Originally this was going to be a single guide for going from nothing to a working solution, but i realised the post became HUGE, so im splitting it out into “Setting up consul”, “setting up vault” and finally “Configuring Vault”. At the end of the “series” you should be able to pull LUKS keys from vault on boot and automatically.
I will add links to each next part as i write them, at the bottom of each post.
This post in particular is going over my need for this and also the hardware / software requirements for building this.
After the embarrassing situation of losing the LUKS key for a server i built (funnily enough, for my Bitwarden server…) i needed to build a solution where i could store the LUKS key securely. My completely over engineered solution was to use Hashicorp Vault.
I will preface this by saying, i really would not recommend using this setup in production without some major reworking. The internal comms are currently not using TLS for starters. That will be added very shortly, but at the moment this was more a proof of concept.
By the end of this, you should have a working consul cluster, a working vault cluster and a test server should be able to have a drive encrypted with the key pushed to vault and be able to reboot the server and have the drive decrypted and mounted automatically on boot.
Its also worth me pointing out that i am by no means an expert in any of this. This is essentially a compilation of my notes after i spent a few days working / battling through a problem and coming up with a viable solution.
For a basic consul cluster you need 3 nodes and for a basic HA Vault cluster you need 2 nodes.
To try and limit the chance of me taking down all of the consul cluster, i have 1 server on each node of my Proxmox cluster (2 nodes) and 1 Raspberry Pi.
For the Vault side, i have 1 server on the proxmox cluster and 1 on another Raspberry Pi.
All the VM’s used are running the latest version of Centos 7. All the Raspberry Pi’s are running the latest version of Rasbian Lite (or whatever they call the headless version).
The version of Consul that i used is: 1.6.1
The version of Vault that i used is: 1.2.3
The architecture for the Raspberry Pi is just ‘arm’ on the Consul/Vault download page.
Feel free to move onto actually building the consul cluster.