What Is HashiCorp Vault?
HashiCorp Vault is a free tool (formerly open source) designed for securing, storing, and tightly controlling access to tokens, passwords, certificates, API keys, and other secrets. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network-based secrets.
Vault is built on the principle of infrastructure as code (IaC) and provides a secure space for static and dynamic secrets, as well as the ability to encrypt their content. It enables fine-grained authorization of who can access what secrets, under what conditions, and provides a detailed audit log of all accesses.
Vault provides an official Docker image that lets you run the software in a container. You can get the Docker image here.
In this article:
What Is Docker?
Docker is an open-source platform that automates the deployment of applications inside lightweight, portable containers. It simplifies the process of developing, shipping, and running applications regardless of the environment. Docker containers encapsulate an application with all of its dependencies into a single package, allowing it to run consistently on any infrastructure.
Docker uses OS-level virtualization to deliver software in packages called containers. Containers are isolated from each other and the host system, but they share the same OS kernel, start instantly, and use less computing resources than traditional virtual machines (VMs). They support a microservices architecture, based on small, modular services.
Docker containers provide a convenient way to run Hashicorp Vault in practically any environment.
Tips From the Expert
In my experience, here are tips that can help you better run HashiCorp Vault with Docker:
-
Use Docker Compose for multi-container setups
If your environment requires multiple services (like Consul or PostgreSQL) along with Vault, leverage Docker Compose. This simplifies orchestration, allowing you to define and run multi-container Vault setups with minimal configuration. -
Mount persistent volumes for storage
Always mount a persistent volume for Vault’s storage backend in production environments to prevent data loss. Use Docker volumes or bind mounts for/vault/fileto store secrets and configuration data securely outside the container. -
Leverage secrets in Docker Swarm
If deploying Vault in a Docker Swarm, use Docker secrets to pass sensitive configuration values (like the root token) into the container securely, avoiding hardcoding them in yourdocker runcommands or environment variables. -
Enable auto-unseal with cloud KMS
Use the auto-unseal feature with cloud-based Key Management Services (KMS), like AWS KMS or Google Cloud KMSMS, to automatically unseal Vault upon startup in Docker. This avoids the manual process of unsealing Vault after every restart. -
Set up health checks for high availability
Define health check policies in your Docker deployment to monitor the Vault service. Use thevault statuscommand in health checks to ensure the container is healthy and restart it if issues are detected, ensuring high availability.
Benefits of Running Vault on Docker
There are several reasons to run HashiCorp Vault on Docker.
Lightweight Deployment
Deploying Vault on Docker simplifies the provisioning and scaling of Vault instances. Containers encapsulate everything needed to run Vault, reducing dependency conflicts and streamlining the setup process. Docker’s portability ensures that Vault can be deployed consistently across different environments, including development, testing, and production.
Process Management
Running Vault in Docker containers improves process isolation, enhancing security by limiting the potential impact of a compromised container. Docker’s restart policies ensure that Vault services are automatically restarted in case of failure, increasing the availability of the Vault service without manual intervention.
Extensibility and Configurability
The use of Vault in Docker enables integrating additional security tools and plugins without heavily modifying the existing infrastructure. Vault on Docker simplifies configuration through Docker’s environment variables and mounted volumes.
Quick Tutorial: Setup HashiCorp Vault on Docker
Setup
In this example, we’ll use Alpine as the base image, due to its lightweight nature and minimal security risk surface. Vault operates under dumb-init within the Docker container. The dumb-init binary is HashiCorp-signed, ensuring its integrity.
For a basic Vault server in development mode, it’s enough to run the Vault container without arguments. The entry script provided within the container recognizes Vault subcommands, enabling commands like docker run vault status to execute in the container. To apply special configurations, run the server subcommand.
The Vault container designates two optional volumes for audit logs (/vault/logs) and persistent storage (/vault/file), though they require manual enabling. Configuration is streamlined through the /vault/config directory or via the VAULT_LOCAL_CONFIG environment variable for passing JSON configurations.
Run Vault in Development Mode
To run a Vault server for development, use the following Docker command, ensuring you add the IPC_LOCK capability to prevent sensitive information from being swapped to disk:
docker run --cap-add=IPC_LOCK -d --name=dev-vault hashicorp/vaultThis command initiates an in-memory Vault server, which is useful for development scenarios, but it’s not suited for production environments. You can customize the development server by setting the root token ID and the listener address via environment variables VAULT_DEV_ROOT_TOKEN_ID and VAULT_DEV_LISTEN_ADDRESS, respectively:
docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234' hashicorp/vaultRun Vault in Server Mode
For a more advanced setup that mimics a production-like environment, you can run Vault in server mode with file storage backend and TLS disabled (this is not secure and not recommended for actual production use). Use the following command:
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' -p 8200:8200 hashicorp/vault serverThis setup initializes a Vault server that is accessible via HTTP, stores data in /vault/file, and features a UI. The memory lock (IPC_LOCK) is essential for security, preventing memory swapping. Configuration files in JSON or HCL format can be added to /vault/config to customize the Vault server further. For enhanced scalability and reliability, consider deploying Vault within an orchestration environment such as Kubernetes or OpenShift.
Secret Management with Configu
Configu is a configuration management platform comprised of two main components:
Configu Orchestrator
As applications become more dynamic and distributed in microservices architectures, configurations are getting more fragmented. They are saved as raw text that is spread across multiple stores, databases, files, git repositories, and third-party tools (a typical company will have five to ten different stores).
The Configu Orchestrator, which is open-source software, is a powerful standalone tool designed to address this challenge by providing configuration orchestration along with Configuration-as-Code (CaC) approach.
Configu Cloud
Configu Cloud is the most innovative store purpose-built for configurations, including environment variables, secrets, and feature flags. It is built based on the Configu configuration-as-code (CaC) approach and can model configurations and wrap them with unique layers, providing collaboration capabilities, visibility into configuration workflows, and security and compliance standardization.
Unlike legacy tools, which treat configurations as unstructured data or key-value pairs, Configu is leading the way with a Configuration-as-Code approach. By modeling configurations, they are treated as first-class citizens in the developers’ code. This makes our solution more robust and reliable and also enables Configu to provide more capabilities, such as visualization, a testing framework, and security abilities.
