
Configuring Vault for Encryption

Before starting, initialize and unseal Vault as described in the guide Initializing and unsealing the vault.

The commands below use the pod vault-0, which is usually the active pod in the cluster. Replace it with whichever pod is currently active. To check whether a pod is active, run:

CODE
kubectl exec -it -n vault vault-0 -- vault status

Example output

CODE
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.3
Build Date              2023-06-06T18:12:37Z
Storage Type            raft
Cluster Name            vault-integrated-storage
Cluster ID              97a5bd70-2dcb-0457-1bb8-96db310f5c5f
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2025-02-11T10:33:48.686231049Z
Raft Committed Index    133
Raft Applied Index      133

Here HA Mode is active. A pod that reports standby is not the active one; use the pod that reports active in the commands that follow. A sealed or uninitialized pod does not print an HA Mode row at all, which means the unsealing guide above has not been completed on it.
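The check above has to be repeated on each pod by hand. The following is an added example, not a script from the Expertflow documentation, that automates it: it runs vault status on each pod name given, parses the HA Mode row, and prints the first active pod so it can be substituted for vault-0 in the commands below. It assumes kubectl access to the pods in the vault namespace (override with VAULT_NS).

```shell
#!/bin/sh
# Added example, not taken from the Expertflow documentation: find the active
# Vault pod automatically instead of assuming vault-0. Assumes the pods are
# reachable with kubectl in the "vault" namespace (override with VAULT_NS).
set -eu

VAULT_NS="${VAULT_NS:-vault}"

# Runs `vault status` on one pod. Output is kept even on a non-zero exit,
# because `vault status` exits 2 for a sealed node and we still want its rows.
vault_status() {
  kubectl exec -n "$VAULT_NS" "$1" -- vault status 2>/dev/null || true
}

# Reads `vault status` output on stdin and prints the value of the "HA Mode"
# row ("active" or "standby"), or "unknown" when the row is missing, which is
# what a sealed or uninitialised node prints.
ha_mode_from_status() {
  awk '$1 == "HA" && $2 == "Mode" { print $3; found = 1 }
       END { if (!found) print "unknown" }'
}

# Prints the name of the first pod whose HA Mode is "active"; exits 1 if none
# of the given pods is active (cluster still sealed, or election in progress).
find_active_vault_pod() {
  for pod in "$@"; do
    mode=$(vault_status "$pod" | ha_mode_from_status)
    if [ "$mode" = "active" ]; then
      echo "$pod"
      return 0
    fi
  done
  echo "no active Vault pod among: $*" >&2
  return 1
}

# Usage: ./active-vault.sh vault-0 vault-1 vault-2
# e.g.  ACTIVE=$(./active-vault.sh vault-0 vault-1 vault-2)
#       kubectl exec -it -n vault "$ACTIVE" -- vault secrets enable transit
if [ "$#" -gt 0 ]; then
  find_active_vault_pod "$@"
fi
```

The awk match is on the first two columns only, so the HA Enabled and HA Cluster rows of the same output are not mistaken for the mode.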

  1. Log in to Vault. When prompted for a token, enter the Initial Root Token that you received along with the 5 unseal keys in the guide linked above. The root token is only needed for this one-time setup; once the AppRole below works, revoke it (vault token revoke -self while logged in as root) and use a narrower token for day-to-day administration.

CODE
kubectl exec -it -n vault vault-0 -- vault login
  2. Enable the Transit Secrets Engine

CODE
kubectl exec -it -n vault vault-0 -- vault secrets enable transit
  3. Create an Encryption Key

The key is created with exportable=true because the component reads the key material through the transit/export endpoint (the only path the policy below grants). This cannot be undone later: a key can be made exportable, but never non-exportable again. Since the key material leaves Vault, keep the policy and the AppRole as narrow as possible.

CODE
kubectl exec -it -n vault vault-0 -- vault write -f transit/keys/ef-encryption-key exportable=true
  4. Enable AppRole Authentication (if not already enabled)

Check whether AppRole is already enabled:

CODE
kubectl exec -it -n vault vault-0 -- vault auth list

You'll see something like the following. An approle/ row means it is already enabled and the enable command can be skipped (re-running it fails with "path is already in use"):

CODE
Path         Type      Accessor              Description
approle/     approle   auth_approle_xxxxx    n/a
token/       token     auth_token_xxxxx      n/a

Otherwise, enable it:

CODE
kubectl exec -it -n vault vault-0 -- vault auth enable approle
  5. Create an AppRole (if not already created)

CODE
kubectl exec -it -n vault vault-0 -- sh -c 'vault write auth/approle/role/expertflow \
    token_ttl=1h \
    token_max_ttl=4h'
  6. Create a Policy

The policy grants read on the export endpoint only (paths in Vault policies are written without a leading slash). transit/export/* covers every key in the mount; if this Vault also holds keys for other purposes, restrict it to the one key with path "transit/export/encryption-key/ef-encryption-key".

CODE
kubectl exec -it -n vault vault-0 -- sh -c 'vault policy write ef-policy - <<EOF
path "transit/export/*" {
  capabilities = ["read"]
}
EOF'
  7. Attach the Policy to the AppRole

token_policies is the current name of this parameter; policies is the older, deprecated name and still works.

CODE
kubectl exec -it -n vault vault-0 -- vault write auth/approle/role/expertflow token_policies="ef-policy"
  8. Create a secret containing the role-id, secret-id, Transit path and encryption-key name

CODE
ROLE_ID=$(kubectl exec -n vault vault-0 -- vault read -field=role_id auth/approle/role/expertflow/role-id) && \
SECRET_ID=$(kubectl exec -n vault vault-0 -- vault write -f -field=secret_id auth/approle/role/expertflow/secret-id) && \
kubectl create secret generic vault-approle-secret -n expertflow \
  --from-literal=ROLE_ID="$ROLE_ID" \
  --from-literal=SECRET_ID="$SECRET_ID" \
  --from-literal=TRANSIT_PATH="transit" \
  --from-literal=TRANSIT_KEY="ef-encryption-key" \
  --save-config --dry-run=client -o yaml | kubectl apply -f -

-field=secret_id prints only the value, which is more reliable than grepping a column name out of the table and keeps the secret ID out of your terminal output. Every run of this step issues a new secret ID, and earlier ones stay valid unless the role sets secret_id_ttl or secret_id_num_uses, so do not re-run it needlessly.

  9. Copy the Vault TLS secrets to the Expertflow namespace

kubectl create rejects an object that still carries a resourceVersion, so the cluster-specific metadata fields are dropped along with the namespace change.

CODE
kubectl get secret tls-ca -n vault -o yaml | sed -e 's/^  namespace: vault$/  namespace: expertflow/' \
  -e '/^  resourceVersion:/d' -e '/^  uid:/d' -e '/^  creationTimestamp:/d' | kubectl create -f -
kubectl get secret tls-server-client -n vault -o yaml | sed -e 's/^  namespace: vault$/  namespace: expertflow/' \
  -e '/^  resourceVersion:/d' -e '/^  uid:/d' -e '/^  creationTimestamp:/d' | kubectl create -f -
  10. Apply the Encryption Schema

CODE
cd 4.10_f-CIM-release-candidate/kubernetes
kubectl create configmap -n expertflow conversation-manager-encryption-schema --from-file=pre-deployment/conversation-manager/encryption/encryption-schema.json

The encryption schema ConfigMap above is for the Conversation Manager. Change the file path and the ConfigMap name to apply a different schema to another component.

  11. Deploy or upgrade the solution
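Steps 2 to 8 above are written to be typed once; the following is an added example, not a script from the Expertflow documentation or product, that performs the same Vault-side setup idempotently and then proves that a token issued to the AppRole can read the export path for the key and is denied elsewhere. It assumes the active Vault pod is vault-0 in namespace vault, that the pod already holds a valid token from vault login, and that the names match the steps above; the policy it writes is the narrow single-key form (transit/export/encryption-key/ef-encryption-key) rather than transit/export/*, so running it after the manual steps replaces ef-policy with the tighter version. The vault_cli and kube wrappers are helpers of this example, not Vault or kubectl features.

```shell
#!/bin/sh
# Added example, not part of the Expertflow documentation or product: an
# idempotent version of the Transit/AppRole setup above, followed by a
# least-privilege check on a token issued to the AppRole. Assumptions: the
# active Vault pod is vault-0 in namespace "vault", it already holds a valid
# token from `vault login`, and the names below match the steps above.
set -eu

VAULT_NS="${VAULT_NS:-vault}"
VAULT_POD="${VAULT_POD:-vault-0}"
APP_NS="${APP_NS:-expertflow}"
ROLE="${ROLE:-expertflow}"
POLICY="${POLICY:-ef-policy}"
TRANSIT_PATH="${TRANSIT_PATH:-transit}"
TRANSIT_KEY="${TRANSIT_KEY:-ef-encryption-key}"

# Every Vault CLI call goes through here so it runs inside the active pod
# (-i forwards stdin for `vault policy write NAME -`). Tests replace both
# wrappers with fakes.
vault_cli() { kubectl exec -i -n "$VAULT_NS" "$VAULT_POD" -- vault "$@"; }
kube() { kubectl "$@"; }

# Reads `vault secrets list` / `vault auth list` output on stdin and succeeds
# only if the mount path (e.g. "approle/") appears in the first column.
mount_present() {
  awk -v want="$1" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Enables a secrets engine or auth method unless that mount already exists,
# so the script can be re-run without "path is already in use" errors.
enable_once() {  # $1 = secrets|auth, $2 = type, $3 = mount path
  if vault_cli "$1" list | mount_present "$3/"; then
    echo "$1 mount $3/ already enabled"
  else
    vault_cli "$1" enable -path="$3" "$2"
  fi
}

setup() {
  enable_once secrets transit "$TRANSIT_PATH"
  enable_once auth approle approle
  # Writing an existing key is a no-op (Vault only warns), so this is re-runnable.
  vault_cli write -f "$TRANSIT_PATH/keys/$TRANSIT_KEY" exportable=true
  # Least privilege: the component needs to export this one key and nothing else.
  printf 'path "%s/export/encryption-key/%s" {\n  capabilities = ["read"]\n}\n' \
    "$TRANSIT_PATH" "$TRANSIT_KEY" | vault_cli policy write "$POLICY" -
  vault_cli write "auth/approle/role/$ROLE" token_policies="$POLICY" \
    token_ttl=1h token_max_ttl=4h
}

# Capabilities of a token on a path as printed by `vault token capabilities`
# (a comma-separated list such as "read" or "deny"), with whitespace removed.
token_caps() { vault_cli token capabilities "$1" "$2" | tr -d ' \r'; }

# Checks that a token issued to the AppRole can read the export path for the
# encryption key, and is denied on paths it must not touch.
verify_least_privilege() {
  tok=$1
  export_path="$TRANSIT_PATH/export/encryption-key/$TRANSIT_KEY"
  [ "$(token_caps "$tok" "$export_path")" = "read" ] || {
    echo "FAIL: expected read on $export_path" >&2; return 1; }
  for p in "$TRANSIT_PATH/keys/$TRANSIT_KEY" "$TRANSIT_PATH/encrypt/$TRANSIT_KEY" \
           "$TRANSIT_PATH/export/encryption-key/other-key" "sys/policies/acl/$POLICY"; do
    [ "$(token_caps "$tok" "$p")" = "deny" ] || {
      echo "FAIL: unexpected capabilities on $p" >&2; return 1; }
  done
  echo "OK: token can read $export_path and nothing else tested"
}

# Issues AppRole credentials, stores them for the component, and runs the
# check with a token obtained the same way the component obtains one.
issue_and_verify() {
  role_id=$(vault_cli read -field=role_id "auth/approle/role/$ROLE/role-id")
  secret_id=$(vault_cli write -f -field=secret_id "auth/approle/role/$ROLE/secret-id")
  kube create secret generic vault-approle-secret -n "$APP_NS" \
    --from-literal=ROLE_ID="$role_id" --from-literal=SECRET_ID="$secret_id" \
    --from-literal=TRANSIT_PATH="$TRANSIT_PATH" --from-literal=TRANSIT_KEY="$TRANSIT_KEY" \
    --save-config --dry-run=client -o yaml | kube apply -f -
  token=$(vault_cli write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id")
  verify_least_privilege "$token"
}

# Usage: VAULT_POD=<active pod> sh vault-approle-setup.sh run
if [ "${1:-}" = "run" ]; then
  setup
  issue_and_verify
fi
```

The final check uses vault token capabilities rather than actually exporting the key, so the verification never prints key material; a deny on transit/keys and transit/encrypt confirms the component cannot rotate, reconfigure or use the key through Vault, only fetch it.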

Post-configuration tasks (not needed right away)

Key rotation

  1. Rotate the key in Vault. The key name must be the one created above (ef-encryption-key). Rotation adds a new key version; earlier versions remain available, and exportable, for decrypting existing data unless the key's min_decryption_version is raised.

CODE
kubectl exec -it -n vault vault-0 -- vault write -f transit/keys/ef-encryption-key/rotate
  2. Reload the keys in the component using its API, so it picks up the new version

CODE
GET https://<FQDN>/conversation-manager/reload-keys

Taking Backups

A Raft snapshot contains the entire Vault database, including every secret and the exportable key material above, encrypted under Vault's barrier key. It can only be restored with the same unseal keys, and it should be stored and access-controlled as carefully as the unseal keys themselves.

  1. Take a backup snapshot

CODE
kubectl exec -it -n vault vault-0 -- vault operator raft snapshot save /vault/data/raft/snapshots/backup.snap
  2. Copy the backup from the Vault pod to the local machine

CODE
mkdir -p ~/backups/vault/raft/snapshots
kubectl cp -n vault vault-0:/vault/data/raft/snapshots/backup.snap ~/backups/vault/raft/snapshots/backup.snap

Restoring Backups

  1. Copy the backup from the local machine to the Vault pod

CODE
kubectl cp -n vault ~/backups/vault/raft/snapshots/backup.snap vault-0:/vault/data/raft/snapshots/backup.snap
  2. Restore the backup snapshot. Run this on the active pod; restoring into a freshly initialized cluster (a different cluster ID than the one that took the snapshot) additionally requires -force and the original cluster's unseal keys.

CODE
kubectl exec -it -n vault vault-0 -- vault operator raft snapshot restore /vault/data/raft/snapshots/backup.snap