DevSecOps - Kubernetes DevOps & Security
HashiCorp Vault Kubernetes
Demo Vault Initialization
In this guide, you’ll learn how to initialize HashiCorp Vault, unseal it, and verify its status both locally and in Kubernetes. Initialization generates the master key shares and the initial root token—secrets revealed only once.
Table of Contents
- Understanding Initialization & Unsealing
- Default Initialization and Unseal Workflow
- Customizing Key Shares and Threshold
- Initializing and Unsealing Vault in Kubernetes
Understanding Initialization & Unsealing
When Vault starts, it is sealed: it can reach its storage backend but cannot decrypt anything in it. `vault operator init`, which runs exactly once per storage backend (a second run is refused with "Vault is already initialized"), performs the following:
- Generates a master key (called the root key in current releases) and splits it into unseal key shares using Shamir's Secret Sharing.
- Generates the encryption key that protects data in the storage backend, and stores that key encrypted under the master key.
- Issues the initial root token.
Unsealing reconstructs the master key in memory from a quorum of unseal key shares. With the default Shamir seal the master key itself is never written to storage, which is exactly why the shares must be protected: without a quorum of them nothing in the backend can ever be decrypted again.
Note
Store the unseal key shares and the root token securely, ideally with a different person holding each share; the init output is the only time they are shown. A lost root token is not fatal: `vault operator generate-root` issues a new one, but it in turn requires a quorum of unseal key shares (or of recovery keys when auto-unseal is in use). A lost quorum of shares is fatal, because Vault cannot be reinitialized on top of existing data.
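The threshold property that the shares and threshold above rely on, as an added worked example. This is not code from the page or from Vault: it is a simplified textbook Shamir implementation over the same GF(2^8) field Vault's shares live in (x-coordinates are 1..N rather than random bytes, the coordinate is stored as the first byte of a share, and there is no base64), and `split`, `combine`, `forge_share` and `demo` are names introduced here. `forge_share` is the piece a practitioner rarely sees written down: it shows that any T-1 shares are consistent with every possible master key, which is why fewer than `threshold` shares reveal nothing.

```python
"""Shamir secret sharing as used for Vault unseal keys (added example, not the
page's or HashiCorp's code). A 32-byte master key is split into N shares, any T
of which reconstruct it, using one random polynomial per byte over GF(2^8) with
the AES reduction polynomial. Simplifications versus Vault's own shamir package:
x-coordinates are 1..N instead of random bytes, the x-coordinate is the first byte
of each share rather than the last, and shares are raw bytes, not base64."""
import secrets
from typing import Sequence


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(2^8) (square-and-multiply); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base, e = gf_mul(base, base), e >> 1
    return result


def interpolate(xs: Sequence[int], ys: Sequence[int], at: int) -> int:
    """Lagrange-interpolate the polynomial through (xs, ys) and evaluate it at `at`.
    Subtraction in characteristic 2 is XOR, so (at - xj) is written at ^ xj."""
    acc = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num, den = gf_mul(num, at ^ xj), gf_mul(den, xi ^ xj)
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc


def split(secret: bytes, shares: int, threshold: int) -> list[bytes]:
    """Split `secret`; any `threshold` shares reconstruct it. Same parameter rules as
    `vault operator init`: threshold <= shares <= 255, threshold >= 2 unless shares == 1."""
    if not 1 <= threshold <= shares <= 255 or (shares > 1 and threshold < 2):
        raise ValueError(f"invalid parameters: shares={shares}, threshold={threshold}")
    parts = [bytearray([x]) for x in range(1, shares + 1)]   # first byte is the x-coordinate
    for s in secret:
        coeffs = [s, *secrets.token_bytes(threshold - 1)]    # f(0) = secret byte, rest random
        for part in parts:
            y = 0
            for c in reversed(coeffs):                        # Horner evaluation at x = part[0]
                y = gf_mul(y, part[0]) ^ c
            part.append(y)
    return [bytes(p) for p in parts]


def combine(parts: Sequence[bytes]) -> bytes:
    """Reconstruct the secret (f(0) for every byte position) from distinct shares."""
    xs = [p[0] for p in parts]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct, non-zero x-coordinates")
    return bytes(interpolate(xs, [p[i] for p in parts], 0) for i in range(1, len(parts[0])))


def forge_share(known: Sequence[bytes], target: bytes, x: int) -> bytes:
    """From threshold-1 genuine shares, build a share at coordinate `x` that makes
    combine(known + [forged]) return `target`. Because this works for every target,
    threshold-1 shares carry no information about the real secret."""
    xs = [p[0] for p in known] + [0]
    forged = bytearray([x])
    for i, t in enumerate(target, start=1):
        forged.append(interpolate(xs, [p[i] for p in known] + [t], x))
    return bytes(forged)


def demo(shares: int = 5, threshold: int = 3) -> bool:
    """Check the threshold property for a fresh random 32-byte key (2 <= threshold, shares < 255)."""
    master = secrets.token_bytes(32)
    parts = split(master, shares, threshold)
    enough = combine(parts[:threshold]) == master and combine(parts[-threshold:]) == master
    too_few = combine(parts[:threshold - 1]) != master
    forged = forge_share(parts[:threshold - 1], bytes(32), shares + 1)
    anything = combine([*parts[:threshold - 1], forged]) == bytes(32)
    return enough and too_few and anything
```

`demo(5, 3)` is the default init, `demo(3, 2)` the customized one from the next section; both return True. The parameter check in `split` mirrors the server's rules, which is why `-key-shares=5 -key-threshold=1` is refused while `-key-shares=1 -key-threshold=1` is allowed.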
Default Initialization and Unseal Workflow
By default, Vault uses 5 shares and a threshold of 3. Run:
vault operator init
Sample output:
Unseal Key 1: 4jyBl2CBIV6SpkKj6Hos9iD32k5RfGkLzlosrrq/JgOm
Unseal Key 2: B05G1DRtfyKFV5BbDbVqQwkk5HFgB9g2jCmnNfTQiS
Unseal Key 3: Ariq09Nf9ezkTRo74gTBg5IZDaonOc35He803FhCa
Unseal Key 4: 0cZEOC/gEk3YHaKjIwxyfS8REhRqk/CXtmniLv+
Unseal Key 5: fyhZ0seRgxmJcmiqUdXmE9C3jB5027AoER9w4FC2ck
Initial Root Token: s.KhNJWF5g0pomcCLEmDb0VCW
To unseal, supply any 3 of the 5 shares, one per command; each call prints the current progress (`Unseal Progress 1/3`, `2/3`) and the third distinct share flips `Sealed` to `false`. Running `vault operator unseal` with no argument prompts for the share at a hidden prompt, which keeps it out of shell history:
vault operator unseal <Unseal Key 1>
vault operator unseal <Unseal Key 2>
vault operator unseal <Unseal Key 3>
vault login s.KhNJWF5g0pomcCLEmDb0VCW
Once unsealed and authenticated, Vault is ready for secret management.
Customizing Key Shares and Threshold
You can adjust the number of shares and the threshold, but only at initialization time; afterwards they can be changed only by `vault operator rekey`. The threshold may not exceed the number of shares, and Vault rejects a threshold below 2 unless exactly one share is requested (`-key-shares=1 -key-threshold=1`, acceptable only for throwaway dev instances). For real deployments, `-pgp-keys` encrypts each share to a different operator's public key so that no single person (and no terminal scrollback) ever sees all of them, and `-format=json` makes the output parseable by automation.
| Parameter | Description | Example |
|---|---|---|
| -key-shares | Total master key shares to create | 3 |
| -key-threshold | Minimum shares required to unseal | 2 |
vault operator init -key-shares=3 -key-threshold=2
Example output:
Unseal Key 1: AbCdEfGhIjKlMnOpQrStUvWxYz123456
Unseal Key 2: BaDcFeHgIjKlMnOpQrStUvWxYz654321
Unseal Key 3: CaDbEaFgHiJkLmNoPqRsTuVwXyZ789012
Initial Root Token: s.XYZ1234567890abcdef
Unseal with 2 shares and log in:
vault operator unseal <Unseal Key 1>
vault operator unseal <Unseal Key 2>
vault login s.XYZ1234567890abcdef
Initializing and Unsealing Vault in Kubernetes
If Vault is deployed with the official Helm chart, the server pod shows `0/1` READY until it is unsealed: the chart's readiness probe runs `vault status`, which exits non-zero while Vault is sealed. Follow these steps:
Verify Pods
kubectl get pods
# NAME                       READY   STATUS    AGE
# vault-0                    0/1     Running   41s
# vault-agent-injector-...   1/1     Running   41s
Check Vault Status
kubectl exec -it vault-0 -- vault status
# Initialized    false
# Sealed         true
# Total Shares   0
# Threshold      0
Initialize Vault
kubectl exec -it vault-0 -- vault operator init
Sample output:
Unseal Key 1: tUt+pJ0mIKRHTIigQRu2B90X7PjIaIp
Unseal Key 2: NYAzWgTQ4qTgHaBUMsK0xR2mX5Pwh9W8
Unseal Key 3: ivymuAvH42gHbY7nXfe109LvBK7
Unseal Key 4: P4qJ1vYp+XJBxqEHr5Xyf01UPe
Unseal Key 5: 3mgVcrKfSwpFqZJ3Y1vNVPB1M3Gg/LsGgB
Initial Root Token: s.A1yg3V1lBD3uTG0X4DqGpNbP
Unseal with Any 3 Keys
Each command adds one share to the current unseal attempt and prints the progress; Vault reports `Sealed false` once the third distinct share arrives (submitting the same share twice does not advance the count). Shares placed on the command line end up in your shell history, so outside a throwaway cluster run `kubectl exec -it vault-0 -- vault operator unseal` without an argument and paste each share at the hidden prompt instead.
kubectl exec -it vault-0 -- vault operator unseal tUt+pJ0mIKRHTIigQRu2B90X7PjIaIp
kubectl exec -it vault-0 -- vault operator unseal NYAzWgTQ4qTgHaBUMsK0xR2mX5Pwh9W8
kubectl exec -it vault-0 -- vault operator unseal ivymuAvH42gHbY7nXfe109LvBK7
Verify and Log In
kubectl exec -it vault-0 -- vault status
# Sealed          false
# Total Shares    5
# Threshold       3
kubectl exec -it vault-0 -- vault login s.A1yg3V1lBD3uTG0X4DqGpNbP
Confirm Pod is Ready
kubectl get pods
# NAME                       READY   STATUS    AGE
# vault-0                    1/1     Running   5m
# vault-agent-injector-...   1/1     Running   5m
Vault is now unsealed and ready for storing secrets, enabling auth methods, and integrating with applications. Keep in mind that unsealing is per process: if vault-0 restarts it comes back sealed and must be unsealed again, and in an HA deployment every Vault server pod is unsealed separately. Auto-unseal backed by a cloud KMS or HSM removes this manual step, and is the usual choice for anything beyond a demo.
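The init-then-unseal procedure, both the local one above and the `kubectl exec` variant in this section, scripted as an added example. This is not code from the page or from HashiCorp: it assumes only the documented `-format=json` field names (`unseal_keys_b64`, `unseal_shares`, `unseal_threshold`, `root_token` from `vault operator init`; `initialized`, `sealed`, `t`, `n`, `progress` from `vault status` and `vault operator unseal`) and that `vault status` exits 2 while sealed. `real_runner`, `choose_unseal_keys`, `unseal` and `FakeVault` are names introduced here, and `FakeVault` is a constructed stand-in for the server's seal state machine so the flow runs offline; the shares in the `__main__` block are constructed too.

```python
"""Scripted init/unseal driver for a Vault server, local or behind `kubectl exec`.

Added example, not the page's code or HashiCorp's. It relies only on the documented
JSON shapes: `vault operator init -format=json` yields unseal_keys_b64, unseal_shares,
unseal_threshold and root_token; `vault status -format=json` and
`vault operator unseal -format=json` yield initialized, sealed, t (threshold),
n (shares) and progress. FakeVault is a constructed simulator for offline use."""
import json
import subprocess
from typing import Callable, Sequence

Runner = Callable[[Sequence[str]], str]   # argv -> stdout (JSON text)


def real_runner(prefix: Sequence[str] = ()) -> Runner:
    """Invoke the real CLI; e.g. prefix=["kubectl", "exec", "-i", "vault-0", "--"].
    `vault status` exits 2 while sealed, so a non-zero exit is not a failure as long
    as stdout carries JSON. Shares travel as argv entries, never through a shell, so
    they stay out of shell history (they are still briefly visible in the process list)."""
    def run(argv: Sequence[str]) -> str:
        proc = subprocess.run([*prefix, *argv], capture_output=True, text=True, check=False)
        if not proc.stdout.strip():
            raise RuntimeError(proc.stderr.strip() or f"no output from {' '.join(argv)}")
        return proc.stdout
    return run


def seal_status(run: Runner) -> dict:
    return json.loads(run(["vault", "status", "-format=json"]))


def choose_unseal_keys(init: dict) -> list[str]:
    """Validate `vault operator init -format=json` output and pick a quorum of shares."""
    keys, t, n = init["unseal_keys_b64"], init["unseal_threshold"], init["unseal_shares"]
    if len(keys) != n or not 1 <= t <= n:
        raise ValueError(f"inconsistent init output: {len(keys)} keys, shares={n}, threshold={t}")
    return list(keys[:t])


def unseal(run: Runner, keys: Sequence[str]) -> dict:
    """Submit shares one per call until sealed is false; returns the final seal status."""
    st = seal_status(run)
    if not st["initialized"]:
        raise RuntimeError("not initialized: run `vault operator init` first")
    if not st["sealed"]:
        return st
    if st["progress"]:
        # Someone left a partial attempt and we cannot tell which shares it holds;
        # -reset discards it so our own shares are counted from zero.
        st = json.loads(run(["vault", "operator", "unseal", "-reset", "-format=json"]))
    for key in keys:
        st = json.loads(run(["vault", "operator", "unseal", "-format=json", key]))
        if not st["sealed"]:
            return st
    raise RuntimeError(f"still sealed: progress {st['progress']} of threshold {st['t']}")


class FakeVault:
    """Constructed simulator of the server side (offline demo only). Like Vault it
    counts distinct shares, ignores a repeated share, and only discovers a bad share
    when the threshold is reached, at which point the whole attempt is discarded."""

    def __init__(self, shares: Sequence[str], threshold: int):
        self.shares, self.t, self.n = set(shares), threshold, len(shares)
        self.sealed, self.entered = True, set()

    def _status(self) -> str:
        return json.dumps({"initialized": True, "sealed": self.sealed,
                           "t": self.t, "n": self.n, "progress": len(self.entered)})

    def __call__(self, argv: Sequence[str]) -> str:
        argv = list(argv)
        if argv[:2] == ["vault", "status"]:
            return self._status()
        if argv[:3] != ["vault", "operator", "unseal"]:
            raise RuntimeError(f"unsupported command: {argv}")
        if "-reset" in argv:
            self.entered.clear()
        elif self.sealed:
            self.entered.add(argv[-1])
            if len(self.entered) >= self.t:
                genuine = self.entered <= self.shares
                self.entered.clear()
                if not genuine:
                    raise RuntimeError("unseal failed: reconstructed key does not decrypt the keyring")
                self.sealed = False
        return self._status()


if __name__ == "__main__":
    # Offline run against the simulator with constructed shares; swap in
    # real_runner(["kubectl", "exec", "-i", "vault-0", "--"]) for a live pod.
    fake_init = {"unseal_keys_b64": ["share1", "share2", "share3", "share4", "share5"],
                 "unseal_shares": 5, "unseal_threshold": 3, "root_token": "hvs.constructed"}
    server = FakeVault(fake_init["unseal_keys_b64"], fake_init["unseal_threshold"])
    print(unseal(server, choose_unseal_keys(fake_init)))
```

Run as-is it exercises the simulator. Against the pod from this section, build the runner with `real_runner(["kubectl", "exec", "-i", "vault-0", "--"])`, save the output of `vault operator init -format=json` somewhere that is not a terminal log, and hand `json.loads` of it to `choose_unseal_keys`. The two paths a naive loop gets wrong are handled explicitly: a leftover partial attempt is cleared with `-reset` rather than silently topped up with our shares, and the loop stops on the first status with `sealed == false` instead of blindly submitting every key it was given.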