Install Vault

System preparation

  1. Open the firewall ports for incoming Vault connections (8200 for the API and 8201 for cluster traffic):

    # sudo firewall-cmd --permanent --add-port=8200/tcp
    # sudo firewall-cmd --permanent --add-port=8201/tcp
    # sudo firewall-cmd --reload
  2. Install open-vm-tools together with the unzip and opensc packages:

    # sudo yum install open-vm-tools unzip opensc

Create Vault user and group

  1. Create the Vault group:

    # sudo groupadd --system vault
  2. Create the Vault user:

    # sudo useradd --system --shell /sbin/nologin --gid vault vault
  3. Add the Vault user to the nShield nfast group:

    # sudo usermod --append --groups nfast vault

Install Vault

  1. Download the Vault package from HashiCorp at https://releases.hashicorp.com/vault/, ensuring that it is the binary file for Enterprise with HSM support:

    # cd Downloads
    
    # wget https://releases.hashicorp.com/vault/1.15.0+ent.hsm/vault_1.15.0+ent.hsm_linux_amd64.zip
    --2023-10-16 16:28:25--  https://releases.hashicorp.com/vault/1.15.0+ent.hsm/vault_1.15.0+ent.hsm_linux_amd64.zip
    Resolving releases.hashicorp.com (releases.hashicorp.com)... 18.160.181.25, 18.160.181.50, 18.160.181.55, ...
    Connecting to releases.hashicorp.com (releases.hashicorp.com)|18.160.181.25|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 132555901 (126M) [application/zip]
    Saving to: ‘vault_1.15.0+ent.hsm_linux_amd64.zip’
    
    vault_1.15.0+ent.hsm_linux 100%[======================================>] 126.42M  10.1MB/s    in 12s
    
    2023-10-16 16:28:38 (10.6 MB/s) - ‘vault_1.15.0+ent.hsm_linux_amd64.zip’ saved [132555901/132555901]
  2. Unzip the binary file and extract it to the working directory on the host machine, for example /usr/local/bin. There should only be a single binary file named vault.

    # unzip vault_1.15.0+ent.hsm_linux_amd64.zip -d /usr/local/bin
    Archive:  vault_1.15.0+ent.hsm_linux_amd64.zip
    replace /usr/local/bin/TermsOfEvaluation.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: /usr/local/bin/TermsOfEvaluation.txt
    replace /usr/local/bin/vault? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: /usr/local/bin/vault
    replace /usr/local/bin/EULA.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: /usr/local/bin/EULA.txt
  3. Set Vault permissions:

    # sudo chmod 755 /usr/local/bin/vault
    # sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
    # ls -la /usr/local/bin/vault
    -rwxr-xr-x. 1 root root 397524552 Sep 22 17:22 /usr/local/bin/vault
  4. Add the Vault binary file to the path:

    # sudo vi /etc/profile.d/vault.sh

    Add the following information to vault.sh and save it:

    # HashiCorp Vault Enterprise path variable
    export PATH="$PATH:/usr/local/bin"
    export VAULT_ADDR=http://127.0.0.1:8200
  5. Create the Vault data directories:

    # sudo mkdir --parents /opt/vault/data
    # sudo mkdir --parents /opt/vault/logs
    # sudo chmod --recursive 750 /opt/vault
    # sudo chown --recursive vault:vault /opt/vault
  6. Reboot the server.

    # reboot
  7. Confirm that the binary file is available:

    # vault version
    Vault v1.15.0+ent.hsm (d3729711f875a9dedea802079cd7f0e4b1d6e8d5), built 2023-09-22T21:04:53Z (cgo)
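The following script checks the state that the steps above should have produced: the firewall ports, the vault user's membership of the nfast group, the binary's mode and cap_ipc_lock capability, and the ownership and mode of the data directories. It is an added example, not part of the Entrust or HashiCorp documentation. It assumes GNU coreutils stat(1); getcap(8) and firewall-cmd(1) are optional and a check is reported as SKIP when its tool is absent. The paths and names default to the values used in this guide and can be overridden through the environment.

```shell
#!/bin/sh
# Post-install checks for the Vault binary, user/group and data directories.
# Added example, not part of the Entrust/HashiCorp guide. Assumes GNU stat(1);
# getcap(8) and firewall-cmd(1) are optional (SKIP when absent).
# Defaults match this guide; override via VAULT_BIN, VAULT_DIR, VAULT_USER,
# VAULT_GROUP and HSM_GROUP in the environment.

VAULT_BIN="${VAULT_BIN:-/usr/local/bin/vault}"
VAULT_DIR="${VAULT_DIR:-/opt/vault}"
VAULT_USER="${VAULT_USER:-vault}"
VAULT_GROUP="${VAULT_GROUP:-vault}"
HSM_GROUP="${HSM_GROUP:-nfast}"

# check_mode PATH OCTAL: 0 if the permission bits equal OCTAL (e.g. 755)
check_mode() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# check_owner PATH USER GROUP: 0 if PATH is owned by USER:GROUP
check_owner() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# no_world_access PATH: 0 if the "other" permission digit is 0
no_world_access() {
    mode="$(stat -c '%a' "$1" 2>/dev/null)" || return 1
    [ "${mode#"${mode%?}"}" = "0" ]
}

# user_in_group USER GROUP: 0 if USER is a member of GROUP
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# check_ipc_lock PATH: 0 if cap_ipc_lock is permitted+effective (as set by
# "setcap cap_ipc_lock=+ep"), 1 if not, 2 if getcap is unavailable
check_ipc_lock() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" 2>/dev/null | grep -Eq 'cap_ipc_lock[+=]ep'
}

# port_open PORT/PROTO: 0 if firewalld lists it in the active zone, 2 if no firewalld
port_open() {
    command -v firewall-cmd >/dev/null 2>&1 || return 2
    firewall-cmd --list-ports 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# run_check DESCRIPTION COMMAND [ARGS...]: prints PASS/FAIL/SKIP and counts failures
failures=0
run_check() {
    desc="$1"; shift
    if "$@"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "PASS: $desc" ;;
        2) echo "SKIP: $desc (tool not available)" ;;
        *) echo "FAIL: $desc"; failures=$((failures + 1)) ;;
    esac
}

run_check "firewall allows 8200/tcp (API)"                port_open 8200/tcp
run_check "firewall allows 8201/tcp (cluster)"            port_open 8201/tcp
run_check "$VAULT_USER is a member of $HSM_GROUP"         user_in_group "$VAULT_USER" "$HSM_GROUP"
run_check "$VAULT_BIN mode is 755"                        check_mode "$VAULT_BIN" 755
run_check "$VAULT_BIN carries cap_ipc_lock=ep"            check_ipc_lock "$VAULT_BIN"
run_check "$VAULT_DIR owned by $VAULT_USER:$VAULT_GROUP"  check_owner "$VAULT_DIR" "$VAULT_USER" "$VAULT_GROUP"
run_check "$VAULT_DIR mode is 750"                        check_mode "$VAULT_DIR" 750
run_check "$VAULT_DIR/data is not world-accessible"       no_world_access "$VAULT_DIR/data"
echo "$failures check(s) failed"
```

Run it after step 7; a FAIL on the cap_ipc_lock line usually means the binary was replaced after setcap was run (re-extracting the zip drops the capability), and a FAIL on the nfast group line means the PKCS#11 library will not be able to reach the hardserver when Vault starts as the vault user.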

Install the Vault license

  1. Open a new terminal and create a directory for the Vault license and configuration files:

    # sudo mkdir /etc/vault
  2. Three options are given in the Install a HashiCorp Enterprise License page of the online documentation for enabling an enterprise license, as well as a procedure to request a trial license. For this guide, create a file containing the enterprise license key:

    # cat /etc/vault/license.hclic
    02MV4UU43B...

Create a configuration file

Set up a /etc/vault/config.hcl configuration file to enable Vault to be run as a service. See also Vault commands.

An example configuration file for using Vault with OCS protection is shown below. The pin is the passphrase entered when the OCS was created.

# PKCS#11 Seal, Entrust nShield Integration
seal "pkcs11" {
  lib = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
  slot = "761406615"
  pin = "ncipher"
  key_label = "vault_v1_ocs"
  hmac_key_label = "vault_hmac_v1_ocs"
  # Vault instructs the HSM to generate these keys if they do not already exist
  generate_key = true
}

# Vault listener with TLS disabled
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = true
}

# Storage
storage "file" {
  path = "/opt/vault/data/hsm"
}

ui = true

# License file
license_path = "/etc/vault/license.hclic"

disable_mlock = true
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"

# Managed Key Library
kms_library "pkcs11" {
  name = "hsm1" # This can be renamed to anything you like
  library = "/opt/nfast/toolkits/pkcs11/libcknfast.so" # PKCS#11 library location
}

In this example:

  • The slot and pin parameters will change according to the protection selected. See section create-vault-encryption-keys.adoc#find-slot-value.

  • The entropy seal mode is set to augmentation. This leverages the HSM for augmenting system entropy via the PKCS#11 protocol.

  • The seal wrap is enabled. By enabling seal wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.

  • Notice the path to the license file.
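Because config.hcl holds the OCS passphrase (pin) and decides whether the listener is encrypted, it is worth checking before the service is enabled. The script below is an added example, not part of the Entrust or HashiCorp documentation: it reads the flat "key = value" lines of the file with sed (enough for the layout shown above, not a general HCL parser), flags a pin stored in a world-readable file, a listener with TLS disabled, disable_mlock, and missing license or PKCS#11 library paths. It assumes GNU coreutils stat(1); the VAULT_HSM_PIN environment variable it mentions is the documented alternative to putting pin in the file.

```shell
#!/bin/sh
# Lint for the /etc/vault/config.hcl layout shown above. Added example, not
# part of the Entrust/HashiCorp guide. Uses sed on flat "key = value" lines
# rather than a real HCL parser. Assumes GNU coreutils stat(1).

# setting FILE KEY: prints the value of the first "KEY = value" line, with
# surrounding quotes and any trailing comment removed; prints nothing if absent
setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

findings=0
# finding MESSAGE: prints one WARN line and counts it
finding() {
    findings=$((findings + 1))
    echo "WARN: $1"
}

# lint_config FILE: prints one WARN line per issue; returns 0 only when clean
lint_config() {
    cfg="$1"
    findings=0
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 1; }

    # The pin is the OCS passphrase, so the file holding it must not be
    # readable by others (Vault can also read it from VAULT_HSM_PIN).
    if [ -n "$(setting "$cfg" pin)" ]; then
        finding "pin is stored in $cfg; restrict the file to the vault user"
        case "$(stat -c '%a' "$cfg" 2>/dev/null)" in
            ??0|???0) ;;
            *) finding "$cfg is readable by others, which exposes the OCS pin" ;;
        esac
    fi

    if [ "$(setting "$cfg" tls_disable)" = "true" ]; then
        addr="$(setting "$cfg" address)"
        case "$addr" in
            127.0.0.1:*|localhost:*)
                finding "TLS disabled on loopback listener $addr (lab use only)" ;;
            *)
                finding "TLS disabled on listener $addr, which is reachable from the network: tokens and secrets cross the wire in clear text" ;;
        esac
    fi

    if [ "$(setting "$cfg" disable_mlock)" = "true" ]; then
        finding "disable_mlock = true: Vault will not lock memory, so unsealed key material may be written to swap"
    fi

    lic="$(setting "$cfg" license_path)"
    if [ -n "$lic" ] && [ ! -s "$lic" ]; then
        finding "license_path $lic is missing or empty"
    fi

    lib="$(setting "$cfg" lib)"
    if [ -n "$lib" ] && [ ! -f "$lib" ]; then
        finding "PKCS#11 library $lib not found; is the nShield client software installed?"
    fi

    [ "$findings" -eq 0 ]
}

lint_config "${1:-/etc/vault/config.hcl}" && echo "no findings"
```

Run as `sh lint-config.sh /etc/vault/config.hcl`. Against the example configuration above it reports the pin in the file, the unencrypted listener on 0.0.0.0:8200 and disable_mlock; the first two are the findings to resolve before the firewall ports opened earlier are reachable by anything other than a lab client.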

Create and configure Vault directories

  1. Create a vault file in sysconfig:

    # sudo touch /etc/sysconfig/vault
  2. Create a service file:

    # vi /etc/systemd/system/vault.service
  3. Add the following information to the file:

    If deploying on a server with more than two CPUs, you may increase the value of Environment=GOMAXPROCS accordingly.

    [Unit]
    Description="HashiCorp Vault"
    Requires=network-online.target
    After=network-online.target nc_hardserver.service
    ConditionFileNotEmpty=/etc/vault/config.hcl
    [Service]
    User=vault
    Group=vault
    EnvironmentFile=/etc/sysconfig/vault
    ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
    StandardOutput=file:/opt/vault/logs/output.log
    StandardError=file:/opt/vault/logs/error.log
    ExecReload=/bin/kill --signal HUP $MAINPID
    KillMode=process
    Restart=on-failure
    RestartSec=5
    TimeoutStopSec=30
    StartLimitInterval=60
    StartLimitBurst=3
    AmbientCapabilities=CAP_IPC_LOCK
    LimitNOFILE=65536
    LimitMEMLOCK=infinity
    [Install]
    WantedBy=multi-user.target
  4. If you are using paths different from the defaults, you must also edit the following lines in the service file:

    ConditionFileNotEmpty=/etc/vault/config.hcl
    EnvironmentFile=-/etc/sysconfig/vault
    ExecStart=/opt/vault/bin/vault server -config=/etc/vault/config.hcl
    StandardOutput=file:/opt/vault/logs/output.log
    StandardError=file:/opt/vault/logs/error.log

Enable Vault

  1. Set the following environment variable to allow Vault to be accessed from a web browser via the web user interface (web UI). Append the following line to the /etc/profile.d/vault.sh file created above, and restart the system:

    export VAULT_ADDR=http://127.0.0.1:8200
  2. Enable Vault:

    # systemctl enable vault.service