Set up HashiCorp Vault as a KMS service

HashiCorp Vault (Vault) is a clusterable, secure secret storage and management service.

Vault dev server

You can test embedded against a local Vault dev server (in-memory setup and storage; everything is lost on restart, so use it for testing only).

brew tap hashicorp/tap
brew install hashicorp/tap/vault

vault server -dev -dev-root-token-id root

export VAULT_ADDR=http://127.0.0.1:8200

Open http://127.0.0.1:8200/ui in the browser and log in with the dev root token set above (root).

Vault KMS deployment

Use HCP Vault (the hosted Vault cloud) or set up and deploy a persistent Vault service yourself. See: Hashicorp Vault Deployment. The base configuration below disables TLS on the listener; we recommend setting up HTTPS/TLS certificates in addition to it, so that tokens and plaintext sent to the transit engine are not exposed on the network. See: Medium enable vault HTTPS.

echo 'storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

disable_mlock = true

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true' > vault_config.hcl

# start server
vault server -config=vault_config.hcl

# init server (-n = number of unseal key shares, -t = shares required to unseal; 1/1 is only suitable for a single-node test setup)
vault operator init -n 1 -t 1

# unseal (paste the unseal key printed by init; repeat until the threshold is reached)
vault operator unseal

# log in once with the initial root token printed by init
vault login

# enable transit
vault secrets enable transit

Run embedded service

Add these KMS parameters to the embedded service command line (the token is the Vault token embedded will use to reach the transit mount; in production use a token with a policy scoped to that mount rather than the root token):

embedded --kms-vault-address="http://127.0.0.1:8200" --kms-vault-token="hvs.gCNPmjbs..." --kms-vault-mount="transit/" --kms-type=vault ...
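As an added example (not part of this page or of the embedded project), the following Python script exercises the transit mount with the same address, token and mount values the --kms-vault-* flags take, performing one encrypt/decrypt round trip over Vault's HTTP API. It assumes a key named embedded-key (hypothetical; transit creates it on first encrypt with default mount settings) and refuses a plain-HTTP address unless it points at loopback, matching the TLS caveat above.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import urlsplit


def check_address(address: str) -> None:
    """Refuse a non-TLS Vault address unless it is the local loopback listener."""
    parts = urlsplit(address)
    if parts.scheme == "https":
        return
    if parts.scheme == "http" and parts.hostname in ("127.0.0.1", "localhost", "::1"):
        return
    raise ValueError(f"refusing non-TLS Vault address {address!r}")


def transit_url(address: str, mount: str, op: str, key: str) -> str:
    """Build the transit endpoint URL: <addr>/v1/<mount>/<encrypt|decrypt>/<key>."""
    return f"{address.rstrip('/')}/v1/{mount.strip('/')}/{op}/{key}"


def encrypt_body(plaintext: bytes) -> dict:
    """Transit takes the plaintext base64-encoded in the JSON body."""
    return {"plaintext": base64.b64encode(plaintext).decode()}


def parse_ciphertext(resp: dict) -> str:
    """Transit ciphertext is prefixed with the key version, e.g. vault:v1:..."""
    ct = resp["data"]["ciphertext"]
    if not ct.startswith("vault:v"):
        raise ValueError("unexpected ciphertext format")
    return ct


def parse_plaintext(resp: dict) -> bytes:
    return base64.b64decode(resp["data"]["plaintext"])


def _post(url: str, token: str, body: dict) -> dict:
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def roundtrip(address: str, token: str, mount: str, key: str, plaintext: bytes) -> bool:
    """Encrypt then decrypt through transit; True if the plaintext survives the trip."""
    check_address(address)
    ct = parse_ciphertext(_post(transit_url(address, mount, "encrypt", key), token, encrypt_body(plaintext)))
    dec = _post(transit_url(address, mount, "decrypt", key), token, {"ciphertext": ct})
    return parse_plaintext(dec) == plaintext


if __name__ == "__main__":
    # Reads VAULT_ADDR and VAULT_TOKEN as the vault CLI does; sample plaintext is constructed.
    print(roundtrip(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], "transit/", "embedded-key", b"kms smoke test"))
```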