Install HashiCorp Vault on Windows
  • 13 Aug 2024
  • 4 Minutes to read

Article summary

HashiCorp Vault on Windows Server 2019 is a solution for managing and protecting sensitive data. It lets administrators store, access and manage secrets such as API keys, passwords and certificates; audit secret usage; enforce access controls; and manage access to secrets through a single interface. It integrates with a range of systems and applications and supports high availability.

Install HashiCorp Vault

To install HashiCorp Vault (version 1.15.0), perform the following steps:

  1. Go to the HashiCorp Vault website (https://developer.hashicorp.com/vault/install) and download the latest Windows binary of HashiCorp Vault.

  2. Create a folder named vault on any drive of the computer and copy the downloaded binary (vault.exe) into it.

  3. Create a new, blank SQL Server database and a login for Vault, and enter the server, user name, password and database name in the configuration below. Vault creates the Vault table itself on first start.

  4. Create the vault configuration file config.hcl in the vault folder with the data below.

    # MSSQL storage backend: Vault creates the "Vault" table in schema dbo on first start
    storage "mssql" {
      server            = "XXXXXXXX"   # SQL Server host name or IP
      port              = 1433
      username          = "vaultuser"
      password          = "XXXXX"
      database          = "XXXXX"
      table             = "Vault"
      appname           = "vault"
      schema            = "dbo"
      connectionTimeout = 30
      logLevel          = 0
    }

    # tls_disable = 1 serves the API and UI over plain HTTP, so tokens and secrets
    # cross the network unencrypted. For a listener reachable beyond this host,
    # set tls_disable = 0 and add tls_cert_file / tls_key_file.
    listener "tcp" {
      address     = "0.0.0.0:8200"
      tls_disable = 1
    }

    api_addr = "http://0.0.0.0:8200"
    ui       = true

  5. Create a directory ./vault/data inside the vault folder created earlier.

  6. Open Command Prompt, change to the vault folder and start the Vault server with this command: vault server -config=config.hcl

  7. Open the Google Chrome browser and navigate to http://127.0.0.1:8200. The vault can now be initialized.

  8. On the following screen, enter 5 in the Key shares field and 3 in the Key threshold field and click Initialize. Refer to the screenshot below.
    Figure: Root keys

  9. On the unseal keys page, scroll to the bottom and select Download Key. Save the generated unseal keys file to your vault folder. 
    Figure: Unseal keys

    The unseal process requires these keys, and signing in requires the root token.
  10.  Click Continue to Unseal.

  11.  Open the downloaded file.

  12.  Copy any one of the keys (from keys, not keys_base64) and enter it in the Unseal Key Portion field. Click Unseal to proceed.
    Figure: Unseal vault
    The Unseal status shows 1/3 keys provided.

  13. Enter another key and click Unseal. The Unseal status shows 2/3 keys provided.

  14. Enter another key and click Unseal. After 3 out of 5 unseal keys are entered, the Vault is unsealed and is ready to operate.

  15. Copy the root_token and enter the value in the Token field. Click Sign In.
    Figure: Sign in to vault

  16.  The Dashboard displays basic information about the current server settings.
    Figure: Vault dashboard

Create Secret Engine KV and Transit

After Vault is installed, the KV and Transit secret engines must be enabled in HashiCorp Vault.

To create the secret engine KV, perform the following steps:

  1.  Log in to the vault website http://192.168.X.X:8200/ with the vault token.
    Figure: Hashicorp website
  2.  After logging in, click Secrets and then click Enable New Engine.
    Figure: Secrets
  3.  Select KV under Generic and click Next.
  4.  Click Enable Engine.
    Figure: KV
  5.  The created KV engine is displayed as shown below.
    Figure: KV engine
  6.  Again, click Secrets > Enable New Engine > Generic. Select Transit and click Next.
    Figure: Transit
  7.  The created Transit engine is displayed as shown below.
    Figure: Transit
  8.  To configure KV for a customer, open the created KV engine, select Secrets and click Create Secret.
    Figure: Create KV
  9.  To create the KV secret, copy the JSON below and fill in the DB connection string, private key, public key and database type for the customer.

    {
      "AUTH_PRIVATE_KEY": "",
      "AUTH_PUBLIC_KEY": "",
      "SUMMIT_AUTH_JWT_SECRET_KEY": "[SECRET USED TO SIGN AND VERIFY JWT TOKENS, IT CAN BE ANY STRING]",
      "SUMMIT_DATA_MASTER_KEY": "SUMMIT_DATA_MASTER_VALUE",
      "SUMMIT_DATABASE_MSSQL_CONNECTION_STRING": "Data Source=;initial Catalog=;User Id=;Password=;TrustServerCertificate=True",
      "SUMMIT_DATABASE_MYSQL_CONNECTION_STRING": "Host=;Port=3306;User=;Password=;Database=;SslMode=Required;",
      "SUMMIT_DATABASE_TYPE": "mssql"
    }

    Note
    In the above JSON, the DB connection string must be changed for the respective instance.

  10.  The screen below is displayed when you click Create Secret.
     Figure: Create secret
    In this screen, the JSON toggle is off by default. Turn it on to enter the secret as JSON.
    Enter a Path for this secret; use the same name as the KV name in the DB that the Vault script uses. After enabling JSON and entering the path, paste the copied JSON with the public key, private key, DB connection string and other details filled in.

  11.  After creating the KV secret, the Transit secret engine must be configured.
  12.  To configure Transit, click Transit under Secrets on the home screen. Click Create Encryption Key.
    Figure: Create encryption key
  13.  Enter SUMMIT_DATA_MASTER_VALUE as the name and click Create Encryption Key. Transit is now configured.
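The two engines enabled above serve different purposes: KV stores the application's configuration secrets, while Transit keeps the SUMMIT_DATA_MASTER_VALUE key inside Vault and only ever hands out ciphertext. The following PowerShell script is an added example, not part of the original article or the vendor's own tooling; it reads the KV secret back and round-trips a value through the Transit key over the HTTP API. It assumes the KV engine was mounted at the default path kv as version 2, Transit at transit, that the secret was created at the path summit, and that the Vault token is supplied in the VAULT_TOKEN environment variable instead of being written into the script.

```powershell
# Added example, not part of the original article: read the KV secret created
# above and round-trip a value through the Transit key SUMMIT_DATA_MASTER_VALUE.
# Assumptions (not stated in the article): KV is mounted at "kv" as version 2,
# Transit at "transit", the secret path is "summit", and the Vault token is in
# the VAULT_TOKEN environment variable rather than in the script.
$VaultAddress = "http://127.0.0.1:8200"
$Headers = @{ "X-Vault-Token" = $env:VAULT_TOKEN }

function Invoke-Vault([string]$Method, [string]$Path, $Body = $null) {
    # Thin wrapper around the Vault HTTP API; request bodies are sent as JSON
    $params = @{ Method = $Method; Uri = "$VaultAddress/v1/$Path"; Headers = $Headers }
    if ($null -ne $Body) {
        $params.ContentType = "application/json"
        $params.Body = ($Body | ConvertTo-Json -Compress)
    }
    return Invoke-RestMethod @params
}

# KV v2 reads go through <mount>/data/<path>; the stored fields sit under data.data
$secret = (Invoke-Vault -Method Get -Path "kv/data/summit").data.data
Write-Host "Database type stored in KV: $($secret.SUMMIT_DATABASE_TYPE)"

# Transit takes base64-encoded plaintext and returns a "vault:v1:..." ciphertext.
# The key never leaves Vault, so the application only ever holds ciphertext.
$plaintext  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("customer record"))
$ciphertext = (Invoke-Vault -Method Post -Path "transit/encrypt/SUMMIT_DATA_MASTER_VALUE" `
    -Body @{ plaintext = $plaintext }).data.ciphertext
Write-Host "Ciphertext: $ciphertext"

# Decrypt with the same key and confirm the value survived the round trip
$decoded   = (Invoke-Vault -Method Post -Path "transit/decrypt/SUMMIT_DATA_MASTER_VALUE" `
    -Body @{ ciphertext = $ciphertext }).data.plaintext
$roundTrip = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($decoded))
if ($roundTrip -ne "customer record") { throw "Transit round-trip failed" }
Write-Host "Transit round-trip OK"
```

Run it from the same machine as Vault after setting VAULT_TOKEN (for example to the root token from the initialization step, or preferably to a token with a policy limited to these two paths). If the KV engine was mounted at a different path or as version 1, adjust the kv/data/summit path accordingly; version 1 reads use kv/summit and return the fields directly under data.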

Run the command below to run Vault as a Windows service.

sc.exe create VaultServer binPath= "C:\Hashicorp_Vault\vault.exe server -config=C:\Hashicorp_Vault\vault_mssql_prod.hcl" displayName= "Vault Server" start= auto

Note
The command above is a sample; use the path and file names as saved on your system. sc.exe requires a space after each = (binPath= , displayName= , start= ), otherwise the argument is not parsed.


To unseal the vault automatically whenever the server reboots, save the PowerShell script below (the task below expects it at C:\Hashicorp_Vault\Unsealvault.ps1) after replacing the unseal keys with your own.

$VaultAddress = "http://localhost:8200"

# Unseal key shares from the downloaded keys file (the "keys" values, not keys_base64).
# Replace the sample values with your own. The vault was initialized with a threshold
# of 3, so three different shares must be submitted before it unseals.
# Shares kept in clear text on the server can unseal Vault on their own, so restrict
# this file's ACL to the account that runs the task.
$UnsealKey  = "PZP632GDx6x7t86jAkWtDONS9xn1gNrcbMY3Exvn1w2d"
$UnsealKey2 = "csP790sZx6B3zTzWDvJNO0fDDofu25V4X6kwxW0KbKp+"
$UnsealKey3 = "<THIRD_UNSEAL_KEY>"   # placeholder, replace with a third share

# Send one unseal request per key share
Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/sys/unseal" -Body "{""key"":""$UnsealKey""}" -ContentType "application/json"
Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/sys/unseal" -Body "{""key"":""$UnsealKey2""}" -ContentType "application/json"
Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/sys/unseal" -Body "{""key"":""$UnsealKey3""}" -ContentType "application/json"

Create a Task Scheduler task to run the PowerShell script above.

The XML file below can be used to create the required task.

Note
Change the Author, the UserId (the SID of the account the task runs as) and the script path in the XML to match your system, then import the file into Task Scheduler to create a task that unseals the vault whenever the server is rebooted.


<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" version="1.2">
  <RegistrationInfo>
    <Date>2024-01-23T11:59:24.9078753</Date>
    <Author>apexcippdwin02\uzma</Author>
    <Description>Unseal_vault</Description>
    <URI>\Unseal_vault</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-373391952-1929313110-2839405437-500</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>C:\Hashicorp_Vault\Unsealvault.ps1</Arguments>
    </Exec>
  </Actions>
</Task>

For reference, below are the screenshots of the Task Scheduler.

Figure: Task scheduler job
Figure: General tab
Figure: Trigger tab
Figure: Actions tab
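The boot-triggered task above submits the key shares unconditionally: it does not wait for the Vault service to open its listener, does not notice when Vault is already unsealed, and gives no indication of whether the threshold was actually reached. The script below is an added example written for this article, not the article's own script or HashiCorp's tooling. It assumes the service address used above (http://localhost:8200) and uses placeholder key shares that must be replaced; it checks /v1/sys/seal-status first, retries until the API answers, stops submitting once Vault reports unsealed, and exits with an error (visible in the task's Last Run Result) if it does not.

```powershell
# Added example, not the article's script: unseal on boot only when needed,
# wait for the Vault service to answer, and verify the result.
# Assumes Vault listens on http://localhost:8200 as configured above.
$VaultAddress = "http://localhost:8200"

# Key shares are placeholders; replace them with your own. A threshold of 3
# means three distinct shares are needed, so fewer entries here can never unseal.
$UnsealKeys = @(
    "<UNSEAL_KEY_1>",   # placeholder
    "<UNSEAL_KEY_2>",   # placeholder
    "<UNSEAL_KEY_3>"    # placeholder
)

function Get-SealStatus {
    # /sys/seal-status needs no token and reports sealed, t (threshold) and progress
    return Invoke-RestMethod -Method Get -Uri "$VaultAddress/v1/sys/seal-status"
}

function Wait-ForVault([int]$Attempts = 30, [int]$DelaySeconds = 5) {
    # The boot trigger can fire before the service has opened its listener,
    # so poll until the API responds instead of failing on the first request
    for ($i = 1; $i -le $Attempts; $i++) {
        try { return Get-SealStatus } catch { Start-Sleep -Seconds $DelaySeconds }
    }
    throw "Vault at $VaultAddress did not respond after $Attempts attempts"
}

$status = Wait-ForVault
if (-not $status.sealed) {
    Write-Host "Vault is already unsealed; nothing to do"
    exit 0
}
if ($UnsealKeys.Count -lt $status.t) {
    throw "Vault needs $($status.t) key shares but only $($UnsealKeys.Count) are configured"
}

foreach ($key in $UnsealKeys) {
    # Each response carries the updated seal state, so no separate status call is needed
    $status = Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/sys/unseal" `
        -ContentType "application/json" -Body (@{ key = $key } | ConvertTo-Json -Compress)
    Write-Host "Unseal progress: $($status.progress)/$($status.t)"
    if (-not $status.sealed) { break }   # stop as soon as the threshold is reached
}

if ($status.sealed) { throw "Vault is still sealed after submitting all key shares" }
Write-Host "Vault unsealed"
```

Point the task's Arguments at this script in place of Unsealvault.ps1, or replace that file's contents. Because the script throws on failure, a non-zero Last Run Result in Task Scheduler tells you that Vault stayed sealed after a reboot, which the original two-request script would report as success.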



