapp`	Rollback to version
`vault kv destroy -versions=2,3 secret/myapp`	Destroy versions
`vault kv undelete -versions=2 secret/myapp`	Undelete versions

Datenbank Secrets Engine¶

Datenbankkonfiguration¶

Command	Description
`vault secrets enable database`	Enable database engine
`vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="\\{\\{username\\}\\}:\\{\\{password\\}\\}@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"`	Configure MySQL
`vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '\\{\\{name\\}\\}'@'%' IDENTIFIED BY '\\{\\{password\\}\\}';GRANT SELECT ON . TO '\\{\\{name\\}\\}'@'%';" default_ttl="1h" max_ttl="24h"`	Create role

Dynamic Credentials¶

Command	Description
`vault read database/creds/my-role`	Generate database credentials
`vault write database/rotate-root/my-mysql-database`	Rotate root credentials

PKI (Public Key Infrastructure)¶

PKI Setup¶

Command	Description
`vault secrets enable pki`	Enable PKI engine
`vault secrets tune -max-lease-ttl=87600h pki`	Set max TTL
`vault write pki/root/generate/internal common_name=example.com ttl=87600h`	Generate root CA
`vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"`	Configure URLs

Zertifikat Management¶

Command	Description
`vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h`	Create role
`vault write pki/issue/example-dot-com common_name=test.example.com`	Issue certificate
`vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58`	Revoke certificate

AWS Secrets Engine¶

AWS Konfiguration¶

Command	Description
`vault secrets enable aws`	Enable AWS engine
`vault write aws/config/root access_key=AKIAI... secret_key=R4nm...`	Configure root credentials
`vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF \\{...\\} EOF`	Create IAM role

AWS Credentials¶

Command	Description
`vault read aws/creds/my-role`	Generate AWS credentials
`vault write aws/sts/my-role ttl=15m`	Generate STS credentials

Transit Secrets Motor¶

Verschlüsselung Setup¶

Command	Description
`vault secrets enable transit`	Enable transit engine
`vault write transit/keys/my-key type=aes256-gcm96`	Create encryption key
`vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")`	Encrypt data
`vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==`	Decrypt data

Schlüsselverwaltung¶

Command	Description
`vault write transit/keys/my-key/rotate`	Rotate encryption key
`vault read transit/keys/my-key`	Read key information
`vault write transit/rewrap/my-key ciphertext=vault:v1:...`	Rewrap with latest key

Politik¶

Politikmanagement¶

Command	Description
`vault policy write my-policy policy.hcl`	Create/update policy
`vault policy read my-policy`	Read policy
`vault policy list`	List all policies
`vault policy delete my-policy`	Delete policy

Beispielrichtlinie¶

```hcl

Read operation on the k/v secrets¶

path "secret/data/*" \\{ capabilities = ["read"] \\}

Write operation on the k/v secrets¶

path "secret/data/myapp/*" \\{ capabilities = ["create", "update"] \\}

Deny all access to secret/admin¶

path "secret/data/admin" \\{ capabilities = ["deny"] \\} ```_

Auth-Methoden¶

Authentisierungsmethoden aktivieren¶

Command	Description
`vault auth enable userpass`	Enable username/password
`vault auth enable ldap`	Enable LDAP
`vault auth enable github`	Enable GitHub
`vault auth enable aws`	Enable AWS IAM
`vault auth enable kubernetes`	Enable Kubernetes

Auth-Methoden konfigurieren¶

Command	Description
`vault write auth/userpass/users/myuser password=mypass policies=my-policy`	Create user
`vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"`	Configure LDAP
`vault write auth/github/config organization=myorg`	Configure GitHub

Audit Logging¶

Audit-Geräte aktivieren¶

Command	Description
`vault audit enable file file_path=/vault/logs/audit.log`	Enable file audit
`vault audit enable syslog`	Enable syslog audit
`vault audit list`	List audit devices
`vault audit disable file/`	Disable audit device

Hohe Verfügbarkeit und Clustering¶

Cluster Operationen¶

Command	Description
`vault operator init`	Initialize Vault cluster
`vault operator unseal`	Unseal Vault
`vault operator seal`	Seal Vault
`vault operator step-down`	Step down as leader
`vault operator raft list-peers`	List Raft peers

Backup & Recovery¶

Command	Description
`vault operator raft snapshot save backup.snap`	Create snapshot
`vault operator raft snapshot restore backup.snap`	Restore snapshot

Konfigurationsbeispiele¶

Serverkonfiguration¶

```hcl storage "consul" \\{ address = "127.0.0.1:8500" path = "vault/" \\}

listener "tcp" \\{ address = "0.0.0.0:8200" tls_disable = 1 \\}

api_addr = "http://127.0.0.1:8200" cluster_addr = "https://127.0.0.1:8201" ui = true ```_

Autounseal mit AWS KMS¶

hcl seal "awskms" \\\\{ region = "us-east-1" kms_key_id = "12345678-1234-1234-1234-123456789012" \\\\}_

Umweltvariablen¶

Variable	Description
`VAULT_ADDR`	Vault server address
`VAULT_TOKEN`	Authentication token
`VAULT_NAMESPACE`	Vault namespace (Enterprise)
`VAULT_CACERT`	CA certificate file
`VAULT_CLIENT_CERT`	Client certificate file
`VAULT_CLIENT_KEY`	Client private key file

Best Practices¶

Sicherheit¶

fähige TLS: Verwenden Sie immer TLS in der Produktion
Least Privilege: Mindestberechtigungen gewähren
**Token TTL*: Verwenden Sie kurzlebige Token
Audit Logging: Vollständiges Auditprotokoll aktivieren
**Selbst/Unseal*: Durchführung ordnungsgemäßer Siegel/Unsealverfahren

Operationen¶

** Hohe Verfügbarkeit**: Einsatz im HA-Modus für die Produktion
**Backup-Strategie*: Regelmäßige Snapshots und Backups
Monitoring: Vault Gesundheit und Leistung überwachen
Rotation: Regelmäßige Schlüssel- und Anmeldedrehung
**Access Patterns*: Zugriffsmuster überwachen und analysieren

Entwicklung¶

Dev Mode: Nur für die Entwicklung verwenden
**Policy Testing*: Prüfverfahren gründlich
**Secret Versioning*: Verwenden Sie geheime Versionierung für Rollbacks
**Integration*: Integration mit CI/CD-Pipelines
Dokumentation*: Dokumente geheime Pfade und Richtlinien