Tuesday, November 11, 2025

HashiCorp Vault Fundamentals

HashiCorp Vault Fundamentals - Complete Beginner's Guide to Secrets Management

HashiCorp Vault Fundamentals - Complete Beginner's Guide to Secrets Management

📚 What You'll Learn:
Complete HashiCorp Vault fundamentals from installation through hands-on API interactions, designed for beginners moving to intermediate level

What is HashiCorp Vault?

At its very core, HashiCorp Vault is a secrets lifecycle manager. Those secrets could be static in nature and stored directly on Vault, or they could be dynamic and simply managed by Vault. Vault can do some other things, but at its core, it's really all about the secrets.

HashiCorp Vault is written in Go language, which means that it can be compiled for multiple operating systems. Each operating system has its own binary that's compiled from the source code. The good news is that binary contains the bits for both:

  • Client side of Vault - Interacting with Vault server
  • Server side of Vault - The portion that actually runs Vault server

It's one binary, and it's actually fairly small (under 100MB), which is pretty impressive considering all the different things it can do.

Vault Architecture & Core Concepts

Understanding Vault's architecture is crucial before diving into hands-on work. Here are the key components:

Authentication Methods

The first thing you need to do with Vault is authenticate. The Vault server has one or more authentication methods that could rely on:

  • Internal systems - Like userpass authentication
  • External systems - Like LDAP integration

Policy System

In tandem with authentication, we have policies that govern what you can do on the Vault system. Policies determine permissions and access controls.

Secrets Engines

Once authenticated with proper policies, you can interact with secrets. These secrets are surfaced through secrets engines (also called plugins) that handle different types of secret data.

Audit System

One thing often overlooked in Vault is its audit system. Because you're interacting with secrets (extremely important and sensitive), you want to audit everything happening with your Vault system. Vault provides a robust auditing system for exactly that.

API-Centric Design

All client types interact with the same API that sits in front of Vault:

  • Direct end users - Interacting with Vault manually
  • Applications - With Vault code written to interact with the API
  • Virtual/Physical machines - Running processes to communicate with Vault

Critical Point: The API is the one and only way to interact with all Vault components - authentication, policies, secrets. Everything goes through the API.

Token-Based Authentication

With the exception of initial authentication, all interaction involves a token granted by Vault. You use this token with each request sent to Vault, whether using:

  • The UI (web interface)
  • The CLI (command line)
  • Direct API calls

The token is always passed to the Vault server in some way.

Installing HashiCorp Vault

The installation process differs by operating system, but you always have the option of downloading directly from the Vault project website. Here are some popular methods:

Windows Installation

Using Chocolatey package manager:

choco install vault

macOS Installation

Using Homebrew:

brew tap hashicorp/tap
brew install hashicorp/tap/vault

Linux Installation (Ubuntu Example)

# Add HashiCorp GPG key
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -

# Add repository
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"

# Update and install
sudo apt-get update && sudo apt-get install vault

Vault Development Mode

Development mode is perfect for learning and testing. Here's what you need to know:

Development Mode Characteristics

  • Localhost binding - Runs on your loopback address
  • HTTP (not HTTPS) - No SSL/TLS certificates required
  • In-memory storage - Data disappears when you shut down Vault
  • Unsealed and initialized - Ready to use immediately
  • UI enabled by default - Web interface automatically available
  • Pre-configured secrets engine - Key/value store ready to use

Starting Vault in Development Mode

The command is simple:

vault server -dev

Once started, you'll see output including:

  • Vault server address - Usually http://127.0.0.1:8200
  • Unseal key - For advanced scenarios
  • Root token - Your initial authentication token

Three Ways to Interact with Vault

There are three primary ways to interact with HashiCorp Vault:

1. Command Line Interface (CLI)

The CLI follows a consistent structure:

vault [command] [subcommand] [options] [arguments]

Essential CLI Help Commands:

  • vault -help - General help for any command
  • vault path-help [path] - Shows what you can do at specific Vault paths

Example CLI Commands:

# Check Vault version
vault version

# Get server status
vault status

# Login with token
vault login [token]

2. Web User Interface (UI)

The Vault UI is a graphical interface that:

  • Uses the API on the backend (like everything else)
  • Runs on the same port as the API (default: 8200)
  • Provides a basic console for running Vault commands
  • Must be explicitly enabled in production (enabled by default in dev mode)

Accessing the UI:

http://127.0.0.1:8200/ui

3. Direct API Interaction

The Vault API is RESTful and can be accessed using:

  • curl - Most common command-line tool
  • Invoke-WebRequest - PowerShell equivalent
  • Custom applications - Python, Go, or any programming language

API Request Format:

# General format
curl -H "X-Vault-Token: [token]" http://127.0.0.1:8200/v1/[path]

# Example: Get host information
curl -H "X-Vault-Token: $ROOT_TOKEN" $VAULT_ADDR/v1/sys/host-info

Essential Environment Variables

Vault CLI looks for several environment variables that make interaction easier:

VAULT_ADDR

Most important - specifies the Vault server address:

# Linux/macOS
export VAULT_ADDR="http://127.0.0.1:8200"

# Windows PowerShell
$env:VAULT_ADDR="http://127.0.0.1:8200"

VAULT_TOKEN

Overrides stored token (use carefully):

export VAULT_TOKEN="your-token-here"

VAULT_SKIP_VERIFY

Skip TLS certificate verification (development only):

export VAULT_SKIP_VERIFY=true

VAULT_FORMAT

Specify output format (useful for scripting):

export VAULT_FORMAT=json

Hands-On: Complete Setup Walkthrough

Let's walk through a complete setup process:

Step 1: Verify Installation

vault version

Step 2: Start Development Server

vault server -dev

Important: Copy the root token from the output - you'll need it!

Step 3: Set Environment Variable

# In a new terminal
export VAULT_ADDR="http://127.0.0.1:8200"

Step 4: Login with Root Token

vault login [your-root-token]

Step 5: Test Vault Status

vault status

Step 6: Access Web UI

Open your browser to: http://127.0.0.1:8200/ui
Login using the root token from Step 2.

Step 7: Test API Access

curl -H "X-Vault-Token: $ROOT_TOKEN" $VAULT_ADDR/v1/sys/host-info | jq

Understanding the Token Helper

When you login with vault login, Vault stores your token in a token helper. This means:

  • You don't need to specify the token with each command
  • The token is stored for the duration of your session
  • Environment variable VAULT_TOKEN overrides the token helper

Root Token Security Warning

⚠️ Important Security Note:
The root token with root policy can do anything in the Vault server. In production:
  • Never use root tokens for regular operations
  • Set up proper authentication methods (userpass, LDAP, etc.)
  • Create limited-privilege policies for users and applications
  • Revoke root tokens after initial setup

Next Steps in Your Vault Journey

Now that you understand Vault fundamentals and can interact with it via CLI, UI, and API, here are recommended next steps:

  1. Authentication Methods - Set up userpass authentication and move away from root tokens
  2. Policies - Create granular access control policies
  3. Secrets Engines - Explore different types of secrets (KV, database, PKI)
  4. Production Setup - Learn about production deployment with persistent storage
  5. Advanced Features - Explore audit logging, seal/unseal operations, and high availability

Key Takeaways

  • Vault is a secrets lifecycle manager - Its core purpose is managing sensitive data
  • Single binary deployment - Contains both client and server functionality
  • API-centric architecture - Everything goes through the REST API
  • Development mode for learning - Perfect for testing and education
  • Three interaction methods - CLI, UI, and direct API calls
  • Environment variables simplify usage - Especially VAULT_ADDR and VAULT_TOKEN
  • Token-based authentication - Required for almost all operations
🎯 Practice Exercise:
Try creating your first secret using all three methods:
  1. CLI: vault kv put secret/myapp username=admin password=secret123
  2. UI: Navigate to the secret engine and create a new secret
  3. API: Use curl to POST data to /v1/secret/data/myapp

Ready to continue your HashiCorp Vault journey? This foundation prepares you for advanced topics like production deployment, authentication methods, and secrets engine configuration.

By at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)