[NEW] HashiCorp Vault for the Absolute Beginner (with Labs)

In this module, you’ll learn what HashiCorp Vault is, its key benefits, and how it manages sensitive data securely. We’ll cover Vault’s features, real-world use cases, and the differences between the Community, Enterprise, and Managed Service versions. Finally, you'll be guided through the installation process to get Vault up and running in your environment.

In this lecture, you'll learn how HashiCorp Vault helps secure and manage sensitive data like passwords, API keys, and certificates. Vault provides encrypted storage, strict access control, and comprehensive audit logging. Key features include:

• Dynamic credentials for cloud platforms and databases.

• PKI automation for TLS certificate management.

• Encryption as a service for centralized key management.

• Kubernetes integration for secure secret injection.

• Identity-based access control for granular security.

• Robust API support for automation workflows.

Vault simplifies secrets management, enhances security, and ensures compliance.

This lecture covers the key challenges that HashiCorp Vault addresses in secrets management. Vault eliminates the risks of hard-coded secrets by securely storing passwords, API keys, and tokens outside of code. It centralizes secrets to prevent secret sprawl and improves visibility and control. Vault enforces governance through access policies, following the principle of least privilege. By generating dynamic, time-bound credentials, Vault reduces the risk of credential theft. Finally, detailed audit logging ensures compliance, providing a transparent record of who accessed secrets and when.

This lecture covers the different versions of HashiCorp Vault. The Community version is free, offering core secrets management for small teams. Vault Enterprise adds advanced features like replication, governance, and premium support for larger organizations. HCP Vault is a fully managed cloud service with automatic scaling and updates. Vault Secrets provides simple cloud-based credential storage, while Vault Radar scans codebases for exposed secrets. This course focuses on self-hosted Vault to help you understand its deployment and management.

In this lecture, you’ll learn how to interact with HashiCorp Vault using three primary interfaces: the HTTP API, CLI, and UI. The API offers the most comprehensive access to Vault’s features, ideal for automation and integrations. The CLI is perfect for managing secrets, policies, and daily tasks from the terminal. The UI provides a user-friendly, visual interface for managing secrets, though it lacks some advanced features. Choose the interface based on your needs — users typically prefer the CLI or UI, while applications and orchestration layers often use the API.

In this lecture, you'll learn how to install HashiCorp Vault on a host machine for development or production use. Vault’s installation process is simple, thanks to its single binary distribution. You'll cover the use of package managers for platforms like Ubuntu, CentOS, Windows, and macOS, as well as using Helm charts for Kubernetes deployments. After installation, you'll explore the basics of configuring Vault, including storage backends, encryption settings, and network interfaces.

In this demonstration, we install HashiCorp Vault on a brand-new EC2 instance using a package manager for Amazon Linux. The demo walks through downloading the Vault binary, configuring Vault with a basic Raft storage backend, and setting up network interfaces for accessibility. You’ll learn how to edit the Vault configuration file, disable TLS for testing (not recommended for production), and use systemd to start the Vault service. The demo concludes with verifying the installation using the vault status command.

In this lab, you will go beyond basic Vault commands and focus on how to use the CLI efficiently. You will explore the most important Vault environment variables, control output formatting, extract values for use in scripts, interact with Vault using raw API paths, and work with advanced KV operations including patch updates, versioning, and metadata management.

This lab introduces you to basic Vault operations using the CLI, including authenticating, enabling secrets engines, and managing secrets using key-value storage.

In this section, you'll gain a solid understanding of HashiCorp Vault's architecture and how its components work together to secure secrets. You'll explore the core concepts of Vault, how it encrypts secrets at rest, and manages access control. You'll also learn to choose the best unseal method for your organization and understand the steps to initialize a Vault cluster. By the end, you'll be equipped with the foundational knowledge needed to deploy and manage Vault in real-world environments.

In this lecture, you'll explore the core components of HashiCorp Vault and how they interact. The HTTP API serves as the primary interface, while the storage backend securely stores encrypted data. The Vault core manages policies and access control. Secrets engines handle secrets, and auth methods manage authentication. The audit system logs actions for compliance, and the barrier encrypts data before storage. Vault’s path-based structure organizes secrets and configurations.

By the end of this lecture, you’ll be able to:

• Understand Vault's architecture and key components.

• Explain how secrets are stored, managed, and accessed.

• Navigate Vault’s path-based system to interact with different features.

In this lecture, you'll learn about the storage backend in HashiCorp Vault, a critical component that determines where and how sensitive data is stored. The storage backend is defined in Vault’s configuration file and supports various options, including cloud storage (AWS S3) and databases (Postgres). The recommended choice for most deployments is Integrated Storage due to its simplicity, high availability, and performance.

Vault ensures end-to-end security by encrypting data in transit (TLS) and at rest (AES-256). Data protection relies on two keys: the encryption key (stored in memory) and the root key (never stored in plaintext). Vault also supports encryption key rotation to meet compliance needs without downtime.

By the end of this lecture, you’ll be able to:

• Understand the role of the storage backend in Vault.

• Explain how Vault encrypts and protects data.

• Identify when to use Integrated Storage.

In this lecture, you'll learn about the Vault initialization process, a crucial step to prepare HashiCorp Vault for storing secrets. During initialization, Vault generates the root key, the encryption key, key shares for unsealing, and the initial root token for administrative access. You'll decide on the key threshold, which is the minimum number of key shares needed to reconstruct the root key and unseal Vault. Initialization is performed once per cluster and can be done via the CLI, API, or UI. The lecture concludes with a CLI demo of initializing a new Vault cluster.

By the end of this lecture, you’ll be able to:

• Understand the importance of Vault initialization.

• Explain key components like the root key, encryption key, and key shares.

• Perform Vault initialization using the CLI.

In this demonstration, we initialize a HashiCorp Vault node. Starting with the vault status command, we verify that Vault is uninitialized and sealed. Using vault operator init, we initialize the node, generating unseal keys and the initial root token for administrative access. After initialization, the status confirms Vault is ready but remains sealed until the unseal process is completed. The demo highlights key details like the default key shares (5) and threshold (3) needed for unsealing. Remember, initialization is a one-time process per Vault cluster, performed on a single node.

In this lecture, you'll learn about the seal and unseal process in HashiCorp Vault. When Vault starts, it is in a sealed state and cannot read or write data until unsealed. During the unseal process, Vault reconstructs the root key, which decrypts the encryption key needed to access the storage backend.

There are three unseal methods:

1. Key Sharing (Shamir): The default method, where the root key is split into key shares (unseal keys), requiring a threshold to unseal.

2. Auto Unseal: Automates unsealing using a KMS service or HSM for encryption.

3. Transit Auto Unseal: Uses another Vault cluster’s Transit Secrets Engine to securely manage unsealing, ideal for air-gapped environments.

In this lecture, you'll learn how to unseal HashiCorp Vault using the default key-sharing mechanism (Shamir). During initialization, Vault generates a root key that is split into key shares (unseal keys), which are distributed to trusted employees. To unseal Vault, a threshold number of key shares must be provided. This ensures no single person can unseal Vault alone, enhancing security.

For added protection, PGP encryption can secure unseal keys during initialization, ensuring only holders of private PGP keys can decrypt them. The vault operator rekey command helps rotate these keys, mitigating the risk of compromise or accommodating staff changes.

By the end of this lecture, you’ll be able to:

• Explain how Vault's default unseal process works.

• Understand the importance of key shares and distributing them securely.

• Utilize PGP encryption for additional key protection.

In this demo, we unseal a HashiCorp Vault node using unseal keys generated during initialization. First, we verify the node’s status with vault status, confirming it’s sealed and requires three of five key shares to unseal. We use the vault operator unseal command to provide three unseal keys in any order. After the third key, the node becomes unsealed (sealed status changes to false), allowing interaction with Vault. We then use the root token to authenticate with vault login and run commands like vault secrets list and vault auth list to begin configuring Vault.

In this lecture, students will learn how Auto Unseal automates Vault’s unseal process using a cloud KMS (AWS, Azure, GCP) or an on-premises HSM. Instead of manually entering unseal keys, Vault retrieves the encrypted root key on startup, reducing downtime and eliminating manual steps. During initialization, Vault generates recovery keys for administrative tasks instead of unseal keys.

By the end of this lecture, you’ll be able to:

• Explain how Auto Unseal works.

• Understand the difference between recovery keys and unseal keys.

• Identify when Auto Unseal is beneficial for your environment.

In this demo, we configure Auto Unseal in HashiCorp Vault using AWS KMS. After stopping the Vault service and deleting existing Raft data, we modify the configuration file to add a seal stanza specifying the AWS region and KMS key ID. Upon restarting the service and running vault operator init, Vault uses Auto Unseal to automatically decrypt the root key via AWS KMS. Unlike manual unseal, Vault returns recovery keys instead of unseal keys. After a service restart, Vault automatically unseals, improving uptime and simplifying maintenance.

In this lecture, students will learn about Transit Auto Unseal, a method that uses the Transit Secrets Engine of another Vault cluster to automate unsealing. This approach is ideal for environments where cloud services or HSMs aren’t allowed, such as financial or government sectors. Transit Auto Unseal supports key rotation, enhancing security by reducing the risk of key compromise over time. It is available in both Community and Enterprise versions of Vault.

By the end of this lecture, you’ll be able to:

• Explain how Transit Auto Unseal works.

• Identify use cases where Transit Auto Unseal is beneficial.

• Understand how Transit Auto Unseal supports key rotation and enhances security.

In this lab, you will learn how to initialize and unseal a Vault server using Shamir's Secret Sharing. You will create 5 unseal keys with a threshold of 3, demonstrate the threshold requirement, rekey the unseal configuration, rotate the encryption key, generate a new root token, and practice revoking the root token as a security best practice.

In this section, students will explore the core components that make HashiCorp Vault a powerful tool for managing secrets. You’ll learn about Vault tokens for authentication and access control, how to select and configure the appropriate authentication method, and how to log interactions using an audit device for security and compliance. Additionally, you’ll understand how secrets engines are used to securely store and access sensitive data like passwords, API keys, and certificates.

By the end of this lecture, you’ll be able to:

• Understand Vault tokens and their role in authentication.

• Select and configure the correct authentication method.

• Implement audit devices to log interactions for security and compliance.

• Use secrets engines to manage and access sensitive data securely.

In this lecture, students will learn how Vault tokens enable authentication and access control in HashiCorp Vault. Tokens act as credentials for accessing secrets and performing operations, and they are tied to policies to enforce permissions. You’ll explore the differences between service tokens (default) and batch tokens (lightweight), as well as key attributes like TTL, use limits, and network restrictions. Understanding token hierarchies helps manage security by ensuring child tokens are revoked with parent tokens.

By the end of this lecture, you’ll be able to:

• Explain the role of Vault tokens in authentication.

• Differentiate between service tokens and batch tokens.

• Manage token attributes like TTL, use limits, and network restrictions.

In this demo, we explore how to create, manage, and revoke Vault tokens using the CLI. We start by inspecting the root token and then create new tokens, demonstrating the concept of token hierarchy (parent and child tokens). We also cover how to create orphan tokens, which are independent of parent tokens, and add attributes like TTL and policies. The demo highlights important commands such as vault token lookup, vault token create, and vault token revoke.

Key Points Covered:

• Creating and inspecting service tokens.

• Understanding parent-child token relationships.

• Creating orphan tokens with a TTL.

• Revoking and renewing tokens.

• The importance of avoiding unnecessary root tokens.

In this lab, you will learn about the different Vault token types and how to manage them. You will create and compare service tokens, batch tokens, periodic tokens, and orphan tokens, and practice working with token roles.

In this lecture, students will learn how Vault authentication methods allow users and systems to securely access Vault. Auth methods verify identities and assign policies to control what clients can do within Vault.

By the end of this lecture, students will be able to:

• Identify different types of Vault auth methods for both humans and machines.

• Enable and configure auth methods in Vault.

• Understand the difference between human-based and machine-based authentication.

• Define roles to manage client permissions within Vault.

In this demo, we’ll enable and configure authentication methods in Vault, create users and roles, and observe how tokens are generated and governed by policies.

By the end of this demo, students will be able to:

• List enabled auth methods in Vault.

• Enable new auth methods, such as userpass and approle.

• Create and manage users and roles with associated policies.

• Log in with different auth methods and verify the resulting tokens.

• Revoke tokens and understand token-based access control.

In this lab, you will configure and test Vault's username and password authentication method. You will enable the auth method, create users with different policies, and verify that each user's permissions are enforced correctly.

In this lab, you will configure and use Vault's AppRole authentication method to enable machine-to-machine authentication. AppRole is designed for applications and automated workflows that need to authenticate with Vault without human interaction. You will create an AppRole role, retrieve its RoleID and SecretID credentials, log in using those credentials, and verify that the resulting token enforces the permissions defined in your policy.

In this lab, you will configure and test Vault's Kubernetes authentication method using a mock setup. You will generate mock credentials to simulate a Kubernetes cluster, enable and configure the auth method, create a policy and role for an application, and simulate a Kubernetes service account login. Note that this lab does not have a REAL Kubernetes cluster to connect to.

In this lecture, students will learn how Vault’s audit devices provide critical visibility into all actions within the system, ensuring security and compliance. Audit devices track interactions, log activities, and protect sensitive data in logs.

By the end of this lecture, students will be able to:

• Understand what audit devices are and their role in security and compliance.

• Identify the different types of audit devices: File, Syslog, and Socket.

• Recognize the advantages and challenges of each audit device type.

• Understand the importance of redundancy by enabling multiple audit devices.

• Explain how Vault halts operations if it cannot write to an audit log.

In this demo, students will learn how to enable and use the file audit device in Vault to track and review client interactions. The demonstration covers configuring the audit log, understanding the output, and using the audit log to troubleshoot and ensure security compliance.

• How to enable the file audit device in Vault.

• How to specify the file path for audit logs.

• How to view and interpret audit logs formatted in JSON.

• The importance of permissions for writing audit logs.

• How to troubleshoot using audit logs to track operations and errors.

In this lab, you will enable and configure a file audit device in Vault, generate audit log entries through a series of Vault operations, and analyze the resulting log output. You will also practice common audit device management tasks such as disabling and re-enabling audit devices at different paths.

In this lecture, students will learn about Vault secrets engines and how they handle the secure storage, access, and lifecycle of secrets. We will explore the difference between static and dynamic secrets, the types of secrets engines available, and the role of configurations and policies in managing secrets effectively.

• What secrets engines are and their role in Vault.

• Types of secrets Vault manages, including static and dynamic secrets.

• Common secrets engines, such as key-value, database, cloud providers (AWS, Azure, GCP), and PKI.

• How to enable and configure secrets engines for different use cases.

• The importance of roles in secrets engines for defining access permissions.

In this demo, students will learn how to enable, configure, and use the a secrets engine to dynamically generate dynamic credentials. This process ensures secure, short-lived access to AWS services, improving security and reducing the risk of credential misuse.

• Enable the AWS secrets engine in Vault.

• Configure root credentials to allow Vault to interact with the AWS account.

• Create roles in the AWS secrets engine to define permission sets.

• Generate dynamic AWS credentials based on the roles.

• Understand role-based permissions and how to restrict access to specific AWS services

In this lecture, students will learn about the Key-Value (K/V) Secrets Engine in Vault and how it manages static secrets like API keys, passwords, and configuration data. They will explore the differences between K/V Version 1 and K/V Version 2, including the benefits of versioning, metadata, and rollback capabilities. The lecture also covers best practices for organizing secrets and enforcing access control through policies.

• Understand the differences between K/V Version 1 and K/V Version 2.

• Enable the K/V Secrets Engine at different paths for various use cases.

• Store and retrieve static secrets as key-value pairs.

• Organize secrets using meaningful paths and directory structures.

• Manage access control with policies to secure secrets.

• Use versioning and metadata features in K/V Version 2 to track changes and roll back secrets.

In this demo, students will enable, configure, and use the K/V Secrets Engine in Vault. They will explore the differences between K/V Version 1 and Version 2 by writing, reading, updating, and deleting secrets, with a focus on versioning features in K/V 2.

Learning Outcomes:

• Enable K/V Secrets Engine (Version 1 and 2).

• Store and retrieve secrets using key-value pairs.

• Update secrets and understand overwrites in K/V 1.

• Use versioning in K/V 2:

  • Read specific versions.

  • Roll back and undelete secrets.

  • Permanently destroy secrets.

• List and identify K/V engine versions.

In this lab, you will learn the differences between KV v1 and KV v2 secrets engines through hands-on practice. You will perform basic read and write operations on both versions, then explore KV v2 specific features including versioning, soft delete, rollback, and metadata management.

In this lecture, students will learn how the Database Secrets Engine in Vault dynamically generates short-lived database credentials. They will explore configuring database connections, defining roles, and managing access securely.

Key Points:

• Database Secrets Engine generates temporary credentials for databases.

• Configuration includes specifying the target database and admin credentials.

• Roles define permissions for generated credentials.

• Dynamic Credentials are created on request and automatically revoked.

• Access Control enforces policies for secure credential management.

In this demo, students will learn how to enable and use the Database Secrets Engine in Vault to generate dynamic credentials for a MySQL database hosted on AWS RDS.

They will see how to configure Vault to connect to the database, create roles with specific permissions, and dynamically generate short-lived credentials. The demo also covers how to revoke credentials manually and how Vault ensures credentials are automatically revoked when their lease expires.

Learning Outcomes:

• Enable the Database Secrets Engine in Vault.

• Configure Vault to connect to a MySQL database.

• Create roles to define database permissions.

• Generate and revoke dynamic database credentials.

• Understand the importance of short-lived credentials for security.

In this lab, you will use Vault's Transit secrets engine to perform encryption operations. You will create and manage encryption keys, encrypt and decrypt data, rotate keys, configure key management settings, and generate data keys.

In this lab, you will use Vault's PKI secrets engine to create and manage a Public Key Infrastructure. You will set up a root CA, create an intermediate CA, and generate certificates for services using both direct CLI output and file-based methods. You will also create a Vault policy to authorize an application to request certificates.

In this lab, you will learn how to create and use response wrapping tokens to securely share Vault secrets. Response wrapping allows you to pass a secret to another party without exposing the secret itself, using a single-use token that expires after a configurable TTL.

In this lecture, students will learn about Vault policies and their role in controlling access to secrets and resources.

Policies are fundamental to enforcing security and compliance by defining what actions users, applications, or services can perform in Vault. This module covers writing policies, understanding their syntax, and applying them to users and tokens.

Learning Outcomes:

• Understand how policies enable role-based access control (RBAC).

• Learn the structure and syntax of a Vault policy.

• Write policies to define client permissions.

• Apply policies to users and tokens for secure access control.

In this lecture, students will learn how Vault policies enforce access control through role-based access control (RBAC). We’ll break down the structure of policies, including paths and capabilities, and explain concepts like deny-by-default and cumulative permissions. You’ll also see how wildcards simplify managing multiple paths.

By the end of this lecture, you’ll be able to:

• Explain the role of Vault policies in securing secrets.

• Identify key components: paths and capabilities.

• Apply the principles of deny-by-default and least privilege.

• Use wildcards to simplify policy management.

In this lecture, students will learn how to manage policies in Vault using the vault policy command. They’ll explore key subcommands like write, delete, list, read, and fmt to create, update, and maintain policies. The lecture also covers built-in policies such as root and default, and how policies are attached to tokens and roles to enforce access control.

By the end of this lecture, you’ll be able to:

• Use the vault policy command to manage policies.

• Understand built-in policies and their roles.

• Assign policies to tokens and roles for controlled access.

In this demo, we create and manage Vault policies using the vault policy command. We start by writing a policy in HCL that allows read and list access to a specific KV v2 path, then upload it to Vault using vault policy write. We test the policy by creating a token with the policy attached and verifying its permissions. We also demonstrate how to update policies and create them directly on the command line.

By the end of this demo, you’ll be able to:

• Create and upload policies to Vault.

• Assign policies to tokens and test their permissions.

• Update existing policies in Vault.

• Create policies using heredoc syntax for automation.

In this lab, you will learn how to create and manage HashiCorp Vault policies. Policies are used to define what actions users and entities can perform within Vault. You will create different types of policies and test their effectiveness using the Vault CLI.

In this section, we explore how Vault integrates with various platforms to enhance your organization's security posture. Vault works seamlessly with cloud providers, databases, CI/CD pipelines, and more, allowing you to automate secrets management, credential handling, and encryption. This automation helps reduce the risk of exposure and human error. We’ll review popular integration options and how they secure your infrastructure.

By the end of this lecture, you’ll be able to:

• Understand how Vault integrates with different platforms.

• Identify ways to automate secrets management.

• Enhance your organization’s security posture through integrations.

In this lecture, students will learn how Vault enhances organizational security by centralizing secrets, adopting dynamic secrets, enforcing access control, and providing audit trails. By integrating Vault with critical areas like Terraform and CI/CD pipelines, security practices can be streamlined and exposure risks minimized.

By the end of this lecture, you’ll be able to:

• Explain how centralized secrets reduce sprawl.

• Describe the benefits of dynamic secrets for security.

• Understand the role of access control policies and audit trails.

• Identify key steps to integrate Vault into existing infrastructure.

In this lecture, students will learn how Vault integrates with Terraform to improve the security of infrastructure provisioning. Instead of using long-lived static credentials, Vault provides dynamic, short-lived credentials to Terraform, reducing the risk of exposure. This integration ensures credentials are generated securely and automatically revoked after use, enhancing security and accountability.

By the end of this lecture, you’ll be able to:

• Explain the risks of using static credentials with Terraform.

• Describe how Vault generates dynamic credentials for Terraform.

• Configure Terraform to authenticate with Vault and use dynamic credentials.

• Understand how Vault's lease mechanism minimizes credential exposure.

In this lecture, students will learn how to integrate HashiCorp Vault with CI/CD pipelines to enhance security. By using Vault, you can avoid static secrets in your pipelines and centralize secret management, reducing the risk of exposure and improving compliance. Vault can dynamically provide short-lived credentials to tools like Jenkins and Kubernetes, ensuring secure deployments.

By the end of this lecture, you’ll be able to:

• Explain the challenges of managing secrets in CI/CD pipelines.

• Understand how Vault provides dynamic credentials to CI/CD tools.

• Identify methods to integrate Vault with Jenkins and Kubernetes.

• Enhance CI/CD security by reducing reliance on static secrets.

Configure Vault Agent to authenticate automatically using AppRole, write a managed token to a file sink, and render a KV secret into a plain configuration file using Consul Template syntax. Update the secret in Vault and observe the agent re-render the file without restarting.