Setup Hashicorp Vault KMS service
HashiCorp Vault (Vault) is a clusterable service for securely storing and managing secrets.
Vault dev server
You can test embedded against a local Vault dev server (in-memory configuration and storage; nothing persists across restarts).
brew tap hashicorp/tap
brew install hashicorp/tap/vault
vault server -dev -dev-root-token-id root
export VAULT_ADDR=http://127.0.0.1:8200
Open http://127.0.0.1:8200/ui in the browser and sign in with the dev root token set above (root).
Vault KMS deployment
Use the Vault cloud offering or set up and deploy a persistent Vault service. See: Hashicorp Vault Deployment. We recommend setting up HTTPS/TLS certificates in addition to this base configuration: the listener below has tls_disable = "true", so the Vault token and every secret cross the wire in cleartext. See: Medium enable vault HTTPS
echo 'storage "raft" {
path = "./vault/data"
node_id = "node1"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
disable_mlock = true
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true' > vault_config.hcl
# start server
vault server -config=vault_config.hcl
# initialise the server (1 unseal key share, threshold 1; use more shares for production)
vault operator init -n 1 -t 1
# unseal (enter the unseal key printed by init)
vault operator unseal
# log in with the root token printed by init so the CLI can talk to the server
vault login
# enable transit
vault secrets enable transit
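Before pointing the embedded service at the KMS, it is worth confirming that the transit mount actually encrypts and decrypts. The following is an added example, not code from the page or from the embedded project: it drives the Transit HTTP API with the Python standard library, assuming VAULT_ADDR and VAULT_TOKEN are exported (for the dev server, http://127.0.0.1:8200 and root) and the mount is "transit/" as in the run command below; the key name embedded-smoke is a constructed placeholder.

```python
"""Smoke-test the Vault Transit engine after `vault secrets enable transit`.

Added example (not part of the original page or the embedded project).
Assumes VAULT_ADDR and VAULT_TOKEN are set and that the transit engine is
mounted at "transit/"; the key name used below is a constructed placeholder.
"""
import base64
import json
import os
import urllib.request
from typing import Optional, Tuple

DEFAULT_MOUNT = "transit/"   # same mount the page passes as --kms-vault-mount


def encrypt_body(plaintext: bytes) -> dict:
    """Transit expects the plaintext base64-encoded inside the JSON body."""
    return {"plaintext": base64.b64encode(plaintext).decode("ascii")}


def parse_ciphertext(ciphertext: str) -> Tuple[int, bytes]:
    """Split a Transit ciphertext 'vault:v<N>:<base64>' into (key version, raw bytes).

    The version records which key version produced the ciphertext, which is
    what makes key rotation on the transit key safe for old data.
    """
    prefix, version, data = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError(f"not a Transit ciphertext: {ciphertext!r}")
    return int(version[1:]), base64.b64decode(data)


def decode_plaintext(response: dict) -> bytes:
    """Decrypt responses carry base64 plaintext under data.plaintext."""
    return base64.b64decode(response["data"]["plaintext"])


def _vault_request(path: str, body: Optional[dict] = None) -> dict:
    """POST (GET when body is None) to the Vault HTTP API with the token header."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    token = os.environ["VAULT_TOKEN"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=data,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST" if body is not None else "GET",
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        # Key creation answers 204 with an empty body; everything else is JSON.
        return json.loads(raw) if raw else {}


def transit_roundtrip(key_name: str, plaintext: bytes, mount: str = DEFAULT_MOUNT) -> int:
    """Create the key if missing, encrypt, decrypt, and return the key version used."""
    mount = mount.strip("/")
    _vault_request(f"{mount}/keys/{key_name}", {})            # create-if-missing
    enc = _vault_request(f"{mount}/encrypt/{key_name}", encrypt_body(plaintext))
    ciphertext = enc["data"]["ciphertext"]
    version, _ = parse_ciphertext(ciphertext)
    dec = _vault_request(f"{mount}/decrypt/{key_name}", {"ciphertext": ciphertext})
    if decode_plaintext(dec) != plaintext:
        raise RuntimeError("Transit round-trip mismatch")
    return version


if __name__ == "__main__":
    # Constructed key name; pick a dedicated key for the embedded service in production.
    print("round-trip OK, key version", transit_roundtrip("embedded-smoke", b"hello kms"))
```

Run it once after `vault secrets enable transit`; a returned version of 1 means the mount works and the key has never been rotated. The same helpers can be pointed at a TLS-enabled deployment by exporting an https VAULT_ADDR.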
Run embedded service
Add these KMS parameters to the embedded service (the token is the Vault token the service authenticates with; the mount is the transit path enabled above):
embedded --kms-vault-address="http://127.0.0.1:8200" --kms-vault-token="hvs.gCNPmjbs..." --kms-vault-mount="transit/" --kms-type=vault ...