Auto-unseal Vault using AWS KMS
When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.
This tutorial demonstrates an example of how to use Terraform to provision a Vault server that can use an encryption key from AWS Key Management Services (KMS) to automatically unseal.
Challenge
Vault unseal operation requires a quorum of existing unseal keys split by Shamir's Secret sharing algorithm. This is done so that the "keys to the kingdom" won't fall into one person's hand. However, this process is manual and can become painful when you have many Vault clusters as there are now many different key holders with many different keys.
Solution
Vault supports opt-in automatic unsealing via cloud technologies: AliCloud KMS, AWS KMS, Azure Key Vault, Google Cloud KMS, and OCI KMS. This feature enables operators to delegate the unsealing process to trusted cloud providers to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters.
This tutorial demonstrates Vault Auto Unseal using AWS KMS.
Prerequisites
This tutorial assumes the following:
- AWS account for provisioning cloud resources
- Terraform installed and basic understanding of its usage
Note
Seal migration from Auto Unseal to Auto Unseal of the same type is supported since Vault 1.6.0. However, there is a current limitation that prevents migrating from AWS KMS to AWS KMS; all other seal migrations of the same type are supported. Seal migration from one Auto Unseal type (AWS KMS) to another Auto Unseal type (HSM, Azure KMS, etc.) is also supported on older versions as well.
Step 1: Provision the cloud resources
Clone the demo assets from the hashicorp/vault-guides GitHub repository to perform the steps described in this tutorial.
This repository contains supporting content for all of the Vault learn tutorials. The content specific to this tutorial can be found within a sub-directory.
Be sure to set your working directory to where the
/operations/aws-kms-unseal/terraform-aws
folder is located.The working directory should contain the provided Terraform configuration files:
Set your AWS Access Key ID value in an environment variable named AWS_ACCESS_KEY_ID.
Set your AWS Secret Access Key value in an environment variable named AWS_SECRET_ACCESS_KEY.
Tip
The above example uses IAM user authentication. You can use any authentication method described in the AWS provider documentation.
By default, AWS resources will be provisioned in the
us-east-1
region. If you wish to use another AWS region, create a file namedterraform.tfvars
and set the appropriateaws_region
andaws_zone
. (Reference the providedterraform.tfvars.example
.)Example:
terraform.tfvarsInitialize the Terraform workspace, and pull down the necessary provider resources.
Example truncated output:
Plan the changes and review resources which will be changed by Terraform.
Example truncated output:
Apply the plan by specifying the plan filename,
learn-vault-aws-kms.plan
. The plan will run without prompting.Example truncated output:
When the
apply
command completes, the Terraform output will display the public IP address in examples for either SSH access, or to access the Vault web UI.
Step 2: Test the auto-unseal feature
Access the EC2 instance and test the auto-unseal feature.
SSH into the provisioned EC2 instance.
Example truncated output:
When you are prompted, enter
yes
to continue.Note
The prompt will change to one like
ubuntu@ip-192-168-100-22:~$
when you are using the EC2 instance.Set the
VAULT_ADDR
environment variable to address the local server.Check the Vault server status.
Example output:
Notice that the Initialized value is
false
.Initialize Vault.
Example output:
The initialization generates Recovery Keys (instead of unseal keys) when using auto-unseal. Some of the Vault operations still require Shamir keys. For example, to regenerate a root token, each key holder must enter their recovery key. Similar to unseal keys, you can specify the number of recovery keys and the threshold using the
-recovery-shares
and-recovery-threshold
flags. It is strongly recommended to initialize Vault with PGP.Once you initialize the Vault server, it is operationally ready; check the Vault status again to verify that it has been initialized and unsealed.
Example output:
Notice that the Vault server is already unsealed (Sealed is
false
).Restart the Vault server to ensure that Vault server gets automatically unsealed:
Verify the Vault status.
Example output:
Log into Vault.
Provide the generated Initial Root Token value from the initialization output when prompted.
Example output:
Review the Vault configuration file (
/etc/vault.d/vault.hcl
).Example output:
Notice the Vault configuration file defines the
awskms
stanza which sets the AWS KMS key ID to use for encryption and decryption.
Warning
Although the listener stanza disables TLS (tls_disable = "true"
) for this
tutorial, Vault should always be used with
TLS
in production to provide secure communication between clients and the Vault
server. It requires a certificate file and key file on each Vault host.
At this point, you should be able to launch the Vault Enterprise UI by entering
the address provided in the terraform apply
outputs (e.g. http://35.91.217.103:8200/ui)
and log in with your initial root token.
Step 3: Clean up
You can follow these steps to clean up resources from this hands on lab scenario.
Exit the EC2 SSH session by typing
exit
and pressingreturn
.Example output:
Clean up the AWS cloud resources provisioned by the Terraform configuration in Step 1 without additional approval.
Example output:
Delete the state files and SSH key generated by Terraform.
Unset your AWS Access Key ID and Secret Access Key environment variable values.
This command is expected to produce no output.