Vault Associate Certification Part 3 Configuration Notes. This is one of a series of documents that go through all the components needed to achieve the certification.
HashiCorp Vault Associate Certification Configuration Part 3
OVERVIEW
These notes follow the HashiCorp-specific structure found here:
http://www.vaultproject.io/docs/configuration
I have created these notes as part of my personal learning and hope to be able to help and inspire others.
I would recommend viewing the official Vault docs to gain full and detailed explanations.
I will be releasing interactive notebooks for all configuration detailed in these guides.
Follow my Instagram @adnans_techie_studies for updates.
VAULT CONFIGURATION
Format: HCL or JSON.

Top-level parameters:
- raw_storage_endpoint: enables the raw storage endpoint, which allows encryption and decryption of raw data in and out of the security barrier. This is highly privileged.
- default_max_request_duration: how long before Vault cancels a request.
- default_lease_ttl: default duration for tokens and secrets. max_lease_ttl: maximum lease TTL.
- log_format: standard or JSON. log_level: trace, debug, info, warn or error.
- storage: configures where Vault data is stored. ha_storage: separate HA parameters; must be an HA-supporting backend.
- telemetry: where metrics are pushed (see the telemetry stanza below).
- listener: how Vault listens for API requests.
- plugin_directory, cluster_name.
- cache_size and disable_cache: the read cache is used by physical storage; disabling it will impact performance.
- seal: auto-unsealing and seal wrapping (an extra layer of encryption).
- disable_mlock: mlock prevents memory from being swapped to disk. Disabling it is recommended if using integrated storage, because with memory-mapped files mlock causes Vault's entire dataset to be loaded into memory, which causes OOM errors if the dataset is larger than RAM.
VAULT CONFIGURATION (continued)
- disable_clustering: setting this on one node will only disable clustering when that node is the active node.
- api_addr: the full URL to advertise to other Vault servers in the cluster for client redirection. Also used by plugin backends.
- cluster_addr: the address to advertise to other Vault servers in the cluster for request forwarding. Similar to api_addr, but Vault ignores the scheme: cluster members always use TLS.
LISTENER STANZA
Configures the addresses and ports on which Vault will respond to requests. TCP only.

- The TCP listener configures Vault to listen on a TCP address:port. Specify it more than once to make Vault listen on multiple interfaces; when you do, api_addr and cluster_addr must be specified.
- address: bind address for listening. cluster_address: bind address for server-to-server requests.
- X-Forwarded-For handling: x_forwarded_for_authorized_addrs (trusted source IPs), x_forwarded_for_hop_skips (number of hops of addresses skipped), x_forwarded_for_reject_not_authorized, x_forwarded_for_reject_not_present.
- TLS parameters: tls_disable (insecure communication), tls_cert_file, tls_key_file, tls_min_version (tls10, tls11, tls12, tls13), tls_cipher_suites, tls_prefer_server_cipher_suites, tls_client_ca_file, tls_require_and_verify_client_cert, tls_disable_client_certs.
- HTTP timeouts: http_idle_timeout (max time to wait for the next request), http_read_header_timeout (time allowed to read request headers), http_read_timeout and http_write_timeout (max duration to read the request or write the response).
- max_request_duration and max_request_size (default 32 MB; 0 turns off the limit).
- PROXY protocol: proxy_protocol_behavior (PROXY protocol v1) and proxy_protocol_authorized_addrs (list of allowed source IP addresses).
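The listener parameters above put together as a hardened configuration. This is an added example, not from the original notes or the Vault docs; addresses, file paths and CIDRs are placeholders.

```hcl
# Added example (not from the original notes). Addresses, paths and CIDRs
# are placeholders. Two listeners are declared, so api_addr and cluster_addr
# are set explicitly.
api_addr     = "https://vault.example.internal:8200"
cluster_addr = "https://vault.example.internal:8201"

# Public API listener: TLS on, TLS 1.2 floor, explicit cipher suites
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"

  tls_disable                     = false
  tls_cert_file                   = "/etc/vault.d/tls/vault.crt"
  tls_key_file                    = "/etc/vault.d/tls/vault.key"
  tls_min_version                 = "tls12"
  tls_prefer_server_cipher_suites = true
  tls_cipher_suites               = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

  # Optional mutual TLS: verify client certs against this CA when presented
  tls_client_ca_file                 = "/etc/vault.d/tls/client-ca.pem"
  tls_require_and_verify_client_cert = false

  # X-Forwarded-For: trust only the load balancer subnet, skip no hops,
  # reject requests without the header or from unauthorized sources
  x_forwarded_for_authorized_addrs      = "10.0.1.0/24"
  x_forwarded_for_hop_skips             = "0"
  x_forwarded_for_reject_not_authorized = true
  x_forwarded_for_reject_not_present    = true

  # PROXY protocol accepted only from the same load balancer subnet
  proxy_protocol_behavior         = "allow_authorized"
  proxy_protocol_authorized_addrs = "10.0.1.0/24"

  # HTTP limits; a max_request_size of 0 would remove the 32 MB cap
  http_idle_timeout        = "5m"
  http_read_header_timeout = "10s"
  http_read_timeout        = "30s"
  http_write_timeout       = "0"
  max_request_size         = 33554432
  max_request_duration     = "90s"
}

# Loopback-only listener for local tooling; TLS is still required
listener "tcp" {
  address       = "127.0.0.1:8300"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}
```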
SEAL STANZA
Configures the seal type, used for additional data protection: an HSM, a cloud HSM/KMS, or Shamir.

- Auto-seal mechanism: the seal encrypts and decrypts the master key. Configure Vault to use an HSM (PKCS#11), a cloud KMS, or Vault's Transit secrets engine as the seal.
- AWS KMS: supports key rotation of the master key, automatic or manual.
- GCP Cloud KMS: supports key rotation (scheduled or manual); key metadata is stored with the data so the correct key is used.
- Azure Key Vault: supports key rotation; Vault hosted on Azure can use managed service identities to access Key Vault.
- OCI KMS (Oracle).
STORAGE STANZA
Configures the storage backend location for Vault's information. Each backend has different trade-offs: some are better for HA, others better for backup and restore.

Backends listed (the diagram groups them by HA support; filesystem and in-memory are in the no-HA group): AWS S3, Cassandra, Google Cloud Spanner, PostgreSQL, Zookeeper, Manta, Google Cloud Storage, MySQL, Raft, FoundationDB, CockroachDB, Swift, OCI Object Storage, Etcd, CouchDB, Azure Blobs, DynamoDB, Consul, filesystem, in-memory.

Consul backend:
- Uses the time on the Vault node to implement the session lifetimes on its locks; clock skew across nodes could cause contention for health checks on locks.
- Registers Vault in Consul; durable storage.
- Supports a custom storage path, custom address, UNIX sockets, custom TLS and an ACL token.

SERVICE REGISTRATION STANZA
Configures Vault's mechanism for service registration. Designed for use cases where Consul is used for service discovery but a different storage backend is used.
TELEMETRY STANZA
Specifies various configurations for Vault to push metrics to upstream systems.

- Statsite: metric aggregation server based heavily on Etsy's statsd.
- Statsd: a network daemon that runs on a node and listens for statistics (counters, timers) and sends aggregates to services like Graphite.
- Stackdriver: Google Cloud telemetry.
- Circonus: machine data intelligence platform.
- Prometheus: open source monitoring solution.
- DogStatsD: Datadog service based on statsd.

VAULT UI
Web UI to create, read, update and delete secrets, as well as authenticate, unseal and more.

ENTROPY AUGMENTATION
Allows Vault to sample entropy from external cryptographic modules. Configure a supported seal: PKCS#11, AWS KMS or Vault Transit.
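A complete server configuration tying the stanzas from these notes together (seal, storage, service registration, telemetry and entropy augmentation). This is an added example, not from the original notes or the Vault docs; node names, paths, region, KMS key id and Consul address are placeholders.

```hcl
# Added example (not from the original notes). Placeholders: node name,
# paths, region, KMS key id and Consul address.
ui                   = true
cluster_name         = "vault-prod"
api_addr             = "https://vault-1.example.internal:8200"
cluster_addr         = "https://vault-1.example.internal:8201"
log_level            = "info"
log_format           = "json"
default_lease_ttl    = "768h"
max_lease_ttl        = "8760h"
raw_storage_endpoint = false   # raw endpoint stays off: highly privileged
disable_mlock        = true    # recommended with integrated storage (raft)

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

# Integrated storage: HA-capable, data lives on the Vault nodes themselves
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

# Consul used only for service discovery, not as the storage backend
service_registration "consul" {
  address = "127.0.0.1:8500"
  token   = "CONSUL_ACL_TOKEN_PLACEHOLDER"
}

# Auto-unseal: AWS KMS wraps the master key; key rotation is managed in KMS
seal "awskms" {
  region     = "eu-west-1"
  kms_key_id = "KMS_KEY_ID_PLACEHOLDER"
}

# Entropy augmentation (Vault Enterprise) sourced from the seal above
entropy "seal" {
  mode = "augmentation"
}

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
  statsite_address          = "127.0.0.1:8125"
}
```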