Step 2: Configure KMIP Secrets Engine
Explains how to set up the KMIP secrets engine.
This guide uses CLI commands, but these steps can also be accomplished through the Web UI, as outlined in HashiCorp’s Vault Deployment Guide.
- Create and set policies to allow the secrets engine to work. The following permissions are needed to successfully perform all the steps in this guide:

  ```hcl
  # Work with kmip secrets engine
  path "kmip/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }

  # Enable secrets engine
  path "sys/mounts/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }

  # List enabled secrets engines
  path "sys/mounts" {
    capabilities = ["read", "list"]
  }
  ```
- Write these permissions to a new file called `kmip-policy.hcl`:

  ```shell
  $ tee kmip-policy.hcl <<EOF
  # Work with kmip secrets engine
  path "kmip/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }

  # Enable secrets engine
  path "sys/mounts/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }

  # List enabled secrets engines
  path "sys/mounts" {
    capabilities = ["read", "list"]
  }
  EOF
  ```
- Load this policy into the active configuration:

  ```shell
  $ vault policy write kmip kmip-policy.hcl
  Success! Uploaded policy: kmip
  ```
- Now that the correct policies are in place, set up the KMIP secrets engine. First enable the engine with:

  ```shell
  $ vault secrets enable kmip
  ```
- Set up the configuration. Find the machine’s IP address and the port you want to use for KMIP. This guide assumes the KMIP server listens on port 5696. To configure Vault’s KMIP listener, run:

  ```shell
  $ vault write kmip/config listen_addrs=<Host's IP Address>:5696
  ```

  The KMIP configuration should be similar to the following:

  ```shell
  $ vault read kmip/config
  Key                            Value
  ---                            -----
  default_tls_client_key_bits    256
  default_tls_client_key_type    ec
  default_tls_client_ttl         336h
  listen_addrs                   [0.0.0.0:5696]
  server_hostnames               [localhost]
  server_ips                     [127.0.0.1 ::1]
  tls_ca_key_bits                256
  tls_ca_key_type                ec
  tls_min_version                tls12
  ```
The KMIP secrets engine is now properly configured.
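As an added example (not code from this guide or from HashiCorp), the script below wraps the steps above into shell functions and adds the post-configuration check a reviewer would want over the output of `vault read kmip/config`: it flags a TLS minimum version below 1.2, a listener bound to the `0.0.0.0` wildcard (the sample output above shows that form, which listens on every interface rather than only the host IP the write command specifies), and RSA client keys shorter than 2048 bits. The function names, the `KMIP_HOST_IP`/`KMIP_PORT` variables and the `--apply` flag are this example's own; the policy text and the `vault` commands are the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide or of HashiCorp's tooling.
# Wraps the guide's steps in functions and checks the resulting config.
# Assumptions: `vault` is on PATH and VAULT_ADDR/VAULT_TOKEN are exported
# when --apply is used; KMIP_HOST_IP is the host address to listen on.

KMIP_PORT="${KMIP_PORT:-5696}"

# write_kmip_policy PATH: writes the guide's policy to PATH.
write_kmip_policy() {
  cat > "$1" <<'EOF'
# Work with kmip secrets engine
path "kmip/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Enable secrets engine
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# List enabled secrets engines
path "sys/mounts" {
  capabilities = ["read", "list"]
}
EOF
}

# check_kmip_config: reads `vault read kmip/config` output on stdin and
# returns 1 if any setting is weaker than the guide's sample config:
#   - tls_min_version must be tls12 or tls13
#   - listen_addrs must name the host IP, not the 0.0.0.0 wildcard
#   - RSA client keys (if chosen instead of ec) must be at least 2048 bits
check_kmip_config() {
  awk '
    BEGIN { bad = 0 }
    $1 == "tls_min_version" && $2 != "tls12" && $2 != "tls13" {
      print "weak TLS minimum version: " $2; bad = 1
    }
    $1 == "listen_addrs" && $0 ~ /0\.0\.0\.0/ {
      print "listener bound to all interfaces: " $2; bad = 1
    }
    $1 == "default_tls_client_key_type" { ktype = $2 }
    $1 == "default_tls_client_key_bits" { kbits = $2 + 0 }
    END {
      if (ktype == "rsa" && kbits < 2048) {
        print "weak client key: " ktype " " kbits; bad = 1
      }
      exit bad
    }'
}

# apply_kmip_setup HOST_IP: runs the guide's commands against a live Vault,
# then verifies the configuration it produced.
apply_kmip_setup() {
  write_kmip_policy kmip-policy.hcl
  vault policy write kmip kmip-policy.hcl
  vault secrets enable kmip
  vault write kmip/config listen_addrs="$1:$KMIP_PORT"
  vault read kmip/config | check_kmip_config
}

# The live setup runs only when explicitly requested, e.g.:
#   KMIP_HOST_IP=10.0.0.5 sh kmip-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
  apply_kmip_setup "${KMIP_HOST_IP:?set KMIP_HOST_IP to the host address}"
fi
```

Without `--apply` the script only defines the functions, so `check_kmip_config` can be fed a saved copy of `vault read kmip/config` output (for example from a host you cannot reach interactively) and used as a gate in a deployment pipeline.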