Day: November 29, 2021

Enable SSL for Hashicorp Vault

Enable SSL for Hashicorp Vault

Update configuration

vault.json

cat vault.json
{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_enable": 1,
      "tls_cert_file": "/vault/config/cert.pem",
      "tls_key_file": "/vault/config/privkey.pem"
    }
  },
  "ui": true
}

Copy certificate files

Copy into /vault/config folder

Restart vault container

Unseal

References

Hashicorp - SSL/TLS Question #212

Admin Token for AppRole in Hashicorp Vault

Admin Token for AppRole in Hashicorp Vault

As suggested, root token should not be used, and it should be revoked immediately after used.

Root token

Follow the steps in page below to create a new root token and revoke it after used.

Generate a new root token for Hashicorp Vault

Admin token

For example, SSH secret engine, following admin policy can be created

vault policy write ssh-admin-policy - << EOF
# SSH secret engine
path "ssh-client-signer/sign/*" {
  capabilities = ["create", "read", "update", "delete", "sudo", "list" ]
}

# Mount the AppRole auth method
path "sys/auth/approle" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the AppRole auth method
path "sys/auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

# Create and manage roles
path "auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

##### Add other requirement if required. For example
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF

Then create token under this policy

vault token create -field token -policy=ssh-admin-policy

The using this token follow the steps in page below:

Signed SSH Certificates using Hashicorp Vault in Practice

  • Generate role_id and secret_id
  • Login using role_id and secret_id
  • Generate SSH policy token
  • Use SSH policy token to generate signed public key
  • Use the signed public key and private key to login to remote system

Renew token itself

To get renew token before expired, run following command

vault token renew

The expire time can be view using following command

vault token lookup

References

Tokens
AppRole Pull Authentication

Macbook Pro unable to reinstall from Time Machine

Macbook Pro unable to reinstall from Time Machine

The reinstallation was hung with following message:

Preparing to restore "Machintosh HD"...

After a few hours, still the same. Hard reboot later found that no modification in old OS, even requested erasing the disk.

Actions taken

Formatted disk before retry, got same issue.

Possible issue

The possible issue could be that the Mac can not reach Time Machine backup, because there is no blinking of the backup USB disk.

Solution

Install fresh OS, then start performing OS transfer from Time Machine backup.