Step 2: Configure KMIP Secrets Engine

Explains how to set up the KMIP secrets engine.

This guide uses CLI commands but these steps can be accomplished through the Web UI as outlined in HashiCorp’s Vault Deployment Guide.

  1. Create and attach a policy that allows the KMIP secrets engine to be enabled and used. The following permissions are needed to successfully perform all the steps in this guide:
    # Work with kmip secrets engine
    path "kmip/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
    }
    
    # Enable secrets engine
    path "sys/mounts/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
    }
    
    # List enabled secrets engine
    path "sys/mounts" {
      capabilities = [ "read", "list" ]
    }
  2. Write these permissions to a new file called kmip-policy.hcl:
    $ tee kmip-policy.hcl <<EOF
    # Work with kmip secrets engine
    path "kmip/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
    }
    
    # Enable secrets engine
    path "sys/mounts/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
    }
    
    # List enabled secrets engine
    path "sys/mounts" {
      capabilities = [ "read", "list" ]
    }
    EOF
  3. Load this policy into the active configuration:
    $ vault policy write kmip kmip-policy.hcl
    Success! Uploaded policy: kmip
  4. Now that the correct policies are enabled, start to set up the KMIP secrets engine. First enable the engine using the command:
    $ vault secrets enable kmip
  5. Set up the configuration. Find out the machine’s IP address as well as the port that you want to use for KMIP. This guide assumes the port used for the KMIP server is 5696. To configure Vault’s KMIP, run:
    $ vault write kmip/config listen_addrs=<Host's IP Address>:5696
    The KMIP configuration should be similar to the following:
    $ vault read kmip/config
    Key                            Value
    ---                            -----
    default_tls_client_key_bits    256
    default_tls_client_key_type    ec
    default_tls_client_ttl         336h
    listen_addrs                   [0.0.0.0:5696]
    server_hostnames               [localhost]
    server_ips                     [127.0.0.1 ::1]
    tls_ca_key_bits                256
    tls_ca_key_type                ec
    tls_min_version                tls12

    The KMIP secrets engine is now properly configured.
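The same steps driven through Vault's HTTP API instead of the CLI, added here as an example and not part of the guide: it writes the policy, enables the mount only if it is not already there, configures listen_addrs, and then checks the returned config for the expected port and a TLS floor of tls12. It assumes VAULT_ADDR and VAULT_TOKEN are set in the environment; check_kmip_config is an added verification helper, not something Vault provides.

```python
"""Configure Vault's KMIP secrets engine via the HTTP API and verify the result."""
import json
import os
import sys
import urllib.request

# Same permissions the guide writes to kmip-policy.hcl.
KMIP_POLICY = """
path "kmip/*"       { capabilities = ["create", "read", "update", "delete", "list"] }
path "sys/mounts/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "sys/mounts"   { capabilities = ["read", "list"] }
"""


def vault_request(method, path, body=None):
    """Send one authenticated request to Vault's /v1 API and return the parsed JSON."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    headers = {"X-Vault-Token": os.environ["VAULT_TOKEN"], "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def configure_kmip(host_ip, port=5696):
    """Steps 1-5 of the guide; returns the 'data' section of kmip/config."""
    vault_request("PUT", "sys/policies/acl/kmip", {"policy": KMIP_POLICY})
    mounts = vault_request("GET", "sys/mounts")
    if "kmip/" not in (mounts.get("data") or mounts):   # idempotent enable
        vault_request("POST", "sys/mounts/kmip", {"type": "kmip"})
    vault_request("POST", "kmip/config", {"listen_addrs": f"{host_ip}:{port}"})
    return vault_request("GET", "kmip/config")["data"]


def check_kmip_config(cfg, port=5696):
    """Return a list of problems in a kmip/config 'data' dict; empty means it matches the guide."""
    problems = []
    addrs = cfg.get("listen_addrs", [])
    # rsplit handles both 0.0.0.0:5696 and [::1]:5696 forms.
    if not any(a.rsplit(":", 1)[-1] == str(port) for a in addrs):
        problems.append(f"no listener on port {port}: {addrs}")
    if cfg.get("tls_min_version") not in ("tls12", "tls13"):
        problems.append(f"weak tls_min_version: {cfg.get('tls_min_version')}")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    issues = check_kmip_config(configure_kmip(host))
    print("KMIP configured OK" if not issues else "\n".join(issues))
```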