HashiCorp Vault is a powerful and versatile tool for managing secrets and encryption within an organization. It provides a centralized platform for storing, managing, and securely distributing sensitive information like passwords, API keys, certificates, and other confidential data.
Key Features:
- Centralized Secrets Management: Vault is a single, access-controlled store for secrets, so they no longer live in config files, CI variables, and wiki pages.
- Secure Storage: everything is encrypted at rest with AES-256-GCM behind Vault's storage barrier. The barrier key is itself protected by the root (unseal) key, which is split with Shamir's secret sharing or held by a cloud KMS (auto-unseal), so a copy of the storage backend alone reveals nothing.
- Fine-Grained Access Control: policies grant capabilities (read, create, update, delete, list) on specific paths, and a client can do only what the policies attached to its token allow.
- Dynamic Secrets: secrets engines for databases, cloud IAM, PKI, and SSH mint credentials on demand with a lease and a TTL; Vault revokes them when the lease ends, so a leaked credential has a short life.
- Auditing and Logging: audit devices record every request and response, with sensitive values HMACed rather than written in the clear. Audit logging is not on by default (and not in dev mode); it has to be enabled explicitly.
- Integration with Various Technologies: auth methods and secrets engines exist for Kubernetes, AWS, Azure, GCP, LDAP, and OIDC, and client libraries such as Spring Cloud Vault load secrets straight into application configuration.
Benefits:
- Enhanced Security: Vault helps mitigate the risks associated with hardcoding secrets in applications or storing them in insecure locations.
- Improved Efficiency: Centralized management of secrets streamlines operations and reduces the time spent on manual tasks.
- Reduced Risk of Breaches: By limiting access to secrets and rotating them regularly, Vault helps minimize the impact of potential security breaches.
- Compliance: Vault aids in complying with security and compliance standards by providing a robust audit trail and access controls.
How it Works:
- Secret Storage: secrets pass through the encryption barrier before they reach the storage backend (file, Consul, integrated Raft storage, or in-memory for dev mode).
- Authentication: a user or application logs in through an auth method (token, TLS certificate, AppRole, Kubernetes service account, cloud IAM, OIDC) and receives a Vault token.
- Authorization: the token carries policies, and every request is checked against them path by path. A token with the root policy bypasses all of this, which is why the dev root token must never leave the developer's machine.
- Secret Retrieval: the authorized client reads the paths its policies allow. For the KV engine used in this post, a read returns the latest version unless an older one is requested explicitly.
- Secret Rotation: dynamic credentials expire with their lease, the database engine can rotate static credentials on a schedule, and KV secrets are rotated by writing a new version.
By leveraging HashiCorp Vault, organizations can significantly improve their security posture, streamline operations, and meet compliance requirements.
Step By Step Set Up HashiCorp Vault in Windows OS :
Step 1 : Search for "hashicorp vault", or go directly to https://www.hashicorp.com/products/vault
Step 2 : On the product page click the Developers option.
Step 3 : In the left panel click Install, select Windows, and click Download. The Vault binary is downloaded as a zip file.
Step 4 : Extract the zip file and rename the extracted folder; here the folder is named crtrvault. It contains vault.exe. Open the folder in Command Prompt.
Step 5 : Run "vault server -dev". This starts a dev-mode instance: in-memory storage, already unsealed, plain HTTP on 127.0.0.1:8200, and a root token printed to the console (and saved to the .vault-token file in your user profile, so the vault CLI is logged in without further steps). Everything is lost when the process stops, and none of this is suitable for production; the console output says so itself.
Step 6 : As shown in the console, open the Vault UI at http://127.0.0.1:8200
Step 7 : Copy the root token from the console. In this run it was hvs.HLWnPObKDwqlRUsRXF3qjEow; yours will differ and it changes on every restart, so never write it into source code or config files. Select the Token method and paste it to log in.
Vault login successful :
Now Lets Create Our Secret Values In Vault :
In the UI open the secret/ engine (dev mode mounts a KV version 2 engine at this path) and click Create secret.
Enter the path and the key/value pairs. For the Spring Boot application below the path must be one that Spring Cloud Vault reads by default: crtrhashicorpapp (the spring.application.name) or application. The keys are crtr.db.username and crtr.db.password, with test values such as crtrappun and crtrpwdnew. Click Add for each pair, then Save.
After saving, the secret is listed and its values can be viewed.
Because this is KV v2, every save creates a new version. To change the password, click Create new version, enter the new password and save. Earlier versions remain readable under Version History until they are deleted or destroyed, which is worth remembering when a password is rotated because it leaked: rotate it, then destroy the old version.
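The same setup from the command line, as an added example that is not part of the original post. It performs the UI steps above (write the secret, write a new version, read the history) and then does what the walkthrough skips: it creates a least-privilege policy and a short-lived, non-root token for the application, which is the authenticate/authorize/retrieve flow from "How it Works" done properly. It assumes the dev server from this post on http://127.0.0.1:8200 (whose root token is already in .vault-token) and the app name crtrhashicorpapp; the policy name crtrhashicorpapp-read and the version-1 password crtrpwd are this example's own choices. It is written for bash (Git Bash or WSL on Windows); the vault commands themselves are identical in Command Prompt, except that the policy would be written from a file instead of a heredoc.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. CLI equivalent of the UI
# steps, plus a least-privilege policy and a non-root token for the Spring
# Boot app. Assumes the dev server on http://127.0.0.1:8200 with its root
# token already in ~/.vault-token, and the app name "crtrhashicorpapp". The
# policy name and the version-1 password are this example's own choices.
set -eu

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
APP_NAME="crtrhashicorpapp"
POLICY_NAME="${APP_NAME}-read"

# Spring Cloud Vault reads KV v2 secrets from secret/<spring.application.name>
# and secret/application. On the API, and therefore in policies, a KV v2 mount
# splits into secret/data/<name> for values and secret/metadata/<name> for the
# version history.
kv_data_path()     { printf 'secret/data/%s' "$1"; }
kv_metadata_path() { printf 'secret/metadata/%s' "$1"; }

# Least-privilege policy: read this one secret and list its versions, nothing else.
app_policy_hcl() {
  cat <<EOF
path "$(kv_data_path "$1")" {
  capabilities = ["read"]
}
path "$(kv_metadata_path "$1")" {
  capabilities = ["read", "list"]
}
EOF
}

# Pre-flight check before a token is handed to an application: given the JSON
# from `vault token lookup -format=json`, succeed (exit 0) if the token carries
# the root policy. Whitespace is stripped first because the CLI pretty-prints
# the policies array one element per line.
token_is_root() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -Eq '"policies":\[[^]]*"root"'
}

apply() {
  # 1. Store the credentials. Each `kv put` writes a whole new version, so the
  #    second call must repeat the username (use `kv patch` to change one key).
  vault kv put "secret/${APP_NAME}" crtr.db.username=crtrappun crtr.db.password=crtrpwd
  vault kv put "secret/${APP_NAME}" crtr.db.username=crtrappun crtr.db.password=crtrpwdnew
  vault kv get -field=crtr.db.password "secret/${APP_NAME}"             # crtrpwdnew
  vault kv get -version=1 -field=crtr.db.password "secret/${APP_NAME}"  # crtrpwd, still readable
  vault kv metadata get "secret/${APP_NAME}"                            # the UI's Version History

  # 2. Policy plus a short-lived token limited to it; this is what the app gets.
  app_policy_hcl "$APP_NAME" | vault policy write "$POLICY_NAME" -
  app_token="$(vault token create -policy="$POLICY_NAME" -ttl=1h -field=token)"

  # 3. Prove the token can read the secret, cannot write it, and is not root.
  VAULT_TOKEN="$app_token" vault kv get "secret/${APP_NAME}" >/dev/null
  if VAULT_TOKEN="$app_token" vault kv put "secret/${APP_NAME}" x=y 2>/dev/null; then
    echo "policy too broad: app token can write" >&2; exit 1
  fi
  if token_is_root "$(VAULT_TOKEN="$app_token" vault token lookup -format=json)"; then
    echo "refusing to hand a root token to the app" >&2; exit 1
  fi

  # 4. Dev mode has no audit device; enable one so every secret read leaves a
  #    trail. The path is resolved by the server process, not by this shell.
  vault audit enable file file_path=vault-audit.log

  echo "Set VAULT_TOKEN=${app_token} in the app's environment, not in application.properties."
}

# Talk to Vault only when asked, so the helpers above can be sourced and checked.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as `bash vault-setup.sh apply` while the dev server is up. The token it prints is what the Spring Boot application should use: it can read secret/crtrhashicorpapp and nothing else, and it expires after an hour, so a leak from a log file or a laptop is bounded in both scope and time, which the root token is not.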
Now Lets Create Spring Boot Application Step By Step
Step 1 : Create a new Spring Boot project (Spring Initializr or your IDE's project wizard).
Step 2 : Click Next and add the dependencies: Spring Web and Vault Configuration (spring-cloud-starter-vault-config). Spring Boot DevTools is optional.
Step 3 : Click Finish.
The resulting pom.xml is below. Check the Spring Boot version: Spring Cloud 2024.0.0 is the release train for Spring Boot 3.4.x, and other combinations need a different spring-cloud.version or extra properties.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.4.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.crtr4u</groupId>
    <artifactId>hashicorpdemo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>crtr4uHashiCorpDemos</name>
    <description>Demo project for Spring Boot using hashicorp</description>
    <url/>
    <licenses>
        <license/>
    </licenses>
    <developers>
        <developer/>
    </developers>
    <scm>
        <connection/>
        <developerConnection/>
        <tag/>
        <url/>
    </scm>
    <properties>
        <java.version>21</java.version>
        <spring-cloud.version>2024.0.0</spring-cloud.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-vault-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
here is my application.properties :
A note on how this file was first written: the root token (hvs.HLWnPObKDwqlRUsRXF3qjEow) was Base64-encoded with an online encoder and placed in spring.cloud.vault.gcp-iam.credentials.encoded-key. That is not how token authentication is configured, and it does not protect anything. Base64 is an encoding, not encryption, so anyone who can read the file recovers the token in one step, and pasting a live token into a third-party web tool hands it to that site. The gcp-iam.* properties belong to the GCP IAM auth method (they expect a Base64 service-account key) and are ignored unless spring.cloud.vault.authentication=GCP_IAM; with the default TOKEN method the property is spring.cloud.vault.token. The application most likely still started because vault server -dev saves the root token to the .vault-token file in the user profile and Spring Cloud Vault falls back to that file when no token is configured (an assumption here; confirm it against the reference documentation for your Spring Cloud Vault version). The corrected file below takes the token from the VAULT_TOKEN environment variable, so no secret is committed with the code, and in a real deployment that variable should hold a scoped token, never the root token:

spring.application.name=crtrhashicorpapp
spring.config.import=vault://
spring.cloud.vault.scheme=http
spring.cloud.vault.host=127.0.0.1
spring.cloud.vault.port=8200
spring.cloud.vault.authentication=TOKEN
spring.cloud.vault.token=${VAULT_TOKEN}

With these settings Spring Cloud Vault reads the KV v2 paths secret/crtrhashicorpapp and secret/application at startup and exposes their keys (crtr.db.username, crtr.db.password) as ordinary properties.
created sample class as :

package com.crtr4u;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

import jakarta.annotation.PostConstruct;

@Service
public class DbDetailsConfig {

    // Injected from the Vault secret through Spring Cloud Vault's property source
    @Value("${crtr.db.username}")
    private String dbUserName;

    @Value("${crtr.db.password}")
    private String dbPassword;

    // Demo only: this prints the password to stdout, where it ends up in console
    // history and log collectors. Remove it once the wiring is confirmed; a real
    // service passes dbPassword to a DataSource and never logs it.
    @PostConstruct
    public void getDbDetails() {
        System.out.println(dbUserName + " " + dbPassword);
    }
}

here is my main class :

package com.crtr4u;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Crtr4uHashiCorpDemosApplication {

    public static void main(String[] args) {
        SpringApplication.run(Crtr4uHashiCorpDemosApplication.class, args);
    }
}
When you run the application, the console prints the username and password read from Vault. In the log below the first line, crtrappun crtrpwdnew, is that output; the rest is normal startup logging:

crtrappun crtrpwdnew
2024-12-07T01:54:14.904+05:30 INFO 12604 --- [crtrhashicorpapp] [ restartedMain] o.s.b.d.a.OptionalLiveReloadServer : LiveReload server is running on port 35729
2024-12-07T01:54:15.923+05:30 INFO 12604 --- [crtrhashicorpapp] [ restartedMain] o.s.cloud.commons.util.InetUtils : Cannot determine local hostname
2024-12-07T01:54:15.968+05:30 INFO 12604 --- [crtrhashicorpapp] [ restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port 8080 (http) with context path '/'
2024-12-07T01:54:16.983+05:30 INFO 12604 --- [crtrhashicorpapp] [ restartedMain] o.s.cloud.commons.util.InetUtils : Cannot determine local hostname
2024-12-07T01:54:16.997+05:30 INFO 12604 --- [crtrhashicorpapp] [ restartedMain] c.c.Crtr4uHashiCorpDemosApplication : Started Crtr4uHashiCorpDemosApplication in 5.055 seconds (process running for 5.557)
Happy Learning…