Virtual Event
Join us for the next HashiConf Digital October 12-15, 2020 Register for Free

Day 1: Deploying Your First Vault Cluster

Day 1 Introduction

Before you start managing your secrets using Vault, the first step is to deploy a Vault cluster. Day 1: Deploying Your First Vault Cluster track is designed to help you navigate through the Day 1 operations.

Learning Path

»Reference Architecture

»Vault Deployment Reference Architecture

Vault Reference Architecture helps you make decisions about how to design your Vault cluster(s) using Consul as storage backend.

»Vault with Integrated Storage Reference Architecture

This guide provides guidance in the best practices of Vault implementations using the integrated storage (raft) as its persistent storage.

The fundamental difference between Vault's integrated storage and Consul is that the integrated storage stores everything on disk while Consul KV stores everything in its memory which impacts the host's RAM.

»Production Hardening

Read Production Hardening guide to learn about the best practices for hardening the Vault deployment in production. Let this guide help you make decisions about your Vault deployment and apply when possible.

»Vault Deployment guide

Vault Deployment Guide walks you through the steps to install and configure a single Vault cluster based on the recommended reference architecture. The following steps are described:

  • Download Vault binary
  • Install Vault
  • Configure systemd
  • Configure Consul agent
  • Configure Vault server
  • Starting Vault

»Vault High Availability with Consul

Vault High Availability with Consul covers similar topics as the deployment guide; however, this guide explains the Consul in greater detail, and provides step-by-step instructions.

»Auto-unseal Vault

Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault. By default, Vault uses Shamir's Secret Sharing algorithm to split the master key into shards. This requires a configured number of shared key holders to be present to unseal the Vault server.

Auto-unseal was developed to aid in reducing this operational complexity of keeping the master key secure. The following guides demonstrate the auto-unseal using your trusted cloud provider's key:

Refer to the Vault documentation for more details.

»Disaster Recovery Replication Setup

It is inevitable for organizations to have a disaster recovery (DR) strategy to protect their Vault deployment against catastrophic failure of an entire cluster. Disaster Recovery Replication Setup guide walks you through the steps to set up the DR replication.

»Setting up Performance Replication

When you have multiple datacenters, data replication across the datacenters can improve the overall performance.

Setting up Performance Replication guide step through the activation of performance replication as well as Vault performance replication management.

Also, refer to the Monitoring Vault Replication guide.

»HSM Integration - Seal Wrap

If your organization cares about Federal Information Processing Standard (FIPS) to encrypt your data for security, integrate Vault with FIPS 140-2 certified HSM and enable the Seal Wrap feature to protect your data. By enabling seal wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.

HSM Integration - Seal Wrap walks you through the following steps:

  • Configure HSM auto-unseal
  • Enable seal wrap
  • Test the seal wrap feature