Painless Password Rotation with HashiCorp Vault

This guide demonstrates an automated password rotation workflow using HashiCorp Vault and a simple Bash or PowerShell script. These scripts can be run from a cron job or scheduled task to update local system passwords on a regular basis.

NOTE: This is not the be-all and end-all of password rotation. It is also not a PAM tool. It can do the following:

  • Rotate local system passwords on a regular basis
  • Allow systems to rotate their own passwords
  • Store login credentials securely in Vault
  • Ensure that passwords meet complexity requirements
  • Require users to check credentials out of Vault

Prerequisites

  • HashiCorp Vault cluster that is reachable from your server instances. (Inbound TCP port 8200 to Vault)
  • Seth Vargo's most excellent vault-secrets-gen plugin
  • Vault command line configured for your Vault cluster. (Hint: You need to set VAULT_ADDR and VAULT_TOKEN environment variables.)
  • A version 2 K/V secrets backend mounted at systemcreds
  • jq installed on the Linux servers

Step 1: Configure Your Policies

The following policies grant only 'create' and 'update' capabilities. This creates a one-way door: systems can write new passwords into Vault but cannot read them back.

vault policy write rotate-linux policies/rotate-linux.hcl
vault policy write rotate-windows policies/rotate-windows.hcl

Step 2: Generate a token for each server

vault token create -period 24h -policy rotate-linux -orphan
vault token create -period 24h -policy rotate-windows -orphan

Step 3: Put the token onto each instance

Append the following lines to /etc/environment. VAULT_NAMESPACE is only needed if your Vault cluster uses namespaces. Note that /etc/environment is readable by every local account, so the token is only as private as that file.

export VAULT_ADDR=https://your_vault.server.com:8200
export VAULT_TOKEN=4ebeb7f9-d691-c53f-d8d0-3c3d500ddda8
export VAULT_NAMESPACE=xxxxx

Windows users should set these as system environment variables.

Step 4: Run the script

Linux:

./rotate-linux-password.sh -u root -t passphrase

REQUIRED OPTIONS:
  -u USERNAME = User to change the password for
  -t TYPE = Type of secret to create; either password or passphrase
PASSWORD OPTIONS:
  -l PW_LENGTH = Length (int)
  -d PW_DIGITS = Number of digits (int)
  -s PW_SYMBOLS = Number of symbols (int)
  -c PW_ALLOW_UPPERCASE = Allow uppercase characters (bool)
  -r PW_ALLOW_REPEAT = Allow repeated characters inside the password (bool)
PASSPHRASE OPTIONS:
  -w PH_WORDS = Number of words (int)
  -p PH_SEPARATOR = Separator between the words (string)

Windows:

.\rotate-windows-password.sh Administrator

Step 5: Log onto the Vault UI and verify that the password was saved successfully
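The Step 1 to Step 4 workflow in one place, as an added example written for this guide in Python; it is not the repository's Bash or PowerShell script. It assumes vault-secrets-gen is mounted at gen/ with the parameter names shown, a KV v2 path of systemcreds/data/<host>/<user>, and a local chpasswd. It writes the new secret to Vault before changing the local password, so a failed Vault write cannot lock you out, and check_one_way_door confirms the instance token is refused when it tries to read the credential back, which is what the create/update-only policy is meant to guarantee.

```python
"""Rotate a local account's password through Vault (added example, not the
repository's script). Assumes vault-secrets-gen at gen/ and KV v2 at systemcreds."""
import json, os, socket, subprocess, urllib.error, urllib.request

# Script flag -> generator parameter, following the option list in Step 4.
PW_OPTS = {"l": "length", "d": "digits", "s": "symbols",
           "c": "allow_uppercase", "r": "allow_repeat"}
PH_OPTS = {"w": "words", "p": "separator"}

def build_gen_request(secret_type, flags):
    """(API path, body) for gen/password or gen/passphrase; ignores flags of the other type."""
    table = {"password": PW_OPTS, "passphrase": PH_OPTS}[secret_type]
    return f"gen/{secret_type}", {table[k]: v for k, v in flags.items() if k in table}

def build_kv_payload(hostname, username, secret):
    """KV v2 write: path is systemcreds/data/<host>/<user>, body needs a 'data' wrapper."""
    return (f"systemcreds/data/{hostname}/{username}",
            {"data": {"username": username, "password": secret}})

def vault_request(addr, token, path, body=None, namespace=None):
    """POST body as JSON when given, otherwise GET; raises HTTPError on 403 etc."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data,
                                 method="GET" if body is None else "POST")
    req.add_header("X-Vault-Token", token)
    req.add_header("Content-Type", "application/json")
    if namespace:
        req.add_header("X-Vault-Namespace", namespace)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def check_one_way_door(addr, token, kv_path, namespace=None):
    """True when the rotation token is refused (403) on reading what it just wrote."""
    try:
        vault_request(addr, token, kv_path, namespace=namespace)
    except urllib.error.HTTPError as err:
        return err.code == 403
    return False

def rotate(username, secret_type, flags):
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    ns = os.environ.get("VAULT_NAMESPACE")
    path, body = build_gen_request(secret_type, flags)
    secret = vault_request(addr, token, path, body, ns)["data"]["value"]
    kv_path, payload = build_kv_payload(socket.gethostname(), username, secret)
    vault_request(addr, token, kv_path, payload, ns)      # store in Vault first...
    subprocess.run(["chpasswd"], input=f"{username}:{secret}\n",
                   text=True, check=True)                  # ...then change it locally
    return check_one_way_door(addr, token, kv_path, ns)
```

Calling rotate("root", "passphrase", {"w": 4, "p": "-"}) mirrors the Step 4 invocation and returns True only if the read-back was denied.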