Configuring Vault for Encryption

Use the following guide to initialize and unseal the vault: Initializing and unsealing the vault

The commands below use the pod vault-0, which is usually the active pod in the cluster. Replace it in every command with whichever Vault pod is currently active. To check whether a pod is the active one, run:

kubectl exec -it -n vault vault-0 -- vault status

Example output

Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.3
Build Date              2023-06-06T18:12:37Z
Storage Type            raft
Cluster Name            vault-integrated-storage
Cluster ID              97a5bd70-2dcb-0457-1bb8-96db310f5c5f
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2025-02-11T10:33:48.686231049Z
Raft Committed Index    133
Raft Applied Index      133

Here HA Mode is active. If it shows standby instead, that pod is not the active one and you need to pick a different pod for the commands below.
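As an added example that is not part of the original guide, the following shell script automates that check: it runs vault status in each Vault pod and prints the first one whose HA Mode row reads active, so the pod name never has to be hard-coded as vault-0. It assumes the pods carry the label app.kubernetes.io/name=vault that the official Vault Helm chart sets; adjust the selector if your deployment labels the pods differently.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): find the active Vault pod
# instead of assuming it is vault-0.

# is_active_status reads `vault status` output on stdin and succeeds only when
# the "HA Mode" row says "active". A sealed pod prints no HA Mode row at all
# (and `vault status` exits 2), which correctly counts as "not active".
is_active_status() {
  awk '$1 == "HA" && $2 == "Mode" { mode = $3 } END { exit (mode == "active" ? 0 : 1) }'
}

# find_active_vault_pod prints the name of the active pod in the namespace
# given as $1 (default: vault) and returns 1 if no pod is active.
# Assumption: the pods carry the label app.kubernetes.io/name=vault set by the
# official Vault Helm chart.
find_active_vault_pod() {
  ns="${1:-vault}"
  for pod in $(kubectl get pods -n "$ns" -l app.kubernetes.io/name=vault -o name); do
    pod="${pod#pod/}"
    if kubectl exec -n "$ns" "$pod" -- vault status 2>/dev/null | is_active_status; then
      printf '%s\n' "$pod"
      return 0
    fi
  done
  echo "no active Vault pod found in namespace $ns (all sealed or standby?)" >&2
  return 1
}

# Usage, e.g. to run a command on the active pod instead of a fixed vault-0:
#   ACTIVE=$(find_active_vault_pod vault) && kubectl exec -it -n vault "$ACTIVE" -- vault status
```

The parser only looks at the first column pair, so the varying column widths in vault status output do not matter, and an empty or sealed response fails closed rather than being mistaken for an active node.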

  1. Log in to Vault, using the Initial Root Token that you received together with the 5 unseal key shares in the guide linked above as the token

kubectl exec -it -n vault vault-0 -- vault login
  2. Enable the Transit secrets engine

kubectl exec -it -n vault vault-0 -- vault secrets enable transit
  3. Create an encryption key (exportable=true is required because the component fetches the key material through the transit export endpoint that the policy below grants)

kubectl exec -it -n vault vault-0 -- vault write -f transit/keys/ef-encryption-key exportable=true
  4. Enable AppRole authentication (if not already enabled)

First check whether the AppRole auth method is already enabled:
kubectl exec -it -n vault vault-0 -- vault auth list
You'll see something like:

Path         Type      Accessor              Description
approle/     approle   auth_approle_xxxxx    n/a
token/       token     auth_token_xxxxx      n/a

If approle/ is not listed in that output, enable it:

kubectl exec -it -n vault vault-0 -- vault auth enable approle
  5. Create an AppRole (if not already created)

kubectl exec -it -n vault vault-0 -- sh -c 'vault write auth/approle/role/expertflow \
    token_ttl=1h \
    token_max_ttl=4h'
  6. Create a policy that only allows reading exported transit keys

kubectl exec -it -n vault vault-0 -- sh -c 'vault policy write ef-policy - <<EOF
path "/transit/export/*" {
  capabilities = ["read"]
}
EOF'
  7. Attach the policy to the AppRole

kubectl exec -it -n vault vault-0 -- vault write auth/approle/role/expertflow policies="ef-policy"
  8. Create a Kubernetes secret containing the role-id, secret-id, transit path and encryption key name

ROLE_ID=$(kubectl exec -n vault vault-0 -- vault read -field=role_id auth/approle/role/expertflow/role-id) && \
SECRET_ID=$(kubectl exec -n vault vault-0 -- vault write -f auth/approle/role/expertflow/secret-id | grep "secret_id " | awk '{print $2}') && \
kubectl create secret generic vault-approle-secret -n expertflow \
  --from-literal=ROLE_ID="$ROLE_ID" \
  --from-literal=SECRET_ID="$SECRET_ID" \
  --from-literal=TRANSIT_PATH="transit" \
  --from-literal=TRANSIT_KEY="ef-encryption-key" \
  --save-config --dry-run=client -o yaml | kubectl apply -f -
  9. Copy the Vault TLS secrets to the Expertflow namespace

kubectl get secret tls-ca -n vault  -o yaml | sed 's/namespace: vault/namespace: expertflow/' | kubectl create -f -
kubectl get secret tls-server-client -n vault  -o yaml | sed 's/namespace: vault/namespace: expertflow/' | kubectl create -f -
  10. Apply the encryption schema

kubectl create configmap -n expertflow conversation-manager-encryption-schema --from-file=pre-deployment/conversation-manager/encryption/encryption-schema.json

The configmap above applies the encryption schema for the conversation manager. Change the file path and the configmap name to apply a different schema to another component.

  11. Deploy or upgrade the solution
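The following script, added here and not part of the original guide, wraps step 8 in shell functions and adds the check a practitioner usually wants after step 7: it logs in with the issued role-id/secret-id and asks Vault (via vault token capabilities) whether the resulting token may read the key under transit/export but not the key metadata under transit/keys; any other answer means the policy attached to the role is not the intended ef-policy. It assumes the names used in the steps above (pod vault-0 in namespace vault, role expertflow, transit path transit, key ef-encryption-key, target namespace expertflow); all of them can be overridden through environment variables.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): issue AppRole credentials for the
# component, store them as a Kubernetes secret, and verify the token's scope.
set -eo pipefail

VAULT_NS="${VAULT_NS:-vault}"            # namespace of the Vault pods
VAULT_POD="${VAULT_POD:-vault-0}"        # must be the *active* pod (see the HA Mode check)
APP_NS="${APP_NS:-expertflow}"           # namespace the component runs in
ROLE="${ROLE:-expertflow}"               # AppRole created in step 5
TRANSIT_PATH="${TRANSIT_PATH:-transit}"  # mount path of the transit engine
KEY_NAME="${KEY_NAME:-ef-encryption-key}"

# vpod runs a command inside the Vault pod (no TTY, so it is safe in scripts).
vpod() { kubectl exec -i -n "$VAULT_NS" "$VAULT_POD" -- "$@"; }

# vault_field prints the value of one row of `vault` table output read on stdin.
# It compares the whole first column, so asking for "secret_id" never returns
# the secret_id_accessor row by accident.
vault_field() { awk -v k="$1" '$1 == k { print $2; exit }'; }

# export_key_path is the only path ef-policy grants: <transit>/export/<type>/<name>.
export_key_path() { printf '%s/export/encryption-key/%s\n' "$1" "$2"; }

# issue_credentials fetches the role-id, mints a fresh secret-id and writes both
# (plus transit path and key name) into the vault-approle-secret the component
# reads. It prints "<role_id> <secret_id>" so the scope check can reuse them.
issue_credentials() {
  role_id=$(vpod vault read -field=role_id "auth/approle/role/$ROLE/role-id")
  secret_id=$(vpod vault write -f "auth/approle/role/$ROLE/secret-id" | vault_field secret_id)
  kubectl create secret generic vault-approle-secret -n "$APP_NS" \
    --from-literal=ROLE_ID="$role_id" \
    --from-literal=SECRET_ID="$secret_id" \
    --from-literal=TRANSIT_PATH="$TRANSIT_PATH" \
    --from-literal=TRANSIT_KEY="$KEY_NAME" \
    --save-config --dry-run=client -o yaml | kubectl apply -f - >/dev/null
  printf '%s %s\n' "$role_id" "$secret_id"
}

# verify_scope logs in as the component would and checks the token's effective
# capabilities: read on the export path (what the component needs) and no read
# on the key metadata (which ef-policy does not grant). The capabilities query
# answers from policy, so no key material is ever printed by this check.
verify_scope() {
  token=$(vpod vault write -field=token auth/approle/login role_id="$1" secret_id="$2")
  export_path=$(export_key_path "$TRANSIT_PATH" "$KEY_NAME")
  can_export=$(vpod vault token capabilities "$token" "$export_path")
  can_meta=$(vpod vault token capabilities "$token" "$TRANSIT_PATH/keys/$KEY_NAME")
  vpod vault token revoke "$token" >/dev/null   # the check token is not needed any more
  case "$can_export" in
    *read*) ;;
    *) echo "FAIL: token has no read on $export_path; is ef-policy attached to $ROLE?" >&2; return 1 ;;
  esac
  case "$can_meta" in
    *read*) echo "FAIL: token can also read $TRANSIT_PATH/keys/$KEY_NAME; the role's policy is broader than ef-policy" >&2; return 1 ;;
  esac
  echo "OK: AppRole token is limited to $export_path"
}

# Run only when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "run" ]; then
  creds=$(issue_credentials)
  verify_scope "${creds%% *}" "${creds#* }"
fi
```

Run it as `bash approle-setup.sh run` after step 7 (or after step 8 to re-issue a secret-id). The first check failing points at the policy attachment, the second failing means the role carries more policies than ef-policy; either way the component secret should not be deployed until the check reads OK.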

Post-configuration tasks (not needed right away)

Key rotation

  1. Rotate the key in Vault

kubectl exec -it -n vault vault-0 -- vault write -f transit/keys/ef-encryption-key/rotate
  2. Reload the keys in the component through its API

GET https://<FQDN>/conversation-manager/reload-keys

Taking Backups

  1. Take a backup snapshot

kubectl exec -it -n vault vault-0 -- vault operator raft snapshot save /vault/data/raft/snapshots/backup.snap
  2. Copy the backup from the Vault pod to the local machine

kubectl cp -n vault vault-0:/vault/data/raft/snapshots/backup.snap ~/backups/vault/raft/snapshots/backup.snap
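A small backup script, added here and not from the original guide, turns the two steps above into one command: it writes a timestamped snapshot, copies it out with kubectl cp, compares SHA-256 sums on both sides (kubectl cp streams through tar and gives no integrity guarantee of its own) and removes the copy left on the Vault data volume. It assumes pod vault-0 in namespace vault is the active pod and that sha256sum is available both locally and in the Vault image (the official image is Alpine based and ships it in BusyBox).

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): take a Raft snapshot, copy it
# out of the pod and verify the copy before trusting it as a backup.
set -eo pipefail

VAULT_NS="${VAULT_NS:-vault}"
VAULT_POD="${VAULT_POD:-vault-0}"                          # must be the active pod
LOCAL_DIR="${LOCAL_DIR:-$HOME/backups/vault/raft/snapshots}"
POD_DIR="/vault/data/raft/snapshots"                        # path used in the guide above

# snapshot_name builds a sortable file name from a UTC timestamp ($1) so that
# successive backups never overwrite each other.
snapshot_name() { printf 'vault-raft-%s.snap\n' "$1"; }

# hash_of extracts the hex digest from a `sha256sum` output line ("<hash>  <file>").
hash_of() { awk '{ print $1; exit }'; }

take_backup() {
  name=$(snapshot_name "$(date -u +%Y%m%dT%H%M%SZ)")
  mkdir -p "$LOCAL_DIR"

  # 1. Snapshot inside the pod (needs an unsealed, active Vault and a logged-in token).
  kubectl exec -n "$VAULT_NS" "$VAULT_POD" -- \
    sh -c "mkdir -p $POD_DIR && vault operator raft snapshot save $POD_DIR/$name"
  remote_sum=$(kubectl exec -n "$VAULT_NS" "$VAULT_POD" -- sha256sum "$POD_DIR/$name" | hash_of)

  # 2. Copy out and compare digests: a truncated transfer would otherwise go unnoticed
  #    until the day the snapshot is needed for a restore.
  kubectl cp -n "$VAULT_NS" "$VAULT_POD:$POD_DIR/$name" "$LOCAL_DIR/$name"
  local_sum=$(sha256sum "$LOCAL_DIR/$name" | hash_of)
  if [ "$remote_sum" != "$local_sum" ]; then
    echo "checksum mismatch for $name: pod=$remote_sum local=$local_sum" >&2
    return 1
  fi

  # 3. Do not let snapshots pile up on the Vault data volume; the verified
  #    copy and its digest now live in $LOCAL_DIR.
  kubectl exec -n "$VAULT_NS" "$VAULT_POD" -- rm -f "$POD_DIR/$name"
  printf '%s  %s\n' "$local_sum" "$LOCAL_DIR/$name" | tee "$LOCAL_DIR/$name.sha256"
}

if [ "${1:-}" = "run" ]; then take_backup; fi
```

The stored .sha256 file lets a later restore start with `sha256sum -c` on the local copy, so a snapshot that was damaged at rest is caught before it is pushed back into the pod.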

Restoring Backups

  1. Copy the backup from the local machine to the Vault pod

kubectl cp -n vault ~/backups/vault/raft/snapshots/backup.snap vault-0:/vault/data/raft/snapshots/backup.snap
  2. Restore the backup snapshot (if the snapshot was taken on a different Vault cluster, the restore has to be forced with -force, and Vault must afterwards be unsealed with the unseal keys of the cluster the snapshot came from)

kubectl exec -it -n vault vault-0 -- vault operator raft snapshot restore /vault/data/raft/snapshots/backup.snap