
Vault

A consolidated reference of HashiCorp Vault commands and workflows for secrets management, encryption, and controlled access to sensitive data.

Installation and Setup

| Command | Description |
| --- | --- |
| `vault version` | Show Vault version |
| `vault server -dev` | Start development server (in-memory, unsealed, root token printed; never for production) |
| `vault server -config=config.hcl` | Start with configuration file |
| `vault status` | Check server status (seal state, HA mode, version) |

Authentication and Login

Basic Authentication

| Command | Description |
| --- | --- |
| `vault login -method=userpass username=myuser` | Login with username/password |
| `vault login -method=ldap username=myuser` | Login with LDAP |
| `vault login -method=github token=mytoken` | Login with GitHub |
| `vault login -method=aws` | Login with AWS IAM |
| `vault write auth/kubernetes/login role=my-role jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token` | Login with Kubernetes (no CLI login helper; the pod's service account JWT is posted to the auth path) |

Note: the legacy `vault auth -method=...` form was replaced by `vault login` in Vault 0.9.2; on current versions `vault auth` is only the parent of `vault auth enable/list/disable`.

Token Management

| Command | Description |
| --- | --- |
| `vault token create` | Create new token |
| `vault token create -ttl=1h` | Create token with TTL |
| `vault token lookup` | Look up current token |
| `vault token renew` | Renew current token |
| `vault token revoke TOKEN` | Revoke specific token |

Secrets Management

Key/Value Secrets (KV v2)

| Command | Description |
| --- | --- |
| `vault kv put secret/myapp username=admin password=secret` | Store secret |
| `vault kv get secret/myapp` | Retrieve secret |
| `vault kv get -field=password secret/myapp` | Get specific field |
| `vault kv delete secret/myapp` | Delete secret (soft delete of the latest version; recoverable with `undelete`) |
| `vault kv list secret/` | List secrets |
| `vault kv metadata get secret/myapp` | Get metadata (versions, timestamps) |

Secret Versioning

| Command | Description |
| --- | --- |
| `vault kv put secret/myapp @data.json` | Store from JSON file |
| `vault kv get -version=2 secret/myapp` | Get specific version |
| `vault kv rollback -version=1 secret/myapp` | Roll back to version (writes a new version with the old data) |
| `vault kv destroy -versions=2,3 secret/myapp` | Destroy versions (permanent, data removed) |
| `vault kv undelete -versions=2 secret/myapp` | Undelete versions |

Database Secrets Engine

Database Configuration

| Command | Description |
| --- | --- |
| `vault secrets enable database` | Enable database engine |
| `vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"` | Configure MySQL (the `{{username}}`/`{{password}}` templates are filled by Vault from the stored root credentials) |
| `vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"` | Create role |

Dynamic Credentials

| Command | Description |
| --- | --- |
| `vault read database/creds/my-role` | Generate database credentials (a fresh user with a lease; revoked when the lease expires) |
| `vault write database/rotate-root/my-mysql-database` | Rotate root credentials (the new password is known only to Vault) |

PKI (Public Key Infrastructure)

PKI Setup

| Command | Description |
| --- | --- |
| `vault secrets enable pki` | Enable PKI engine |
| `vault secrets tune -max-lease-ttl=87600h pki` | Set max TTL |
| `vault write pki/root/generate/internal common_name=example.com ttl=87600h` | Generate root CA (private key never leaves Vault) |
| `vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"` | Configure URLs |

Certificate Management

| Command | Description |
| --- | --- |
| `vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h` | Create role |
| `vault write pki/issue/example-dot-com common_name=test.example.com` | Issue certificate |
| `vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58` | Revoke certificate |

AWS Secrets Engine

AWS Configuration

| Command | Description |
| --- | --- |
| `vault secrets enable aws` | Enable AWS engine |
| `vault write aws/config/root access_key=AKIAI... secret_key=R4nm...` | Configure root credentials |
| `vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF {...} EOF` | Create IAM role (the inline policy document is read from the heredoc) |

AWS Credentials

| Command | Description |
| --- | --- |
| `vault read aws/creds/my-role` | Generate AWS credentials |
| `vault write aws/sts/my-role ttl=15m` | Generate STS credentials |

Transit Secrets Engine

Encryption Setup

| Command | Description |
| --- | --- |
| `vault secrets enable transit` | Enable transit engine |
| `vault write transit/keys/my-key type=aes256-gcm96` | Create encryption key |
| `vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")` | Encrypt data (plaintext must be base64-encoded) |
| `vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==` | Decrypt data (returns base64 plaintext) |

Key Management

| Command | Description |
| --- | --- |
| `vault write transit/keys/my-key/rotate` | Rotate encryption key (new versions are used for encryption; old ones still decrypt) |
| `vault read transit/keys/my-key` | Read key information |
| `vault write transit/rewrap/my-key ciphertext=vault:v1:...` | Rewrap with latest key |

Policies

Policy Management

| Command | Description |
| --- | --- |
| `vault policy write my-policy policy.hcl` | Create/update policy |
| `vault policy read my-policy` | Read policy |
| `vault policy list` | List all policies |
| `vault policy delete my-policy` | Delete policy |

Example Policy

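A sample `policy.hcl` of the kind `vault policy write my-policy policy.hcl` expects, added here as an illustration rather than a file from the original page; the KV v2 mount at `secret/`, the `myapp` path and the transit key `my-key` are assumptions taken from the commands above.

```hcl
# Added example policy: least-privilege access for one application.
# Assumes a KV v2 engine mounted at secret/ and a transit key named my-key.

# KV v2 stores secret data under the data/ prefix, so `vault kv get secret/myapp`
# is really a read of secret/data/myapp. A trailing glob does NOT match the bare
# path, so both forms are listed.
path "secret/data/myapp" {
  capabilities = ["read"]
}
path "secret/data/myapp/*" {
  capabilities = ["read"]
}

# `vault kv list` and `vault kv metadata get` go through the metadata/ prefix.
path "secret/metadata/myapp/*" {
  capabilities = ["read", "list"]
}

# Permanent destruction of versions is explicitly denied. When Vault merges
# several policies for one token, deny on a path overrides any allow.
path "secret/destroy/myapp/*" {
  capabilities = ["deny"]
}

# Encrypt/decrypt are write operations, so they need "update".
# The key itself (transit/keys/my-key) is not readable or rotatable here.
path "transit/encrypt/my-key" {
  capabilities = ["update"]
}
path "transit/decrypt/my-key" {
  capabilities = ["update"]
}
```

Vault picks the most specific matching path rule for a request (an exact match beats a glob), so keep the rules for a mount unambiguous and verify the result with `vault token capabilities secret/data/myapp` after logging in with a token that carries only this policy.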

Auth Methods

Enabling Auth Methods

| Command | Description |
| --- | --- |
| `vault auth enable userpass` | Enable username/password |
| `vault auth enable ldap` | Enable LDAP |
| `vault auth enable github` | Enable GitHub |
| `vault auth enable aws` | Enable AWS IAM |
| `vault auth enable kubernetes` | Enable Kubernetes |

Configuring Auth Methods

| Command | Description |
| --- | --- |
| `vault write auth/userpass/users/myuser password=mypass policies=my-policy` | Create user |
| `vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"` | Configure LDAP |
| `vault write auth/github/config organization=myorg` | Configure GitHub |

Audit Logging

Enabling Audit Devices

| Command | Description |
| --- | --- |
| `vault audit enable file file_path=/vault/logs/audit.log` | Enable file audit |
| `vault audit enable syslog` | Enable syslog audit |
| `vault audit list` | List audit devices |
| `vault audit disable file/` | Disable audit device |

Once at least one audit device is enabled, Vault refuses to serve a request that it cannot log to every enabled device, so run two devices (for example file plus syslog) so that a full disk on one does not make Vault unavailable.

High Availability and Clustering

Cluster Operations

| Command | Description |
| --- | --- |
| `vault operator init` | Initialize Vault cluster |
| `vault operator unseal` | Unseal Vault |
| `vault operator seal` | Seal Vault |
| `vault operator step-down` | Step down as leader |
| `vault operator raft list-peers` | List Raft peers |

Backup and Restore

| Command | Description |
| --- | --- |
| `vault operator raft snapshot save backup.snap` | Create snapshot |
| `vault operator raft snapshot restore backup.snap` | Restore snapshot |

Configuration Examples

Server Configuration

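A `config.hcl` for the `vault server -config=config.hcl` command above, added as an illustration and not taken from the original page; hostnames, file paths and the node id are placeholders to adapt per node.

```hcl
# Added example config.hcl: TLS listener plus integrated (Raft) storage.
# Hostnames, paths and node_id are placeholders; every node needs its own values.

ui = true

# Integrated storage: the Raft log lives on local disk; one stanza per peer to join.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"

  retry_join {
    leader_api_addr = "https://vault-2.example.com:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-3.example.com:8200"
  }
}

# Client API listener. Leave TLS enabled; tls_disable = true belongs only in dev mode.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
  # To require mutual TLS from clients, add:
  # tls_client_ca_file                = "/etc/vault.d/tls/ca.crt"
  # tls_require_and_verify_client_cert = true
}

# Address clients are redirected to, and the address other cluster members use.
api_addr     = "https://vault-1.example.com:8200"
cluster_addr = "https://vault-1.example.com:8201"

# Recommended with integrated storage (Raft data is already on disk); disable swap on
# the host instead so secrets in memory are not paged out.
disable_mlock = true
```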

Auto-Unseal with AWS KMS

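The `seal` stanza that turns on KMS auto-unseal, added here as an illustration (not the page's own file); it goes in the same `config.hcl` as the listener and storage stanzas, and the region and key id are placeholders.

```hcl
# Added example seal stanza for AWS KMS auto-unseal.
# Vault needs kms:Encrypt, kms:Decrypt and kms:DescribeKey on this key.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "REPLACE-WITH-KMS-KEY-ID"
  # Do not put access_key/secret_key here: let Vault pick up credentials from the
  # instance profile or the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment.
}
```

With a KMS seal configured, `vault operator init` returns recovery keys instead of unseal keys (`-recovery-shares`/`-recovery-threshold` control their split) and the node unseals itself on start; the recovery keys are still needed for operations such as generating a new root token.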

Environment Variables

| Variable | Description |
| --- | --- |
| `VAULT_ADDR` | Vault server address |
| `VAULT_TOKEN` | Authentication token |
| `VAULT_NAMESPACE` | Vault namespace (Enterprise) |
| `VAULT_CACERT` | CA certificate file |
| `VAULT_CLIENT_CERT` | Client certificate file |
| `VAULT_CLIENT_KEY` | Client private key file |

Best Practices

Security

  1. **Enable TLS**: Always use TLS in production
  2. **Least Privilege**: Grant only the minimum permissions required
  3. **Token TTL**: Use short-lived tokens
  4. **Audit Logging**: Enable comprehensive audit logging
  5. **Seal/Unseal**: Implement proper seal/unseal procedures

Operations

  1. **High Availability**: Deploy in HA mode
  2. **Backup Strategy**: Take regular snapshots and backups
  3. **Monitoring**: Monitor Vault health and performance
  4. **Rotation**: Rotate keys and credentials on a regular schedule
  5. **Access Patterns**: Monitor and analyze access patterns

Development

  1. **Dev Mode**: Use only for development
  2. **Policy Testing**: Test policies thoroughly
  3. **Secret Versioning**: Use secret versions for rollbacks
  4. **Integration**: Integrate with CI/CD pipelines
  5. **Documentation**: Document secret paths and policies