How to use the Vault command line tool to store your code secrets
Developers must stop saving secrets in code. One way to avoid that is to use HashiCorp’s Vault. Jack Wallen shows you how to install this tool and take your first steps in its usage.
If you’re a developer, you must deal with secrets: passwords, passphrases, encryption keys, API keys, anything your code uses to authenticate to other applications or services. The problem is that a secret left in your code is readable by everyone who can read the code, and it stays in version-control history long after you remove it. That can lead to catastrophic issues, especially when the secret grants an attacker entry to your company network or to the third-party APIs you use.
Unfortunately, this is a widespread problem. Back in 2019, researchers found hundreds of thousands of secrets committed to public code on GitHub. This is a failure on the part of developers that can easily be overcome.
One way to avoid it is to use a tool like HashiCorp’s Vault, a secrets-management server with a command line client. Vault exposes an HTTP API that grants access to secrets according to policies, and it encrypts the data it stores with AES-256 in GCM mode.
I want to show you how to install and get started with Vault.
What you’ll need
Vault can be installed on Linux, macOS, and Windows. I’m going to demonstrate installing Vault on Ubuntu 20.04. For that, you’ll need a user with sudo privileges.
How to install Vault
In order to install Vault, you must first add HashiCorp’s GPG signing key so that apt can verify the packages. The following works on Ubuntu 20.04 (apt-key is deprecated on newer releases, where HashiCorp’s documentation instead stores the key in a keyring file and references it with a signed-by option on the repository line):
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
Once the key is installed, add the HashiCorp Linux repository for your release (lsb_release -cs expands to the release codename, focal on Ubuntu 20.04) with the command:
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
Update apt with the command:
sudo apt-get update
Install Vault by issuing the command:
sudo apt-get install vault -y
How to start the Vault server
Next, we must start the Vault server. For this tutorial, we’ll start it in dev mode so you can interact with it immediately.
Note: Never run Vault in dev mode on a production machine. Dev mode keeps all of its data in memory (encrypted, but gone when the process exits), starts already unsealed with a single unseal key, prints the root token to the terminal, and listens on plain HTTP at 127.0.0.1:8200 with TLS disabled. Do this on your development machine, not on a server.
To run the server in dev mode, issue the command:
vault server -dev
When you run the server in dev mode, it prints an Unseal Key and a Root Token. Copy the Root Token; you will rarely need the unseal key in dev mode, since the server starts unsealed and generates a fresh key and token on every restart. You will also see a line that begins with export VAULT_ADDR. Copy that entire line as well.
Open a second terminal (leave the server running in the first) and issue the export VAULT_ADDR command, which will look like:
export VAULT_ADDR='http://127.0.0.1:8200'
In that same window, set VAULT_TOKEN with the command:
export VAULT_TOKEN="token_value"
Where token_value is the Root Token you copied earlier. Note that this command line, token included, lands in your shell history; that is acceptable on a throwaway dev box, but clear the history or unset the variable when you are done.
Verify the server is running with the command:
vault status
You should see output indicating that the server is initialized and unsealed, with the storage type listed as inmem (Figure A).
Figure A
How to store a secret in the Vault server
With the Vault server running, we can now store our first secret. We’ll write the key/value pair password=P@$$W0RD to the path secret/test. The path must start with secret/ because that is where the dev server mounts its key/value (KV version 2) secrets engine; a write under a mount that does not exist is rejected. To create this secret, the command would be:
vault kv put secret/test password=P@$$W0RD
Your secret is now stored, and Vault will report back the creation time and version number (Figure B).
Figure B
How to retrieve a secret
Now that we’ve stored a secret, how do we retrieve it? Easy: issue the command:
vault kv get secret/test
Vault will display the metadata and the key/value pair we just added (Figure C).
Figure C
To delete our secret from Vault, the command would be:
vault kv delete secret/test
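The point of the walkthrough is that your application reads the value from Vault at run time instead of carrying it as a literal. The following is an added example, not code from the article or from HashiCorp: a small Python client that uses Vault’s HTTP API (standard library only) against the dev server set up above. It assumes VAULT_ADDR and VAULT_TOKEN are exported as described and that the secret was written with vault kv put secret/test password=P@$$W0RD; the secret path, the field name and the function names are the example’s own choices. One detail worth knowing is shown in kv2_url: the CLI path secret/test corresponds to the API endpoint /v1/secret/data/test, because KV version 2 inserts data/ after the mount name, and the stored pairs come back nested under data.data in the response.

```python
"""Read a secret from Vault's KV v2 store instead of hard-coding it.

Added example, not code from the original article. It assumes the dev
server from the walkthrough (`vault server -dev`) with VAULT_ADDR and
VAULT_TOKEN exported, and the secret written with
`vault kv put secret/test password=P@$$W0RD`. Standard library only.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Dict, Tuple

# The anti-pattern this replaces: a literal that lives forever in git history.
#     DB_PASSWORD = "P@$$W0RD"


def kv2_url(vault_addr: str, kv_path: str) -> str:
    """Translate a CLI-style path (secret/test) into the KV v2 HTTP endpoint.

    `vault kv get secret/test` reads /v1/secret/data/test: the first path
    component is the mount, and KV v2 inserts `data/` after the mount name.
    """
    mount, _, name = kv_path.strip("/").partition("/")
    if not mount or not name:
        raise ValueError("expected <mount>/<name>, e.g. secret/test")
    return f"{vault_addr.rstrip('/')}/v1/{mount}/data/{name}"


def parse_kv2_response(body: bytes) -> Tuple[Dict[str, str], int]:
    """Unwrap a KV v2 read: the key/value pairs sit under data.data and the
    version under data.metadata.version (KV v1 has no such nesting)."""
    doc = json.loads(body)
    inner = doc["data"]
    return dict(inner["data"]), int(inner["metadata"]["version"])


def read_secret(kv_path: str, field: str) -> str:
    """Fetch one field of a KV v2 secret using VAULT_ADDR / VAULT_TOKEN.

    In the dev walkthrough the token is the root token; a real service would
    obtain a scoped token from an auth method with a policy that allows only
    `read` on this path.
    """
    addr = os.environ["VAULT_ADDR"]
    token = os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        kv2_url(addr, kv_path), headers={"X-Vault-Token": token}
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            data, version = parse_kv2_response(resp.read())
    except urllib.error.HTTPError as err:
        # Vault answers 404 for a missing KV v2 path and 403 when the
        # token's policy does not allow the read.
        if err.code == 404:
            raise KeyError(f"no secret at {kv_path}") from None
        if err.code == 403:
            raise PermissionError(f"token may not read {kv_path}") from None
        raise
    if field not in data:
        raise KeyError(f"{kv_path} (version {version}) has no field {field!r}")
    return data[field]


if __name__ == "__main__":
    password = read_secret("secret/test", "password")
    # Use the value; never log it. Only its length is shown here.
    print(f"fetched 'password' from secret/test ({len(password)} chars)")
```

For a shell script rather than an application, the CLI does the same unwrapping for you: vault kv get -field=password secret/test prints just the value. Either way the credential never appears in the source tree, and the only thing the deployment needs to supply is a token whose policy is limited to reading that path.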
And that’s it: You’ve installed Vault and used it to store, display, and delete your first secret. Note that in the KV version 2 engine a delete is a soft delete of the latest version, which can be undeleted until it is explicitly destroyed. The key/value store you just used is itself a Vault secrets engine; next time around, we’ll look at the other secrets engines, which are mounted at paths much like volumes in a virtual file system and enable Vault to interact with other systems.