HashiCorp Vault Enterprise
CORE can be used to provide enhanced key protection for HashiCorp Vault Enterprise: the key that seals Vault's master key is generated and held in a CORE partition and is reached by Vault through the CORE PKCS#11 library, so the key material never leaves CORE.
More information about HashiCorp Vault can be found here:
https://www.hashicorp.com/products/vault
Prerequisites
- HashiCorp Vault Enterprise with the Governance & Policy Module
Usage
Use the following steps to prepare CORE for integration with HashiCorp Vault:
- In CORE, create a partition for the HashiCorp Vault.
- Create a customized configuration file for the vault as described in HashiCorp Vault Configuration File.
- (Optional) If using the HashiCorp Consul service as the storage backend, start it. The -dev option runs a single in-memory development agent with verbose logging and is not suitable for production:
consul agent {-dev}
- Start the HashiCorp Vault using the customized configuration file. The -log-level=trace option provides more detailed messages, which helps when diagnosing PKCS#11 login or key-lookup problems:
vault server -config=./vault.hcl {-log-level=trace}
- If running the vault for the first time, initialize the vault:
vault operator init -key-shares=1 -stored-shares=1 -key-threshold=1
Note
The values of key-shares, stored-shares, and key-threshold should be customized for your installation. The init command prints the initial root token and the key or recovery shares; record them in a secure location, because they are not protected by CORE and anyone holding them can administer the vault.
Your vault is now sealed with a key held in CORE.
HashiCorp Vault Configuration File
The HashiCorp Vault uses a configuration file, called vault.hcl, that is in HCL format (which is similar to JSON). This file must be updated with the relevant information in the listener and seal sections (the seal stanza was named hsm in older Vault versions).
For the listener, define the address field with the address of the CORE client.
Note
In production, it is recommended to use TLS (Transport Layer Security), which is configured in the listener section with the tls_cert_file and tls_key_file fields. The sample below sets tls_disable = 1 for brevity, which sends Vault tokens and secrets in clear text between clients and the vault. See https://www.vaultproject.io/docs/configuration/listener/tcp.html for more information.
For the seal "pkcs11" stanza, define the following fields:
- lib - the location of the CORE PKCS#11 (Public-Key Cryptography Standards #11) library file.
- slot - must be set to 0.
- pin - the user password. Note that the password cannot be blank. Because it is stored in clear text, restrict read access to vault.hcl to the account that runs Vault; Vault can alternatively read the PIN from the VAULT_HSM_PIN environment variable instead of the file.
- key_label - text label of the key. Vault generates a key with this label in the CORE partition at initialization if none exists.
- hmac_key_label - must be set to 'hmac'.
- generate_key - must be set to "true", so that Vault creates the keys in CORE when they are not found.
Here are the contents of a sample vault.hcl file. The part that is relevant to CORE is the seal "pkcs11" stanza. Note that disable_mlock = true allows Vault's memory to be swapped to disk; leave mlock enabled in production unless your storage backend requires otherwise.
disable_mlock = true
ui = true

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address     = "{UKC_CLIENT}:8200"
  tls_disable = 1
}

seal "pkcs11" {
  lib            = "/usr/lib64/libekmpkcs11.so"
  slot           = 0
  pin            = "{PASSWORD}"
  key_label      = "hashicorp"
  hmac_key_label = "hmac"
  generate_key   = "true"
}
Note
For the platform-dependent location of libekmpkcs11.so, see Path to PKCS#11 Library.
Note
If you are not using Consul, make the following changes:
1. The storage line above should be: storage "file" {
2. Create a directory called vault/data, writable only by the account that runs Vault, and set the path to it. For example: path = "/home/ec2-user/vault/data"
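The following script ties the Usage steps and the configuration-file requirements above together. It is an added example written for this page, not a script shipped with CORE or Vault: it renders a vault.hcl with the seal "pkcs11" stanza, checks the seal fields against the rules listed above (slot 0, non-blank pin, hmac_key_label 'hmac', generate_key "true") before Vault is started, and, when run with arguments, starts Vault, initializes it on first run and confirms that Vault reports a pkcs11 seal. The file storage path /opt/vault/data and the argument order are assumptions of the example; the CORE client address, library path and password come from the caller.

```bash
#!/usr/bin/env bash
# Added example (not part of the CORE or Vault documentation).
# Assumptions: file storage under /opt/vault/data (hypothetical path); the CORE
# client address, PKCS#11 library path and user password are passed as arguments.
set -eu

# render_vault_hcl CLIENT_ADDR LIB_PATH PIN [KEY_LABEL] -> vault.hcl content on stdout
render_vault_hcl() {
  client_addr="$1"; lib_path="$2"; pin="$3"; key_label="${4:-hashicorp}"
  cat <<EOF
disable_mlock = true
ui = true

storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address     = "${client_addr}:8200"
  tls_disable = 1
}

seal "pkcs11" {
  lib            = "${lib_path}"
  slot           = 0
  pin            = "${pin}"
  key_label      = "${key_label}"
  hmac_key_label = "hmac"
  generate_key   = "true"
}
EOF
}

# hcl_value FILE KEY -> value of the first 'KEY = value' line (quotes stripped)
hcl_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | head -n 1
}

# check_seal_stanza FILE -> exit 0 when the seal fields meet the page's requirements
check_seal_stanza() {
  f="$1"; errors=0
  fail() { echo "vault.hcl: $1" >&2; errors=$((errors + 1)); }
  [ -n "$(hcl_value "$f" lib)" ]                  || fail "lib (CORE PKCS#11 library) is not set"
  [ "$(hcl_value "$f" slot)" = "0" ]              || fail "slot must be 0"
  [ -n "$(hcl_value "$f" pin)" ]                  || fail "pin must not be blank"
  [ -n "$(hcl_value "$f" key_label)" ]            || fail "key_label is not set"
  [ "$(hcl_value "$f" key_label)" != "hmac" ]     || fail "key_label collides with the mandatory hmac_key_label"
  [ "$(hcl_value "$f" hmac_key_label)" = "hmac" ] || fail "hmac_key_label must be 'hmac'"
  [ "$(hcl_value "$f" generate_key)" = "true" ]   || fail "generate_key must be \"true\""
  [ "$errors" -eq 0 ]
}

# bootstrap_vault CONFIG -> start Vault, initialize it on first run, confirm the pkcs11 seal.
# Needs the vault binary and a running CORE client; never called by the checks above.
bootstrap_vault() {
  cfg="$1"
  check_seal_stanza "$cfg"
  vault server -config="$cfg" -log-level=trace > vault-server.log 2>&1 &
  export VAULT_ADDR="http://$(hcl_value "$cfg" address)"
  status=""; tries=0
  while [ "$tries" -lt 30 ]; do                 # 'vault status' exits non-zero while sealed,
    status="$(vault status -format=json 2>/dev/null || true)"   # so test the output instead
    [ -n "$status" ] && break
    tries=$((tries + 1)); sleep 1
  done
  [ -n "$status" ] || { echo "Vault did not come up; see vault-server.log" >&2; return 1; }
  if printf '%s' "$status" | grep -qE '"initialized": *false'; then
    # First run: the init output holds the root token and shares; keep it readable by you only.
    vault operator init -key-shares=1 -stored-shares=1 -key-threshold=1 > vault-init.txt
    chmod 600 vault-init.txt
  fi
  if vault status -format=json | grep -qE '"type": *"pkcs11"'; then
    echo "Vault is running with the CORE pkcs11 seal"
  else
    echo "seal type is not pkcs11; check the seal stanza and vault-server.log" >&2; return 1
  fi
}

# Usage: ./core-vault.sh CLIENT_ADDR LIB_PATH PASSWORD [KEY_LABEL]
if [ "$#" -ge 3 ]; then
  render_vault_hcl "$@" > vault.hcl
  chmod 600 vault.hcl        # the file carries the CORE user password in clear text
  bootstrap_vault vault.hcl
fi
```

Without arguments the script only defines the functions, so the rendering and checks can be exercised on a workstation that has neither Vault nor a CORE client; the readiness loop inspects the JSON from vault status rather than its exit code because Vault returns a non-zero status while it is still sealed.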