# HashiTalks 2021 demo

**IMPORTANT**

This is a demo for learning purposes only, and as a hands-on lab for my HashiTalks 2021 presentation.

- Do NOT do this in production or on any environment you can't afford to lose.
- Do NOT rely on this.
- This is NOT an official HashiCorp tool.
- There is NO support for this.
## Prerequisites

- A Raspberry Pi running Raspberry Pi OS. Other compatible Linux operating systems or 40-pin GPIO boards might work as well. The demo during the talk was done using a Raspberry Pi 3B.
- For the fingerprint demo:
- For the RFID demo:
- Install Vault on the Pi. (Note: depending on your Pi and operating system, you may need to get either the 32-bit or 64-bit version. If you're not sure, it's most likely the 32-bit one.)
- Install `python3` on the Pi.
## Steps

1. This tutorial assumes you're running with the default `pi` user.
2. Run `sudo adduser pi gpio` so you can run the scripts without requiring `sudo`.
3. Clone this repo at the home directory for the `pi` user (`/home/pi`) and `cd` into it, i.e. `cd /home/pi/vault-fingerprint`.
4. Run `make install-vault-svc` to install a Systemd unit file for Vault.
5. Run `export VAULT_ADDR=http://127.0.0.1:8200/`.
6. Run `make install-requirements`.
## Fingerprint demo

1. Run `make start`.
2. Run `./vfp.py enroll` and follow the prompts to enroll a new fingerprint.
   - This is the fingerprint that will be allowed to initialize and unseal Vault. You can enroll as many as 300 fingerprints.
3. Run `./vfp.py init` and follow the instructions. Use the finger you enrolled in the previous step.
4. After initializing successfully, you'll see the root token being printed on screen, as well as the two files holding the unseal keys. Copy the root token and set it to the `VAULT_TOKEN` environment variable.
5. Run `vault status` and confirm that Vault is now initialized, but not yet unsealed.
6. Run `./vfp.py unseal` and follow the instructions, again using the same fingerprint.
7. Try the following to validate that Vault is working as expected (assuming `VAULT_TOKEN` is set to the root token shown earlier):

   ```
   vault secrets enable -path=secret kv
   vault kv put secret/foo bar=baz
   vault kv get secret/foo
   ```

8. Run `make restart` to force Vault to get sealed. Run `vault status` to confirm.
9. Run `./vfp.py unseal` to go through the unseal process again, using the same finger as before.
10. Run `vault kv get secret/foo` to validate that Vault is working as expected.
## RFID demo

1. Run `make wipe` to clean the data from the previous demo. Confirm with `vault status` that Vault is uninitialized and unsealed. Also, run `unset VAULT_TOKEN` to clean out the previous token.
2. Run `./vrfid.py init` to initialize Vault and start the process of storing the unseal keys on the RFID cards.
   - Note: by default, the script expects 5 cards, but you can change that by adding `-key-shares 3` or `-key-shares 1` if you have fewer than 5 cards.
3. After initializing successfully, you'll see the root token being printed on screen, as well as the two files holding the unseal keys. Copy the root token and set it to the `VAULT_TOKEN` environment variable.
4. Run `./vrfid.py unseal`, and follow the prompts on the screen. You'll be asked to scan the number of `-key-shares` you specified in the previous step (or the default of 5), one at a time. Note that the order doesn't matter: you can scan the cards in a different order than you used to initialize.
5. Try the following to validate that Vault is working as expected (assuming `VAULT_TOKEN` is set to the root token shown earlier):

   ```
   vault secrets enable -path=secret kv
   vault kv put secret/foo bar=baz
   vault kv get secret/foo
   ```

6. Run `make restart` to force Vault to get sealed. Run `vault status` to confirm.
7. Run `./vrfid.py unseal` to go through the unseal process again, scanning the same cards as before.
8. Run `vault kv get secret/foo` to validate that Vault is working as expected.
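The init and unseal steps above (for both demos) map onto two Vault HTTP API calls: `PUT /v1/sys/init` returns the root token plus one key share per card, and `PUT /v1/sys/unseal` accepts shares one at a time in any order until the threshold is met. The script below is an added example written for this README, not the repo's own `vfp.py`/`vrfid.py`; it assumes `VAULT_ADDR` points at the demo Vault and, like the RFID demo, sets the threshold equal to the number of shares so every card must be scanned.

```python
"""Drive Vault's init/unseal API with key shares submitted one at a time."""
import json
import os
import urllib.request


def http_put(path, body):
    """PUT a JSON body to the Vault API at VAULT_ADDR; return decoded JSON."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200/").rstrip("/")
    req = urllib.request.Request(addr + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def init_vault(put, shares=5, threshold=None):
    """Initialize Vault; return (root_token, list of base64 key shares).

    `shares` plays the role of -key-shares (one share per card). The
    threshold defaults to `shares`, mirroring the demo where all cards are
    scanned; pass a smaller value for a k-of-n setup.
    """
    resp = put("/v1/sys/init", {"secret_shares": shares,
                                "secret_threshold": threshold or shares})
    return resp["root_token"], resp["keys_base64"]


def unseal_with_shares(put, shares):
    """Submit shares one by one (order irrelevant) until Vault is unsealed.

    Returns how many shares were consumed, so the caller can confirm the
    threshold behaved as configured. Raises if the shares run out first.
    """
    resp = {}
    for used, share in enumerate(shares, start=1):
        resp = put("/v1/sys/unseal", {"key": share})
        if not resp["sealed"]:
            return used
    raise RuntimeError("shares exhausted while Vault is still sealed "
                       f"(progress: {resp.get('progress')})")


if __name__ == "__main__":
    token, keys = init_vault(http_put)
    print("root token:", token)  # handle like any root credential
    # Reverse the list on purpose: Vault accepts shares in any order.
    print("shares consumed:", unseal_with_shares(http_put, keys[::-1]))
```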