Using Fortanix Confidential Computing Manager to Build and Run Hashicorp Enterprise Vault

Introduction

This article describes how to use Fortanix Confidential Computing Manager (CCM) to convert the Hashicorp Enterprise Vault container image into an enclave image, whitelist it, and run it on a registered compute node.

Steps

Fetch a Bearer Token

Using the credentials of the CCM user you signed up with, fetch a bearer token. Every later request carries this token in its Authorization header, so treat it like a password for as long as it is valid.

BEARER_TOKEN=$(curl -s -u "$username:$password" -X POST https://em.fortanix.com/v1/sys/auth | jq -r .access_token)

Get All Accounts

With the bearer token in hand, select the account to work in. First list all accounts you are a member of and note the account_id of the one you want:

curl -H 'Authorization: Bearer <Bearer Token>' -X GET https://em.fortanix.com/v1/accounts

Select the Account

Note the account_id of the account you want to select.

curl -H 'Authorization: Bearer <Bearer Token>' -X POST https://em.fortanix.com/v1/accounts/select_account/<account-id>

Create an Application

Create the Enterprise Vault application in CCM from the app.json configuration shown below.

Create Application

Create an application using the following command:

curl -s -H 'Content-Type: application/json' -d @app.json -H "Authorization: Bearer <Bearer token>" -X POST https://em.fortanix.com/v1/apps

Create App.json Config file

Create the app.json config file that contains the application details:

{
  "name": "enterprise-vault-ccm",
  "description": "This is enterprise vault test",
  "input_image_name": "hashicorp/vault-enterprise",
  "output_image_name": "/enterprise-vault-converted",
  "isvprodid": 1,
  "isvsvn": 1,
  "mem_size": 2048,
  "threads": 16,
  "advanced_settings": {
    "rw_dirs": ["/etc", "/var/lib/_mysql", "/var/lib/mysql", "/tmp", "/run/mysqld"]
  }
}

input_image_name is the registry image to convert and output_image_name the name the converted image is pushed under. isvprodid and isvsvn are the SGX product ID and security version number that become part of the enclave's identity, so raise isvsvn whenever you rebuild with a fix. rw_dirs lists the directories the enclave may write to at run time; the MySQL entries above are not used by Vault and can be dropped, and in general the list should be kept to what the application actually writes to.

Create an Image

Create an image of the application:

curl -s -H 'Content-Type: application/json' -d @build.json -H "Authorization: Bearer <Bearer token>" -X POST https://em.fortanix.com/v1/builds/convert-app

The build.json is as below. app_id is the id CCM returned when the application was created, docker_version is the tag of the input image to convert, and inputAuthConfig and outputAuthConfig hold the registry credentials for pulling the input image and pushing the converted image. The tag and the credentials are JSON strings, so keep the quotes:

{
  "app_id": "<app_id>",
  "docker_version": "<tag>",
  "inputAuthConfig": {
    "username": "<username>",
    "password": "<password>"
  },
  "outputAuthConfig": {
    "username": "<username>",
    "password": "<password>"
  }
}

Because this file carries registry credentials, keep it out of version control and delete it once the build has been submitted.

Fetch all the Image Whitelisting Tasks

curl -s -H "Authorization: Bearer <Bearer token>" -X GET 'https://em.fortanix.com/v1/tasks?task_type=BUILD_WHITELIST' > all_build_tasks.json

All image whitelist tasks are stored in the all_build_tasks.json file. Find the task raised for the build you just submitted and note its task ID; that is the only task to approve in the next step, because approving a whitelist task is what allows that image to run on your registered nodes.

Approve the Image Whitelist Task

curl -s -H 'Content-Type: application/json' -d '{"status":"APPROVED"}' -H "Authorization: Bearer <Bearer token>" -X PATCH https://em.fortanix.com/v1/tasks/<task_id>
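
The steps above (token, account selection, app creation, conversion and whitelist approval) as one POSIX shell script, with failure checks. This is an added example, not Fortanix tooling; it calls only the endpoints shown in this article. It assumes, without confirmation from the article, that the create-app response names the new id app_id, that task objects carry task_id and status, that a task awaiting approval has status PENDING, and that ids are JSON strings; check those against the responses you receive. The helper and variable names (json_str, ccm_http, pending_whitelist_task_ids, ACCOUNT_ID, IMAGE_TAG, REGISTRY_USER, REGISTRY_PASSWORD) are the example's own.

```sh
#!/bin/sh
# ccm-build.sh: the CCM steps above (token, account, app, build, whitelist)
# as one scripted flow with failure checks. Added example, not a Fortanix tool;
# only the endpoints shown in this article are called.
# ASSUMED, not confirmed by the article: the create-app response names the new
# id "app_id", task objects carry "task_id" and "status", a task awaiting
# approval has status "PENDING", and ids are JSON strings.
set -eu

CCM_URL="${CCM_URL:-https://em.fortanix.com/v1}"
PENDING_STATUS="${PENDING_STATUS:-PENDING}"   # assumed value, see above

# Value of the first occurrence of a flat string key in the JSON on stdin.
# Plain sed, so the build host does not need jq.
json_str() { # $1 key
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Every authenticated call goes through here: one place for the token, and
# --fail turns HTTP 4xx/5xx into a non-zero exit so set -e stops the run.
# With --body the JSON body is read from stdin, which keeps registry
# passwords out of argv (and out of `ps` on a shared build host).
ccm_http() { # $1 method, $2 path, $3 "--body" to send stdin as JSON
  if [ "${3:-}" = "--body" ]; then
    curl -sS --fail -X "$1" "$CCM_URL$2" \
      -H "Authorization: Bearer $BEARER_TOKEN" \
      -H 'Content-Type: application/json' -d @-
  else
    curl -sS --fail -X "$1" "$CCM_URL$2" \
      -H "Authorization: Bearer $BEARER_TOKEN"
  fi
}

# task_id of every BUILD_WHITELIST task still awaiting approval, one per line.
# Input: the JSON from GET /v1/tasks?task_type=BUILD_WHITELIST. Each (flat)
# task object is put on its own line, then filtered with grep.
pending_whitelist_task_ids() {
  tr -d '\n' | tr '}' '\n' |
    grep '"task_type"[[:space:]]*:[[:space:]]*"BUILD_WHITELIST"' |
    grep "\"status\"[[:space:]]*:[[:space:]]*\"$PENDING_STATUS\"" |
    while IFS= read -r obj; do printf '%s\n' "$obj" | json_str task_id; done
}

main() {
  : "${CCM_USERNAME:?}" "${CCM_PASSWORD:?}" "${ACCOUNT_ID:?}" \
    "${IMAGE_TAG:?}" "${REGISTRY_USER:?}" "${REGISTRY_PASSWORD:?}"

  # 1. Bearer token. The credentials reach curl through a config read from
  #    stdin (-K -) rather than through -u on the command line.
  BEARER_TOKEN=$(printf 'user = "%s:%s"\n' "$CCM_USERNAME" "$CCM_PASSWORD" |
    curl -sS --fail -K - -X POST "$CCM_URL/sys/auth" | json_str access_token)
  [ -n "$BEARER_TOKEN" ] || { echo "no access_token in auth response" >&2; exit 1; }

  # 2. Scope the session to the account chosen from GET /v1/accounts.
  ccm_http POST "/accounts/select_account/$ACCOUNT_ID" >/dev/null

  # 3. Create the application from app.json and keep its id for the build.
  APP_ID=$(ccm_http POST /apps --body <app.json | json_str app_id)
  [ -n "$APP_ID" ] || { echo "no app_id in create-app response" >&2; exit 1; }

  # 4. Start the conversion. The build request is generated from APP_ID so the
  #    two cannot drift apart (credentials must not contain " or \ here).
  printf '{"app_id":"%s","docker_version":"%s","inputAuthConfig":{"username":"%s","password":"%s"},"outputAuthConfig":{"username":"%s","password":"%s"}}' \
    "$APP_ID" "$IMAGE_TAG" "$REGISTRY_USER" "$REGISTRY_PASSWORD" \
    "$REGISTRY_USER" "$REGISTRY_PASSWORD" |
    ccm_http POST /builds/convert-app --body >/dev/null

  # 5. Approve the whitelist task only when exactly one is pending. With more
  #    than one, choose by hand: approving a task for a build you did not start
  #    whitelists an image nobody on your side has reviewed.
  ids=$(ccm_http GET '/tasks?task_type=BUILD_WHITELIST' | pending_whitelist_task_ids)
  [ -n "$ids" ] || { echo "no pending BUILD_WHITELIST task found (or the query failed); retry shortly" >&2; exit 1; }
  if [ "$(printf '%s\n' "$ids" | wc -l | tr -d ' ')" -ne 1 ]; then
    printf 'several pending whitelist tasks, approve the right one by hand:\n%s\n' "$ids" >&2
    exit 1
  fi
  printf '{"status":"APPROVED"}' | ccm_http PATCH "/tasks/$ids" --body >/dev/null
  echo "app $APP_ID: whitelist task $ids approved"
}

# Functions only by default; CCM_RUN=1 executes the flow end to end.
if [ "${CCM_RUN:-0}" = 1 ]; then main; fi
```

Run it as CCM_RUN=1 ./ccm-build.sh with the variables set; without CCM_RUN it only defines the functions, so it can be sourced and the helpers reused. The script deliberately refuses to approve when more than one whitelist task is pending: the approval is what lets a converted image run on your registered nodes, so it should be tied to the build you just started, not to whichever task happens to be first in the list.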

Once the task is approved, the image is converted and whitelisted.
Next, run the following command on a machine where the node agent is running to start the application.

Run the Application

docker run -d -it \
  --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx \
  -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
  -e 'VAULT_API_ADDR=http://<URL-VAULT>' \
  -e 'VAULT_LOCAL_CONFIG={"listener": {"tcp": {"address": "<URL-VAULT-SERVER>", "cluster_address": "<URL-VAULT-SERVER>", "tls_disable": true}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "disable_mlock": true}' \
  -e ENCLAVEOS_LOG_LEVEL=debug \
  -e SKIP_SETCAP=1 -e SKIP_CHOWN=1 \
  -e NODE_AGENT_BASE_URL=http://<node-agent-ip>:9092/v1/ \
  --network=host <converted-image>

Where,

  • <URL-VAULT>: the address clients use to reach this Vault (VAULT_API_ADDR).
  • <URL-VAULT-SERVER>: the host:port the tcp listener binds to, for example 0.0.0.0:8200; with --network=host this is a port on the node itself. cluster_address is a second listener, so give it a different port from address rather than the same value.
  • <node-agent-ip>: the IP address of the compute node registered on Fortanix CCM.
  • 9092: the port on which the Node Agent listens.
  • <converted-image>: the converted image, listed in the Images tab under the Image Name column of the Images table.
  • SKIP_SETCAP: skips the setcap call in the image's entrypoint. Vault uses it to gain the capability for mlock, so that pages holding secrets cannot be swapped to disk, where an attacker can read them more easily than from memory. It is skipped here for several reasons: setcap is unlikely to work under Enclave OS, mlock is redundant for an enclave application (all enclave memory is encrypted, even when paged out of the EPC), and the extra forks are slow on SGX.
  • SKIP_CHOWN: skips the entrypoint's chown of the Vault config and data directories, which is not needed (and may not be permitted) inside the converted image.
  • Because mlock is not used, set "disable_mlock": true in VAULT_LOCAL_CONFIG and do not pass --cap-add=IPC_LOCK.
  • "tls_disable": true together with the http:// addresses makes this a test-bench configuration: the root token and every secret would cross the network in clear text. For anything beyond a smoke test, give the listener tls_cert_file and tls_key_file and use https:// in VAULT_API_ADDR.
NOTE
Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.

Once the Enterprise vault server is running, you can do the following sample operations on the vault server URL to see that the vault is running as expected.

Obtain the ROOT-TOKEN. docker run -d prints only the container ID; if you did not override the image's default command, Vault starts in dev mode and prints the root token in its startup log, so read it with docker logs <Container-ID> and look for the "Root Token:" line. A dev-mode server is unsealed automatically and keeps everything in memory, which is fine for checking that the enclave build works and for nothing else.

  1. Load the license. The sys/license write endpoint applies to the Vault Enterprise versions this article was written against; from Vault Enterprise 1.11 the license is autoloaded from VAULT_LICENSE or VAULT_LICENSE_PATH instead and this write is no longer available.
    curl --header "X-Vault-Token: <ROOT-TOKEN>" --request PUT --data '{"text": "<LICENCE-TEXT>"}' http://<VAULT-URL>/v1/sys/license
  2. Verify that the license was accepted.
    curl --header "X-Vault-Token: <ROOT-TOKEN>" http://<VAULT-URL>/v1/sys/license
  3. List the auth plugins that are available.
    curl --request LIST --header "X-Vault-Token: <ROOT-TOKEN>" http://<VAULT-URL>/v1/sys/plugins/catalog/auth
  4. Enable an auth method (userpass here). Get the container ID of the running Vault application and open a shell in it with the address and token passed as environment variables:
    sudo docker exec -it -e VAULT_ADDR=http://<VAULT-URL> -e VAULT_TOKEN=<ROOT-TOKEN> <Container-ID> sh
  5. Inside the container, enable userpass, create a user and log in as that user. The user and password below are throwaway test values; policies=admins only grants anything once a policy named admins has been written, otherwise the user's tokens carry the default policy alone.
    vault auth enable userpass
    vault write auth/userpass/users/mitchellh password=foo policies=admins
    vault login -method=userpass username=mitchellh
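
The post-launch checks above (root token from the container log, license, auth catalog, userpass) as one POSIX shell script. This is an added example, not HashiCorp's or Fortanix's code. It assumes the container runs the image's default dev-mode command, so that the log carries a "Root Token:" line, and that the vault CLI is available inside the container as in step 4; the helper and variable names (check_vault_scheme, root_token_from_logs, vault_api, vault_cli, CONTAINER_ID, TEST_USER, TEST_USER_PASSWORD, VAULT_LICENSE_TEXT, VAULT_ALLOW_PLAINTEXT) are the example's own.

```sh
#!/bin/sh
# vault-smoke.sh: the post-launch checks above (root token, license, auth
# catalog, userpass) as one script. Added example, not HashiCorp's or
# Fortanix's code. Assumes the container runs the image's default dev-mode
# command, so its log carries a "Root Token: <value>" line.
set -eu

VAULT_ADDR="${VAULT_ADDR:-}"
CONTAINER_ID="${CONTAINER_ID:-}"

# Returns 0 when it is acceptable to send a token to this address: https
# always, plain http only with VAULT_ALLOW_PLAINTEXT=1. The tls_disable
# listener in this article is a test-bench setting; a root token sent over
# http is readable by anyone on the path.
check_vault_scheme() { # $1 address
  case "$1" in
    https://*) return 0 ;;
    http://*)  if [ "${VAULT_ALLOW_PLAINTEXT:-0}" = 1 ]; then return 0; fi; return 1 ;;
    *)         return 1 ;;
  esac
}

# The dev-mode root token from `docker logs` output on stdin: prints it once,
# or nothing when no "Root Token:" line is present.
root_token_from_logs() {
  sed -n 's/^[[:space:]]*Root Token:[[:space:]]*//p' | head -n 1
}

# API calls carry the token from the environment, never from argv, and fail
# loudly on HTTP errors. With --body the JSON body is read from stdin.
vault_api() { # $1 method, $2 path under /v1, $3 "--body"
  if [ "${3:-}" = "--body" ]; then
    curl -sS --fail -X "$1" "$VAULT_ADDR/v1$2" -H "X-Vault-Token: $VAULT_TOKEN" \
      -H 'Content-Type: application/json' -d @-
  else
    curl -sS --fail -X "$1" "$VAULT_ADDR/v1$2" -H "X-Vault-Token: $VAULT_TOKEN"
  fi
}

# vault CLI inside the running container (as in step 4 above). -e VAR with no
# value copies the variable from this shell's environment into the container.
vault_cli() { docker exec -i -e VAULT_ADDR -e VAULT_TOKEN "$CONTAINER_ID" vault "$@"; }

main() {
  : "${VAULT_ADDR:?}" "${CONTAINER_ID:?}" "${TEST_USER:?}" "${TEST_USER_PASSWORD:?}"
  check_vault_scheme "$VAULT_ADDR" || {
    echo "refusing to send a root token to $VAULT_ADDR over plain http" >&2
    echo "(set VAULT_ALLOW_PLAINTEXT=1 on a throwaway test bench)" >&2; exit 1; }

  # 1. Root token: docker run -d printed only the container id; the token is
  #    in the container log.
  VAULT_TOKEN=$(docker logs "$CONTAINER_ID" 2>&1 | root_token_from_logs)
  [ -n "$VAULT_TOKEN" ] || { echo "no 'Root Token:' line in the container log" >&2; exit 1; }
  export VAULT_ADDR VAULT_TOKEN

  # 2. License. The sys/license write exists on the Vault Enterprise versions
  #    this article targets; from 1.11 the license is autoloaded from
  #    VAULT_LICENSE / VAULT_LICENSE_PATH and this PUT is gone, so it is
  #    optional here and the GET afterwards is the real check.
  if [ -n "${VAULT_LICENSE_TEXT:-}" ]; then
    printf '{"text":"%s"}' "$VAULT_LICENSE_TEXT" | vault_api PUT /sys/license --body >/dev/null
  fi
  vault_api GET /sys/license; echo
  vault_api LIST /sys/plugins/catalog/auth; echo

  # 3. userpass: enable it, create the user with the password read from stdin
  #    (password=- keeps it out of argv and the shell history), then log in.
  vault_cli auth enable userpass
  printf '%s' "$TEST_USER_PASSWORD" |
    vault_cli write "auth/userpass/users/$TEST_USER" password=- policies=admins
  printf '%s' "$TEST_USER_PASSWORD" |
    vault_cli login -method=userpass "username=$TEST_USER" password=-
}

if [ "${VAULT_RUN:-0}" = 1 ]; then main; fi
```

Run it as VAULT_RUN=1 ./vault-smoke.sh with VAULT_ADDR, CONTAINER_ID, TEST_USER and TEST_USER_PASSWORD set. Against the http:// listener from this article it stops before sending anything unless VAULT_ALLOW_PLAINTEXT=1 is also set, which is the point: the root token should only ever leave the host over TLS, and the script makes the exception explicit instead of silent.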