Sensitive Data Storage Made Easy Development 14 Dec 2020 3 min read Kaio Magalhães Passionate about building products, software engineer and team management. More posts by Kaio Magalhães. By Kaio Magalhães Here at Codelitt, our projects range from web applications to robotics to augmented reality. However, inside all of those areas, there is a very important and persistent topic: Security. When you’re thinking about security, there are a lot of factors to think about. Are we talking about server access? Information traffic? Information storage? The list goes on and on and on. Security is always top of mind for us.Today, I’m going to talk about a really great service that we use to store sensitive data on a server. Vault, is an awesome tool to store key/values that we mainly use for our env variables like API keys and passwords. Vault has really good documentation, found here.Let’s learn how to setup a Linux server with Docker and Docker-compose, and utilize Vault.If you are setting up a new server, take a look at our server security practices and remember to not set it up with the root admin.I also strongly recommend you use 2factor authentication. It’s a bit tricky, but it’s very worth it.You will need Docker and Docker-compose installed, so if you don't have it take a look at this great tutorial provided by Digital Ocean.We are going to set it up with the deploy user1 - Before start with the containers let's setup the configuration. Put the following content in /home/deploy/vault/vault.configlistener "tcp" { address = "0.0.0.0:9000" tls_disable = 1}backend "consul" { address = "consul:8500" path = "vault"}2 - As we are using Docker, the initial setup is very simple. We are going to use a Vault image, which you can find the source here. Put the following content in your docker-compose.ymlversion: '2'services: # Vault consul: container_name: consul image: progrium/consul restart: always hostname: consul ports: - 8500:8500 command: "-server -bootstrap"vault: container_name: vault image: cgswong/vault restart: always volumes: - '/home/deploy/vault/vault.config:/root/vault.config' ports: - 8200:9000 environment: VAULT_ADDR: 'http://0.0.0.0:9000' cap_add: - IPC_LOCK depends_on: - consul command: "server -config /root/vault.config"We are going to use Consul as our secret back-end, you can find more info about it in the Vault Docs.3 - Let's run the containers now. run: docker-compose up -dCongratulations! now you have Vault working! Now to enable it you need to follow the steps below:enter the container with the commanddocker exec -it vault bashrunvault initThe response should be something like this:bash-4.3# vault initUnseal Key 1: 6d64855dfbcd93654a191aca77e2863a568a0a6444556958837fd526511f7d5b01Unseal Key 2: 615ec3594ad1446ed84712d6ff570df0ead89c9a38c13a93f9b0a1286e50ed9c02Unseal Key 3: 5c2a239676337e6ebd36441ba2cae5de949221d49f3fd6571750324ed51a78a403Unseal Key 4: 0522dd3c3f4c3a5f2e2f15e53c0b3e114ff6d2e1407d0bc4093cd636702d328c04Unseal Key 5: 38563df303ae005f4b5e43286196d63f31bc6fafe783e700e7dc4550cb67a7b405Initial Root Token: 33d9d440-202e-6a0c-7cc8-ccc63aa6f66bVault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.Vault does not store the master key. Without at least 3 keys, your Vault will remain permanently sealed.Now before anything else, you should save the unseal keys that you got during the last step, (as without them you can't store or retrieve any key), and make sure to store it in a safe place where no one can access it and that you won't lose for any reason. If you need to send them to an organizational partner you can use Boveda.At this point you should have Vault up and running. Let’s check it’s status. In your browser make sure to replace for your server: http://yourserver:8200/v1/seal-statusYou should see the response:{ errors: [ "Vault is sealed" ]}Which means that it works but it is sealed, let's unseal it.Enter the container with the commanddocker exec -it vault bashRun vault unsealIt is going to ask for a key, you can pass any of the keys it provided to you before, for each time you need to run vault unseal, you need to do it 3 times.After the third one you will see the response:Sealed: falseKey Shares: 5Key Threshold: 3Unseal Progress: 0Which means that now you can store and retrieve keys with safety!If you already have a secured server you can start saving your keys, otherwise you should go to this post where we teach about how to setup Nginx with free SSL and Docker.A good security practice for this kind of application is to limit the access to the Vault port to be open to the application that will store/fetch the keys only. In order to do this, you can either user your server application firewall (like aws) or you can run:iptables -I PREROUTING 1 -t mangle ! -s your_application_ip -p tcp --dport 9000 -j DROPSince most of the data that you plan to store in Vault is probably sensitive, bear in mind that a chain is only as strong as its weakest link. Even with Vault, if your server isn't properly set up then your information isn't safe. Stay up to date! Get all the latest & greatest information delivered straight to your inbox Subscribe