I deployed a vault-prod service on host A through docker.
docker run -itd --restart=always --name vault \
    -p 50036:8201 \
    -v /etc/ssl/vault/config.hcl:/vault/config/config.hcl \
    -v /etc/ssl/vault/vault.tech.crt:/certs/webServer.crt \
    -v /etc/ssl/vault/vault.tech.key:/certs/webServer.key \
    -v /etc/ssl/vault/webClientCA.pem:/certs/webClientCA.pem \
    hashicorp/vault
Sometimes a docker restart causes the vault to become sealed and need manual unsealing. I set up auto-unseal following the official documentation.
First, start a vault-unseal service on host A through the official script:
# Start the Vault 1 server in dev mode
# The system output will be stored in the vault-1.log file
vault server -dev -dev-root-token-id root > vault-1.log 2>&1 &
sleep 1
# Set the environment variables: VAULT_ADDR and VAULT_TOKEN
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
# Enable audit log
vault audit enable file file_path=audit.log
# Enable and configure transit secrets engine
vault secrets enable transit
vault write -f transit/keys/autounseal
# Create an autounseal policy
vault policy write autounseal -<<EOF
path "transit/encrypt/autounseal" {
   capabilities = [ "update" ]
}
path "transit/decrypt/autounseal" {
   capabilities = [ "update" ]
}
EOF
# Create a token for Vault 2 to use for root key encryption
vault token create -orphan -policy="autounseal" -wrap-ttl=120 -period=24h -field=wrapping_token > wrapping-token.txt
Then modify the configuration file of vault-prod (config.hcl):
ui = true
disable_mlock = true
storage "mysql" {
  address  = "*****"
  username = "***"
  password = "***"
  database = "***"
}
listener "tcp" {
  address                            = "[::]:8201"
  tls_cert_file                      = "/certs/webServer.crt"
  tls_key_file                       = "/certs/webServer.key"
  tls_disable                        = false
  tls_require_and_verify_client_cert = true
  tls_client_ca_file                 = "/certs/webClientCA.pem"
}
seal "transit" {
  address         = "http://127.0.0.1:8200"
  token           = "hvs.CAESIKB00DKM-PCrKw1lNVnoZAVEeH9hC8xhbOkC9JgCLzN5Gh4KHGh2cy52ajhaMHc2R3dHNmhxajlMakxHbEtyWE0"
  disable_renewal = "false"
  key_name        = "autounseal"
  mount_path      = "transit/"
  tls_skip_verify = "true"
}
log_level = "Debug"
When restarting vault-prod through docker, an error is reported.
Is there a configuration error somewhere?
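As an added pre-flight check that is not part of the original post: a small Python lint that pulls the seal "transit" stanza out of config.hcl and flags settings that commonly stop transit auto-unseal from working when Vault runs in a container. The regex, the sample stanza and its placeholder token are constructed for this example; the checks run offline, before the container is started.

```python
"""Lint a Vault seal "transit" stanza before the container starts.
Added example, not from the post; the regex only handles the flat layout shown above.
"""
import re
from urllib.parse import urlparse

# Constructed sample shaped like the stanza in the post; the token is a placeholder.
SAMPLE_CONFIG = '''
seal "transit" {
  address = "http://127.0.0.1:8200"
  token = "hvs.PLACEHOLDER_UNWRAPPED_TOKEN"
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  tls_skip_verify = "true"
}
'''
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_seal_stanza(hcl: str) -> dict:
    """Return the key/value pairs of the seal "transit" block, {} if absent."""
    m = re.search(r'seal\s+"transit"\s*\{(.*?)\}', hcl, re.S)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1))) if m else {}

def lint_seal(seal: dict, in_container: bool = True) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    if not seal:
        return ['no seal "transit" stanza found']
    findings = []
    url = urlparse(seal.get("address", ""))
    if in_container and url.hostname in LOOPBACK:
        # Without --network host, loopback inside the container is the container itself.
        findings.append("address is loopback: unreachable from inside a "
                        "container unless it shares the host network")
    if url.scheme == "http":
        findings.append("plain http: unseal token and root key travel "
                        "unencrypted; tls_skip_verify has no effect here")
    elif seal.get("tls_skip_verify") == "true":
        findings.append("tls_skip_verify disables certificate validation "
                        "of the unseal Vault")
    # The seal needs a token carrying the autounseal policy; a -wrap-ttl token must be unwrapped first.
    for key in ("token", "key_name", "mount_path"):
        if not seal.get(key):
            findings.append(f"{key} is missing or empty")
    return findings

if __name__ == "__main__":
    for finding in lint_seal(parse_seal_stanza(SAMPLE_CONFIG)):
        print("-", finding)
```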