Merge pull request #2731 from wwy-hust/master

[Translated] 20150506 How to Securely Store Passwords and Api Keys Using Vault.md
2025-03-03 01:10:13 +08:00 · 2015-05-09 13:05:32 +08:00 · 2015-05-09 13:05:32 +08:00 · 564cec9a05
commit 564cec9a05
parent 21680e660d 6f1fd088d9
2 changed files with 161 additions and 170 deletions
--- a/sources/tech/20150506
+++ b/sources/tech/20150506
@ -1,170 +0,0 @@
 Translating by wwy-hust
 How to Securely Store Passwords and Api Keys Using Vault
 ================================================================================
 Vault is a tool that is used to access secret information securely, it may be password, API key, certificate or anything else. Vault provides a unified interface to secret information through strong access control mechanism and extensive logging of events.
 Granting access to critical information is quite a difficult problem when we have multiple roles and individuals across different roles requiring various critical information like, login details to databases with different privileges, API keys for external services, credentials for service oriented architecture communication etc. Situation gets even worse when access to secret information is managed across different platforms with custom settings, so rolling, secure storage and managing the audit logs is almost impossible. But Vault provides a solution to such a complex situation.
 ### Salient Features ###
 Data Encryption: Vault can encrypt and decrypt data with no requirement to store it. Developers can now store encrypted data without developing their own encryption techniques and it allows security teams to define security parameters.
 **Secure Secret Storage**: Vault encrypts the secret information (API keys, passwords or certificates) before storing it on to the persistent (secondary) storage. So even if somebody gets access to the stored information by chance, it will be of no use until it is decrypted.
 **Dynamic Secrets**: On demand secrets are generated for systems like AWS and SQL databases. If an application needs to access S3 bucket, for instance, it requests AWS keypair from Vault, which grants the required secret information along with a lease time. The secret information won’t work once the lease time is expired.
 **Leasing and Renewal**: Vault grants secrets with a lease limit, it revokes the secrets as soon as lease expires which can further be renewed through APIs if required.
 **Revocation**: Upon expiring the lease period Vault can revoke a single secret or a tree of secrets.
 ### Installing Vault ###
 There are two ways to use Vault.
 **1. Pre-compiled Vault Binary** can be downloaded for all Linux flavors from the following source, once done, unzip it and place it on a system PATH where other binaries are kept so that it can be accessed/invoked easily.
 - [Download Precompiled Vault Binary (32-bit)][1]
 - [Download Precompiled Vault Binary (64-bit)][2]
 - [Download Precompiled Vault Binary (ARM)][3]
 Download the desired precompiled Vault binary.
 ![wget binary](http://blog.linoxide.com/wp-content/uploads/2015/04/wget-binary.png)
 Unzip the downloaded binary.
 ![vault](http://blog.linoxide.com/wp-content/uploads/2015/04/unzip.png)
 unzipCongratulations! Vault is ready to be used.
 ![](http://blog.linoxide.com/wp-content/uploads/2015/04/vault.png)
 **2. Compiling from source** is another way of installing Vault on the system. GO and GIT are required to be installed and configured properly on the system before we start the installation process.
 To **install GO on Redhat systems** use the following command.
    sudo yum install go
 To **install GO on Debian systems** use the following commands.
    sudo apt-get install golang
 OR
    sudo add-apt-repository ppa:gophers/go
    sudo apt-get update
    sudo apt-get install golang-stable
 To **install GIT on Redhat systems** use the following command.
    sudo yum install git
 To **install GIT on Debian systems** use the following commands.
    sudo apt-get install git
 Once both GO and GIT are installed we start the Vault installation process by compiling from the source.
 > Clone following Vault repository into the GOPATH
    https://github.com/hashicorp/vault
 > Verify if the following clone file exist, if it doesn’t then Vault wasn’t cloned to the proper path.
    $GOPATH/src/github.com/hashicorp/vault/main.go
 > Run following command to build Vault in the current system and put binary in the bin directory.
    make dev
 ![path](http://blog.linoxide.com/wp-content/uploads/2015/04/installation4.png)
 ### An introductory tutorial of Vault ###
 We have compiled Vault’s official interactive tutorial along with its output on SSH.
 **Overview**
 This tutorial will cover the following steps:
 - Initializing and unsealing your Vault
 - Authorizing your requests to Vault
 - Reading and writing secrets
 - Sealing your Vault
 **Initialize your Vault**
 To get started, we need to initialize an instance of Vault for you to work with.
 While initializing, you can configure the seal behavior of Vault.
 Initialize Vault now, with 1 unseal key for simplicity, using the command:
    vault init -key-shares=1 -key-threshold=1
 You'll notice Vault prints out several keys here. Don't clear your terminal, as these are needed in the next few steps.
 ![Initializing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Initializing-SSH.png)
 **Unsealing your Vault**
 When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it.
 Vault encrypts data with an encryption key. This key is encrypted with the "master key", which isn't stored. Decrypting the master key requires a threshold of shards. In this example, we use one shard to decrypt this master key.
    vault unseal <key 1>
 ![Unsealing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Unsealing-SSH.png)
 **Authorize your requests**
 Before performing any operation with Vault, the connecting client must be authenticated. Authentication is the process of verifying a person or machine is who they say they are and assigning an identity to them. This identity is then used when making requests with Vault.
 For simplicity, we'll use the root token we generated on init in Step 2. This output should be available in the scrollback.
 Authorize with a client token:
    vault auth <root token>
 ![Authorize SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Authorize-SSH.png)
 **Read and write secrets**
 Now that Vault has been set-up, we can start reading and writing secrets with the default mounted secret backend. Secrets written to Vault are encrypted and then written to the backend storage. The backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault.
    vault write secret/hello value=world
 Of course, you can then read this data too:
    vault read secret/hello
 ![RW_SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/RW_SSH.png)
 **Seal your Vault**
 There is also an API to seal the Vault. This will throw away the encryption key and require another unseal process to restore it. Sealing only requires a single operator with root privileges. This is typically part of a rare "break glass procedure".
 This way, if there is a detected intrusion, the Vault data can be locked quickly to try to minimize damages. It can't be accessed again without access to the master key shards.
    vault seal
 ![Seal Vault SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Seal-Vault-SSH.png)
 That is the end of introductory tutorial.
 ### Summary ###
 Vault is a very useful application mainly because of providing a reliable and secure way of storing critical information. Furthermore it encrypts the critical information before storing, maintains audit logs, grants secret information for limited lease time and revokes it once lease is expired. It is platform independent and freely available to download and install. To discover more about Vault, readers are encouraged to visit the official website.
 --------------------------------------------------------------------------------
 via: http://linoxide.com/how-tos/secure-secret-store-vault/
 作者：[Aun Raza][a]
 译者：[译者ID](https://github.com/译者ID)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]:http://linoxide.com/author/arunrz/
 [1]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_386.zip
 [2]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_amd64.zip
 [3]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_arm.zip
--- a/translated/tech/20150506
+++ b/translated/tech/20150506
@ -0,0 +1,161 @@
 如何使用Vault安全的存储密码和API密钥
 =======================================================================
 Vault是用来安全的获取秘密信息的工具。他可以保存密码、API密钥、证书等信息。Vault通过强访问控制机制和高扩展性的事件日志提供了一个统一的接口来访问秘密信息。
 对关键信息的授权访问是一个困难的问题，尤其是当有许多用户角色和用户请求不同的关键信息，例如用不同权限登录数据库的细节，对外服务的API密钥，面向服务架构通信的证书等。当保密信息由不同的平台进行管理，并使用一些自定义的配置时，情况变得更糟，因此，安全的存储、管理审计日志几乎是不可能的。但Vault为这种复杂情况提供了一个解决方案。
 ### 突出特点 ###
 数据加密：Vault能够在不存储数据的情况下对数据进行加密、解密。开发者们便可以存储加密后的数据而无需开发自己的加密技术，Vault还允许安全团队自定义安全参数。
 **安全密码存储**：Vault在将秘密信息（API密钥、密码、证书）存储到持久化存储之前对数据进行加密。因此，如果有人偶尔拿到了获取存储的数据的权限，这也没有任何意义，除非加密后的信息被解密。
 **动态密码**：Vault为AWS、SQL数据库类似的系统按需产生密码。如果应用需要获得AWS S3的桶，比如，它向Vault请求AWS密钥对，Vault将授予需要的秘密信息一段租用期时间。一旦租用期过期，这个秘密信息将变得不可用。
 **租赁和更新**：Vault以租用期为限制授予秘密信息，一旦租用期过期，它便立刻收回保密信息，如果应用仍需要保密信息，则可以通过API更新租用期。
 **撤销**：在租用期到期之前，Vault可以撤销一个秘密信息或者一个秘密信息树。
 ### 安装Vault ###
 有两种方式来安装使用Vault。
 **1. 预编译的Vault二进制** 能用于所有的Linux发行版，下载地址如下，一旦下载完成，解压并将它放在系统PATH路径下，以方便调用。
 - [Download Precompiled Vault Binary (32-bit)][1]
 - [Download Precompiled Vault Binary (64-bit)][2]
 - [Download Precompiled Vault Binary (ARM)][3]
 下载相应的预编译的Vault二进制版本。
 ![wget binary](http://blog.linoxide.com/wp-content/uploads/2015/04/wget-binary.png)
 解压下载到本地的二进制版本。
 ![vault](http://blog.linoxide.com/wp-content/uploads/2015/04/unzip.png)
 祝贺！您现在可以使用Vault了。
 ![](http://blog.linoxide.com/wp-content/uploads/2015/04/vault.png)
 **2. 从源代码编译** 是另一种在系统中安装Vault的方式。在安装Vault之前需要安装GO和GIT。
 在 **Redhat系统中安装GO** 使用下面的指令。
    sudo yum install go
 在 **Debin系统中安装GO** 使用下面的指令。
    sudo apt-get install golang
 或者
    sudo add-apt-repository ppa:gophers/go
    sudo apt-get update
    sudo apt-get install golang-stable
 在 **Redhat系统中安装GIT** 使用下面的命令。
    sudo yum install git
 在 **Debian系统中安装GIT** 使用下面的命令。
    sudo apt-get install git
 一旦GO和GIT都已被安装好，我们便可以开始从源码编译安装Vault。
 > 将下列的Vault仓库拷贝至GOPATH
    https://github.com/hashicorp/vault
 > 测试下面的文件是否存在，如果它不存在，那么Vault没有被克隆到合适的路径。
    $GOPATH/src/github.com/hashicorp/vault/main.go
 > 执行下面的指令来编译Vault，并将二进制文件放到系统bin目录下。
    make dev
 ![path](http://blog.linoxide.com/wp-content/uploads/2015/04/installation4.png)
 ### 一份Vault入门教程 ###
 我们已经编译了Vault的官方交互式教程，并将它输出到SSH。
 **概述**
 这份教程包括下列步骤：
 - 初始化，开启您的Vault
 - 在Vault中对您的请求授权
 - 读写秘密信息
 - 密封您的Vault
 **初始化您的Vault**
 首先，我们需要为您初始化一个Vault的工作实例。在初始化过程中，您可以配置Vault的密封行为。简单起见，现在使用一个非密封密钥来初始化Vault。
    vault init -key-shares=1 -key-threshold=1
 您会注意到Vault在这里打印出了许多的密钥。不要清除您的终端，这些密钥在后面的步骤中会使用到。
 ![Initializing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Initializing-SSH.png)
 **开启您的Vault**
 当一个Vault服务器启动时，它是密封的状态。在这种状态下，Vault被配置为知道在哪里和如何存取物理存储，但不知道如何对其进行解密。Vault使用加密密钥来加密数据。这个密钥由"主密钥"加密，主密钥不保存。解密主密钥需要一个碎片的阈值。在这个例子中，我们使用一个碎片来解密这个主密钥。
    vault unseal <key 1>
 ![Unsealing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Unsealing-SSH.png)
 **为您的请求授权**
 在执行任何操作之前，连接的客户端应该被授权。授权的过程是检验一个人或者机器是不是像他们描述的那样，被赋予了身份。这个身份在向Vault发送请求时被使用。为简单起见，我们将使用在步骤2中生成的root令牌。这个输出会以滚动模式出现。使用一个客户端令牌进行授权：
    vault auth <root token>
 ![Authorize SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Authorize-SSH.png)
 **读写保密信息**
 现在Vault已经被设置妥当，我们可以开始使用默认的密码后端读写秘密信息了。写在Vault中的秘密信息首先被加密，然后被写入后端的存储。后端存储机制不会查看未加密的值，并且没有无需Vault即可解密的方法。
    vault write secret/hello value=world
 当然，您接下来便可以读这个保密信息了：
    vault read secret/hello
 ![RW_SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/RW_SSH.png)
 **密封您的Vault**
 有一个API来密封Vault。它将丢掉加密密钥并需要其他未密封的过程来恢复它。密封仅需要一个拥有root权限的操作者。这通常是一种罕见的"打破玻璃过程"的一部分。这种方式中，如果有一个检测到的入侵，Vault数据将会立刻被锁住，以便最小化损失。如果没有获取到主密钥碎片，数据不会被再次获取。
    vault seal
 ![Seal Vault SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Seal-Vault-SSH.png)
 这便是入门教程的结尾。
 ### 总结 ###
 Vault是一个非常有用的应用，它提供了一个可靠且安全的存储关键信息的方式。另外，它在存储前加密关键信息，维护他的审计日志，并以租用期的方式获取秘密信息，且一旦租用期过期，它将立刻收回秘密信息。Vault是平台独立的，并且可以免费下载和安装。要发掘Vault的更多信息，请访问官方网站。
 --------------------------------------------------------------------------------
 via: http://linoxide.com/how-tos/secure-secret-store-vault/
 作者：[Aun Raza][a]
 译者：[wwy-hust](https://github.com/wwy-hust)
 校对：[校对者ID](https://github.com/校对者ID)
 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译，[Linux中国](https://linux.cn/) 荣誉推出
 [a]:http://linoxide.com/author/arunrz/
 [1]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_386.zip
 [2]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_amd64.zip
 [3]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_arm.zip