
# Vault

[HashiCorp Vault](https://www.hashicorp.com/products/vault/) is a flexible encrypted secret store with fine-grained access control.

{% hint style="danger" %}
**HTTP without TLS!** The following guide is not suitable for production use, because the HTTP traffic to Vault is unencrypted. In production, Vault should be reached over HTTPS.
{% endhint %}

### Install Vault

```bash
VERSION="1.10.0"
cd /tmp
# Download the release archive and unpack the single binary into PATH
curl -LOs https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip
unzip vault_${VERSION}_linux_amd64.zip -d /usr/local/bin/

# Dedicated unprivileged service user; home directory becomes /var/lib/vault
useradd -r -m -U -s /bin/false -b /var/lib vault
mkdir /etc/vault
cat > /etc/vault/vault.hcl << EOF
ui = false
listener "tcp" {
 # Listens on all interfaces with TLS switched off (see the warning above)
 address     = "0.0.0.0:8200"
 tls_disable = 1
 #tls_key_file = "/etc/vault/vault.local-key.pem"
 #tls_cert_file = "/etc/vault/vault.local-crt.pem"
}
api_addr = "http://127.0.0.1:8200"
storage "file" {
  path = "/var/lib/vault/data"
}
EOF

# systemd unit running Vault as the unprivileged user created above
cat >/etc/systemd/system/vault.service << EOF
[Unit]
Description=Vault Manage Secrets and Protect Sensitive Data
Requires=network.target

[Service]
User=vault
Group=vault
WorkingDirectory=/var/lib/vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.hcl
Restart=on-failure
RestartSec=5
StandardOutput=null
# Lets Vault mlock() its memory so secrets are not swapped to disk
AmbientCapabilities=CAP_IPC_LOCK

[Install]
WantedBy=multi-user.target
EOF
```

### Initialize Vault

```bash
service vault start
export VAULT_ADDR='http://127.0.0.1:8200'
# Prints the five unseal keys and the initial root token; keep them safe
vault operator init -address=http://127.0.0.1:8200
# Any three of the five unseal keys are enough to unseal the vault
vault operator unseal # Use unseal key 1
vault operator unseal # Use unseal key 2
vault operator unseal # Use unseal key 3
```

> 🔑 The unseal keys are usually handed to five people in the organisation. Three of those five must then run the unseal process with their keys before the vault is unsealed.

![Initializing the vault](/files/LiBJj0JdaYCstrgA87wd)

{% hint style="info" %}
Store all generated keys and tokens in a safe place. Without them you cannot decrypt the database. **Lost keys and tokens cannot be recovered.**
{% endhint %}

### Create the KV secret store

```bash
# Login with initial root token
root@master:~# vault login
Token (will be hidden): *****
# Enables a KV (version 1) secrets engine mounted at secret/
root@master:~# vault secrets enable -path=secret kv
root@master:~# vault secrets list
```

### Create Vault policies

```bash
# Policy for reading and writing manually to the vault
vault policy write secret-rw -<<EOF
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

# Policy for the salt master
vault policy write salt-master -<<EOF
path "*" {
  capabilities = ["read","list"]
}
path "auth/*" {
  capabilities = ["read", "list", "sudo", "create", "update", "delete"]
}
EOF

# Policy for the minions
vault policy write saltstack/minions -<<EOF
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF
vault policy list
```
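To see what the three policies above actually grant, the following added example (not part of the page or of Vault) evaluates them against request paths with a simplified model of Vault's ACL rules: deny by default, an exact path rule beats globs, among matching globs the longest prefix wins, and a `deny` capability removes everything. Only trailing-`*` globs are modelled; the `+` segment wildcard and parameter constraints of real policies are left out, and the helper names are assumptions. It makes visible that `salt-master` can read every path on every mount (including ones enabled later), that minions get read/list under `secret/` only, and that `secret-rw` cannot touch `auth/`.

```python
import re

# The three policies from this page, verbatim, keyed by the name given to `vault policy write`.
POLICIES = {
    "secret-rw": """
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
""",
    "salt-master": """
path "*" {
  capabilities = ["read","list"]
}
path "auth/*" {
  capabilities = ["read", "list", "sudo", "create", "update", "delete"]
}
""",
    "saltstack/minions": """
path "secret/*" {
  capabilities = ["read", "list"]
}
""",
}

# Matches the simple `path "..." { capabilities = [...] }` shape used above.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(text):
    """Extract {path_pattern: set(capabilities)} from a policy in the shape shown above."""
    rules = {}
    for pattern, caps in RULE_RE.findall(text):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def capabilities(rules, request_path):
    """Simplified ACL evaluation (assumption: only trailing-* globs are modelled).

    Deny by default; an exact-path rule beats globs; among matching globs the
    longest prefix wins; a rule containing "deny" grants nothing.
    """
    if request_path in rules:
        caps = rules[request_path]
    else:
        best = None
        for pattern in rules:
            if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
                if best is None or len(pattern) > len(best):
                    best = pattern
        caps = rules[best] if best is not None else set()
    return set() if "deny" in caps else set(caps)


def allowed(rules, request_path, capability):
    """True if the policy grants `capability` on `request_path`."""
    return capability in capabilities(rules, request_path)


def audit(policy_name, request_path):
    """Effective capabilities of one named policy on one path, sorted for display."""
    return sorted(capabilities(parse_policy(POLICIES[policy_name]), request_path))


if __name__ == "__main__":
    for name in POLICIES:
        for path in ("secret/upstream-api", "auth/token/create", "sys/policies/acl/root"):
            print(f"{name:18} {path:24} {audit(name, path)}")
```

Running it shows why the `auth/*` rule with `sudo` is needed for the master (the `vault.generate_token` runner creates child tokens under `auth/token/`) and why the minion policy, which lacks any `auth/` rule, cannot mint tokens itself.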

### Write to and read from the vault

Generate a user token

```bash
root@master:~# vault token create -policy=secret-rw
# Log in with the created token
root@master:~# vault login
Token (will be hidden): *****
root@master:~# vault kv put secret/upstream-api user=susanne password=pwd__12345
Success! Data written to: secret/upstream-api
root@master:~# vault kv get secret/upstream-api
====== Data ======
Key         Value
---         -----
password    pwd__12345
user        susanne
```

### Connect the Salt master to Vault

#### Generate a token for the Salt master

```bash
vault token create -policy=salt-master
```

#### Extend the master config

{% code title="/etc/salt/master.d/vault.conf" %}

```yaml
vault:
  url: http://192.168.3.136:8200
  auth:
    method: token
    token: *****
```

{% endcode %}

{% code title="/etc/salt/master.d/peer_run.conf" %}

```yaml
peer_run:
  .*:
    - vault.generate_token
```

{% endcode %}

{% hint style="info" %}
Restart the Salt master after changing the master config.
{% endhint %}

### Read from the vault

```bash
root@master:~# salt master vault.read_secret "secret/upstream-api"
master:
    ----------
    password:
        pwd__12345
    user:
        susanne
```
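On the wire, the `vault.read_secret` call above (like `vault kv get`) is a plain `GET /v1/secret/upstream-api` carrying the token in the `X-Vault-Token` header. The following added example, which is not part of the page, of Salt or of Vault, builds that request, answers it the way a KV v1 mount does (403 for a bad token, 404 for an unknown path, `{"data": ...}` on success), and shows what a passive observer on the unencrypted `http://` connection from the warning at the top sees. The token, the secret values and the helper names are constructed for the example.

```python
import json

# Constructed stand-in for the Vault server state: one valid token, one secret.
FAKE_TOKEN = "hvs.EXAMPLE-TOKEN-NOT-REAL"
FAKE_STORE = {"secret/upstream-api": {"user": "susanne", "password": "pwd__12345"}}


def build_kv_get(token, path, host="127.0.0.1:8200"):
    """Raw HTTP/1.1 request for GET /v1/<path>, as the CLI or the Salt module sends it."""
    lines = [
        f"GET /v1/{path} HTTP/1.1",
        f"Host: {host}",
        f"X-Vault-Token: {token}",   # bearer credential, in cleartext without TLS
        "Accept: application/json",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_request(raw):
    """Split raw request bytes into (method, target, lower-cased header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def fake_vault_response(raw):
    """Model of a KV v1 read: token check first, then lookup; returns (status, JSON body)."""
    method, target, headers = parse_request(raw)
    token = headers.get("x-vault-token")
    path = target[len("/v1/"):] if target.startswith("/v1/") else target
    if token != FAKE_TOKEN:
        return 403, {"errors": ["permission denied"]}
    if method != "GET" or path not in FAKE_STORE:
        return 404, {"errors": []}
    return 200, {"data": dict(FAKE_STORE[path])}


def token_visible_on_wire(raw):
    """What someone sniffing the plain-HTTP link learns: the reusable token itself."""
    return parse_request(raw)[2].get("x-vault-token")


if __name__ == "__main__":
    req = build_kv_get(FAKE_TOKEN, "secret/upstream-api")
    print(req.decode())
    print(json.dumps(fake_vault_response(req)))
    print("token on the wire:", token_visible_on_wire(req))
```

The important detail is that the token is a reusable bearer credential: anyone who observes one request on an `http://` listener can replay it with the master's full policy until the token is revoked, which is why the `tls_disable = 1` setup is limited to a lab.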

{% code title="/srv/salt/examples/vault.sls" %}

```yaml
#
# Read from vault
#
{% set credentials = salt['vault.read_secret']("secret/upstream-api") %}
/tmp/credentials.txt:
  file.managed:
    - contents: |
        user = {{ credentials['user'] }}
        pass = {{ credentials['password'] }}
```

{% endcode %}
