Day 1: Deploying Your First Vault Cluster

Day 1 Introduction

Before you start managing your secrets with Vault, the first step is to deploy a Vault cluster. The Day 1: Deploying Your First Vault Cluster track is designed to help you navigate the Day 1 operations.

Learning Path

» Vault Deployment Reference Architecture

The Vault Reference Architecture guide helps you make decisions about how to design your Vault cluster(s):

  • How many virtual machines are needed
  • The sizing of those host machines
  • Load balancer in front of the Vault servers
  • Single datacenter vs. multiple datacenters (Vault OSS vs. Vault Enterprise)
    • Disaster Recovery Replication
    • Performance Replication

» Vault Deployment guide

The Vault Deployment Guide walks you through the steps to install and configure a single Vault cluster based on the recommended reference architecture. The following steps are described:

  • Download the Vault binary
  • Install Vault
  • Configure systemd
  • Configure the Consul agent
  • Configure the Vault server
  • Start Vault

» Vault High Availability with Consul

Vault High Availability with Consul covers similar topics to the deployment guide; however, this guide explains Consul in greater detail.

» Auto-unseal Vault

Unsealing is the process of reconstructing the master key needed to read the decryption key that decrypts the data, allowing access to the Vault. By default, Vault uses Shamir's Secret Sharing algorithm to split the master key into shards. This requires a configured number of key shard holders to be present to unseal the Vault server.

Auto-unseal was developed to reduce the operational complexity of keeping the master key secure. The following guides demonstrate auto-unseal using your trusted cloud provider's key:

Refer to the Vault documentation for more details.
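To make the threshold behaviour described above concrete, here is an added example (not Vault's own code, which shards byte-wise over GF(256)) that splits a constructed master key with a simplified prime-field Shamir scheme and shows that fewer than the threshold of shards cannot unseal:

```python
import secrets

# Prime field modulus (a Mersenne prime larger than any 256-bit key).
# Simplified illustration: Vault's own shamir package works byte-wise
# over GF(256) rather than over one large prime field.
PRIME = 2**521 - 1

def split_secret(secret, shares, threshold):
    """Split an integer secret into `shares` points on a random
    polynomial of degree threshold-1 whose constant term is the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points

def combine_shares(points):
    """Reconstruct the constant term by Lagrange interpolation at x = 0.
    With fewer than `threshold` points this yields an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def unseal_check(key_shards, threshold, expected_master_key):
    """Mimic the unseal flow: refuse below the threshold, then verify
    that the reconstructed master key matches the expected one."""
    if len(key_shards) < threshold:
        return False
    return combine_shares(key_shards[:threshold]) == expected_master_key

if __name__ == "__main__":
    master_key = int.from_bytes(secrets.token_bytes(32), "big")  # constructed key
    shards = split_secret(master_key, shares=5, threshold=3)
    print("3 of 5 shards unseal:", unseal_check(shards[:3], 3, master_key))
    print("2 of 5 shards unseal:", unseal_check(shards[:2], 3, master_key))
```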

» Disaster Recovery Replication Setup

Organizations need a disaster recovery (DR) strategy to protect their Vault deployment against catastrophic failure of an entire cluster. The Disaster Recovery Replication Setup guide walks you through the steps to set up DR replication.

» Performance Replication with Mount Filter

When you have multiple datacenters, data replication across the datacenters can improve overall performance. However, there may be constraints on replicating data from one region to another (e.g., GDPR compliance prohibits EU privacy data from ever leaving the EU).

The Performance Replication with Mount Filters guide demonstrates the following:

  • Enable performance replication with a mount filter
  • Secondary cluster re-authentication
  • Mount filter verification
    • Enabling a local secrets engine

» HSM Integration - Seal Wrap

If your organization requires Federal Information Processing Standard (FIPS) compliant encryption of your data, integrate Vault with a FIPS 140-2 certified HSM and enable the Seal Wrap feature to protect your data. With seal wrap enabled, Vault wraps your secrets in an extra layer of encryption using the HSM's encryption and decryption.

The HSM Integration - Seal Wrap guide walks you through the following steps:

  • Configure HSM auto-unseal
  • Enable seal wrap
  • Test the seal wrap feature