Différences

Ci-dessous, les différences entre deux révisions de la page.

--- securite:vault [2020/01/14 19:10] – [Audit] sgariepy
+++ securite:vault [2022/04/10 22:32] – [Persistance des données] sgariepy
@@ Ligne 87: / Ligne 87: @@
 Les données sont persistées et si le serveur redémarre, un init ne sera pas nécessaire.
+===== Installation de Vault avec systemctl =====
+  sudo useradd -r -d /var/lib/vault -s /bin/nologin vault
+  sudo install -o vault -g vault -m 750 -d /var/lib/vault
+  sudo mkdir /etc/vault
+  sudo nano /etc/vault.file.hcl
+<code>
+storage "file" {
+  path = "/var/lib/vault/data"
+}
+listener "tcp" {
+  address = "127.0.0.1:8200"
+  tls_disable = 0
+  tls_cert_file = "/var/lib/vault/vault.crt"
+  tls_key_file = "/var/lib/vault/vault.key"
+}
+</code>
+  sudo chown vault:vault /etc/vault/vault.file.hcl
+  sudo chmod 640 /etc/vault/vault.file.hcl
+  sudo nano /etc/systemd/system/vault.service
+<code>
+[Unit]
+Description=a tool for managing secrets
+Documentation=https://vaultproject.io/docs/
+After=network.target
+ConditionFileNotEmpty=/etc/vault/vault.file.hcl
+[Service]
+User=vault
+Group=vault
+ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.file.hcl
+ExecReload=/usr/local/bin/kill --signal HUP $MAINPID
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+SecureBits=keep-caps
+NoNewPrivileges=yes
+KillSignal=SIGINT
+[Install]
+WantedBy=multi-user.target
+</code>
+Create a group for key access:
+  sudo groupadd pki
+  sudo chgrp pki /etc/vault/pki
+  sudo chmod g+rx /etc/vault/pki
+  sudo gpasswd -a vault pki
+===== Démarrage =====
+  $ sudo systemctl start vault
+  $ sudo systemctl status vault
+[[https://www.digitalocean.com/community/tutorials/how-to-securely-manage-secrets-with-hashicorp-vault-on-ubuntu-16-04|Source]]
 ====== Gestion des secrets ======