Time
4 hours 53 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:01
and this lesson, we're gonna continue looking at the crowd operations for key value. However, we're going to do it. So using Jason as the data exchange format as it's much more applicable to re a world scenarios, let's jump straight to the command line. Hopefully, you had a chance to clone the git repository associated with this training
00:20
as that has a lot of associated artifacts that were going to use in this particular
00:24
training session and in subsequent training sessions from the command line. I'm gonna go ahead and I'm gonna change into that directory particularly. I'm going into the subdirectory for this module off the training on, and we can see we have a few things in here. At this point, what I would like to do is start
00:42
doing some more advanced interactions with vault,
00:46
where the key value data is a little more exotic. So by that, I mean, instead of just simply specifying the key with it with a simple string value and doing that through the command line interface or doing that through the Web interface, we're going to use a jace on file that will depict
01:06
ah variety of key values
01:07
in the file itself, and then we're gonna pass that value to vault
01:12
and vault will process that information. And that's how it's going to determine the key values. In a practical sense, when you're creating key values in a production type environment or any of those kind of more real world scenarios, this is the method you are more apt to use because you're
01:32
secrets are going to be a little more exotic than hello world.
01:34
So let's go ahead and explore one of these to Jason files. We're gonna look at the data, got Jason file.
01:41
And rather than opening it in in a real fancy editor, I'm just gonna actually pipe it over to Jake You, which gives me a nice enough formatting for the purposes of this tutorial, and we can see Yes, indeed. The key value pairs are very simplistic. But if you could imagine the key value pairs could be much, much longer strings. In fact,
02:00
you can even have
02:01
programs that programmatically generate these Jason files and then subsequently you're gonna issue commands much like we're gonna issue right now That takes those Jason files and all the secrets defining those Jason files and pushes them to vault. We've already done our first secret.
02:22
Um,
02:22
in this example, let's train use a different secret. Identify air secret. We'll call it a second.
02:30
And sure enough, there is no value for the second sequence because that secret has not yet been created. However, let's go ahead and create that secret.
02:38
Put a secret second.
02:43
And then, rather than specifying the key values right here on the command line like we did originally, we're gonna pass it the location off the Jason file, and it's gonna use that Jay's on file
02:55
success. Let's hop over to the Web interface
03:00
and take a look at that because it's just nice to see what we made. And sure enough, look, we have a message and source. Let's take a look and the source was from the Jason file. So here's success in creating the secret and the content. Key value pairs off this secret were derived from the contents of a geese on file. Of course,
03:20
we can always retrieve the secret as well, not just through the Web interface
03:23
but through the command line interface. And here we go, running this same, get the second Secret Command this time it returns values because the secret does indeed exist.
03:32
And finally, one thing that that you can interact with is passing. The dash format equals Jason Flag to your vault command. And by doing this, the output of the secret that the key values are going to be in a Jason for Matt and so will the metadata. So
03:53
that allows some of your scripts toe. Maybe do some interpretation. Other programs. Scripts to interpret
03:58
that more structured data format as opposed to the format that we were looking at previously, which is visibly nice. But from a computer programs and scripts perspective not as easy to digest and read into Rounded Out. And to really emphasize that point,
04:13
if we retrieve the script using the Web, a P I
04:18
we will actually see. Here's the curl Command. We will actually see that, um, indeed the response.
04:57
Okay?
05:30
And to bring everything's full circle, let's retrieve this secret using the Web AP I via Curl Command, and we will quickly see that the result is actually Jason in the same exact format as we used. The dash format equals Jason Flag when interacting with
05:49
the vault cli so This is important to know. As you start getting a little more advanced and wanting to script and create some automation around, vault
05:57
the ways to get the Jason type output
06:01
to run out this activity. Let's go ahead and create a true riel world scenario and expand the secret so that some of the key values are actually public and private keys. Now, I'm not going to use riel keys that are out in production for this demo. I'm going to generate some self signed keys myself
06:19
using a utility called Open SSL. We've talked about that in the quiz, in fact,
06:24
to just to generate a self signed key. If you don't have open SSL installed on your machine, that's okay. I've included an example Jason file that actually already has the public and private keys that I'm generating right here and now alongside the get hub.
06:42
So you can just use that yourself. Or you could just walk through and use open SSL to generate a self signed key,
06:47
as I'm about to do here.
06:51
So our it's a right. That's the asymmetric encryption that we were talking about. It's gonna ask me a few questions that are going to be used for this private self signed key. My country. I'm in the United States. I'm actually in California.
07:06
Um, Cities Los Angeles
07:11
Organization Company. Let's go! Sai Buri
07:15
Organizational unit name Just a vault training.
07:20
Um, common name, fully qualified Host name. What's the host name that this key is going to be associated with?
07:27
I'm not too worried about that. Just a vault outside where dot com is a fictitious thing, and then email address will say vault trainer at cyber very dot com.
07:41
And as a result, this process has generated a public certificate certificate that has a public key as well as a variety of metadata that we've provided through the self signing process. And it generated a private key.
07:56
And if we look here at the contents in the directory, cirque dot pem is our public certificate,
08:01
and the private key is self signed. What I want to do is get the contents of both of these files put into a jace on file. So rather than trying to finagle around through the command line interface, I'm gonna hop over to an editor here. I have opened the payload job. Jason, file which I'm gonna put these materials into.
08:18
So first and foremost, we're gonna take these self signed certificate
08:22
and the contents of that and we're going to put that into our payload Jason file, and that's gonna be associated with the key called Key. And then similarly, we're gonna take the self signed private key in the contents of that.
08:37
That's something again we don't want to share with anybody. And we're gonna put that in a key called Private, which is all part of this grander secret that, um, we're going to create
08:50
and returning over to the command line. We're going to run. The Cavey put command again, this time passing it the payload dot Jason file, which has the contents of the public self signed certificate as well as the private key.
09:03
Sure enough, we have success if we hop back just to verify things with the Web interface, we can see. Here's the second secret in the current revision of that secret. And indeed there's a key called Private. There's a key called CERT that's in addition to the keys that we had already
09:22
defined. The hello world right? And the self signed
09:26
is the updated value for the source key. And then here is the actual private key. So now we've actually stored secrets that are not just plain text, but actually representing keys, private keys in our vault implementation. And that wraps up this module on the basics of secrets storage,
09:46
using the key value secret.

Up Next

Vault Fundamentals

Learn how HashiCorp Vault can improve your security posture when it comes to storing sensitive passwords, maintaining confidential keys, implementing encryption, and establishing robust access management.

Instructed By

Instructor Profile Image
James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor