<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/acme.jpeg width=100 align="left">

# Vault Enterprise
<img src=images/vault-enterprise1.png width="500">

Find the full list of Enterprise features at https://www.hashicorp.com/products/vault/pricing/

Prereq:
You need the Vault Enterprise binary and a valid license file.

## Setup

In [6]:
/bin/rm -rf $HOME/demos/vault_cluster/vrd/data/*

In [7]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

In [2]:
which vaulte
vaulte --version


/usr/local/bin/vaulte
Vault v1.6.1+ent (cd597c7bd822180253e59347ebde60a58187e120)


### Populate Vault server configuration file (hcl or json format)
Configures:
* storage
* listener
* ui
* telemetry
* seal
* etc

Note that the listener below uses `tls_disable = "true"` on `0.0.0.0`; this is a local demo setting, and a production listener terminates TLS.

In [8]:
mkdir -p $HOME/demos/vault_cluster/vrd/data/raft
cat <<EOF > $HOME/demos/vault_cluster/vrd/vrd_config.hcl
storage "raft" {
  path = "$HOME/demos/vault_cluster/vrd/data"
  node_id = "demo"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
disable_mlock="false"
disable_cache="false"
ui = "true"
max_lease_ttl="24h"
default_lease_ttl="1h"
raw_storage_endpoint=true
cluster_name="hashi-vault"
insecure_tls="true"
plugin_directory="$HOME/demos/vault_cluster/vrd/data/plugins"
EOF

**EXECUTE the following command in SEPARATE window**

```
vaulte server -config=$HOME/demos/vault_cluster/vrd/vrd_config.hcl
```

In [9]:
vault status

Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.6.1+ent
Storage Type       raft
HA Enabled         true


##### Notice the Initialized and Sealed status
When a Vault server starts, it is in a **sealed** state and cannot decrypt its data. Before any operation can be performed on Vault, it must be unsealed.

## Initialize Vault

Initialization is the process of configuring the Vault:
* Encryption key gets generated 
* Unseal keys are created
* Initial root token is setup

Note: the initialization takes a few seconds to complete.

<img src=images/shamir_secret_sharing.png width=500>



In [10]:
curl --request POST --data '{"secret_shares": 1, "secret_threshold": 1}' $VAULT_ADDR/v1/sys/init > ~/demos/vault_cluster/vrd/vault_init_output

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   226  100   183  100    43     20      4  0:00:10  0:00:09  0:00:01    47


**The above command is the same as**
```
vault operator init -key-shares=1 -key-threshold=1 -format=json | tee ~/demos/vault_cluster/vrd/vault_init_output
```


##### Parse output to variables (for demo use)

In [11]:
export VAULT_ROOT_TOKEN=$(cat ~/demos/vault_cluster/vrd/vault_init_output | jq -r '.root_token')
export VAULT_KEY_BASE64=$(cat ~/demos/vault_cluster/vrd/vault_init_output | jq -r '.keys_base64[0]' )
echo $VAULT_ROOT_TOKEN
echo $VAULT_KEY_BASE64

s.iC1lLVY3JNQhExuFgXelmSkg
lz3Oeqla8sh/Nsyz+63XAPVsWyxvr+i5vBtiD2n7Kh8=


---
## Unseal Vault
Unsealing is the process of reconstructing the master key that is needed to decrypt the data encryption keys and read the data. It requires a threshold of unseal keys (see Initialize Vault above). Unsealing is a manual process and becomes tedious when you operate multiple Vault clusters! Hint: explore the Auto-Unseal feature.

Sealing Vault is the ultimate **break glass** procedure, for example when you suspect that someone has gained unauthorized access to Vault with malicious intent.

In [12]:
curl \
    --insecure \
    --header "X-Vault-Token: $VAULT_ROOT_TOKEN" \
    --request PUT \
    --data '{ "key": "'$VAULT_KEY_BASE64'" }' \
    $VAULT_ADDR/v1/sys/unseal

{"type":"shamir","initialized":true,"sealed":false,"t":1,"n":1,"progress":0,"nonce":"","version":"1.6.1+ent","migration":false,"cluster_name":"hashi-vault","cluster_id":"00efff5b-010a-c47d-c845-b4e7c3d94118","recovery_seal":false,"storage_type":"raft"}
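An added helper (not part of the original notebook) that carries the init and unseal cells above through to a multi-share setup: it parses the `sys/init` reply, submits exactly `secret_threshold` distinct shares to `sys/unseal`, and stops only when the server reports `sealed: false`. The 5/3 share split, the stdlib HTTP client and the sample init output are assumptions.

```python
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
INIT_FILE = os.path.expanduser("~/demos/vault_cluster/vrd/vault_init_output")
# Constructed sample of a /v1/sys/init reply; the shares are placeholders, not real keys.
SAMPLE_INIT_OUTPUT = '{"keys_base64": ["k1", "k2", "k3", "k4", "k5"], "root_token": "s.CONSTRUCTED"}'

def vault_request(path, method="GET", body=None):
    """Minimal stdlib client for the Vault HTTP API (the same calls the curl cells make)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")

def parse_init(init_json):
    """Pull root_token and keys_base64 out of the init output (what the notebook does with jq)."""
    doc = json.loads(init_json) if isinstance(init_json, str) else init_json
    if not doc.get("keys_base64"):
        raise ValueError("init output carries no keys_base64")
    return doc["root_token"], list(doc["keys_base64"])

def unseal_plan(keys, threshold):
    """Exactly `threshold` distinct shares: fewer never unseals, and a repeated share does not advance progress."""
    distinct = list(dict.fromkeys(keys))
    if not 1 <= threshold <= len(distinct):
        raise ValueError(f"threshold {threshold} not satisfiable with {len(distinct)} distinct shares")
    return distinct[:threshold]

def shares_remaining(status, threshold):
    """Read a sys/unseal or sys/seal-status reply: 0 once Vault reports sealed == false."""
    if not status.get("sealed", True):
        return 0
    return threshold - int(status.get("progress", 0))

def unseal(keys, threshold):
    """Submit shares one by one and stop as soon as the server reports sealed == false."""
    for key in unseal_plan(keys, threshold):
        if shares_remaining(vault_request("/v1/sys/unseal", "PUT", {"key": key}), threshold) == 0:
            return True
    raise RuntimeError(f"submitted {threshold} shares but Vault still reports sealed")

if __name__ == "__main__":
    SHARES, THRESHOLD = 5, 3  # assumed split; the notebook above uses 1/1 for the demo
    if not vault_request("/v1/sys/seal-status")["initialized"]:
        init = vault_request("/v1/sys/init", "PUT", {"secret_shares": SHARES, "secret_threshold": THRESHOLD})
        json.dump(init, open(INIT_FILE, "w"))  # shares go to a file, not to the terminal or shell history
    _root_token, keys = parse_init(open(INIT_FILE).read())
    print("unsealed:", unseal(keys, THRESHOLD))
```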


## Apply License to Vault

In [15]:
sleep 5
curl \
    --insecure \
    --header "X-Vault-Token: $VAULT_ROOT_TOKEN" \
    --request PUT \
    --data @/Users/tio/Documents/vault_license.json \
    $VAULT_ADDR/v1/sys/license

### Vault Auto Unseal
Vault supports opt-in automatic unsealing via cloud key management services such as AliCloud KMS, Amazon KMS, Azure Key Vault and Google Cloud KMS. This feature delegates the unsealing process to a trusted cloud provider to ease operations.

In [18]:
echo $VAULT_ADDR

http://127.0.0.1:8200


## Interacting with Vault

Vault **HTTP API**
* Full access to Vault via HTTP
* Every aspect of Vault can be controlled via API


Vault **CLI**
* uses HTTP API to access Vault
* it is a thin wrapper around the HTTP API
* outputs are formatted

**Note**: Remember the **-output-curl-string** CLI flag: it prints the `curl` equivalent of a CLI command instead of executing it.

In [7]:
vault secrets list -output-curl-string

curl -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/sys/mounts


### Getting help

In [None]:
vault server -h

### View Vault via a browser
Open a web browser and visit http://127.0.0.1:8200/ui/vault
Select the **Token** method, enter the token and click **Sign in**.


---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 align="left">