Efficiently managing SSH keys across multiple servers can be daunting, especially as the number of servers and team members grows. HashiCorp Vault provides a robust solution to securely store and manage secrets, including SSH keys. This guide walks you through the steps to set up HashiCorp Vault for seamless SSH access into your EC2 instances.
Efficiently Manage SSH Keys Across Multiple Servers
Managing SSH keys manually can lead to security risks and operational inefficiencies. With Vault, you can centrally manage and dynamically distribute SSH keys, ensuring only authorized users have access and reducing the risk of key compromise. Vault’s dynamic secrets management capabilities allow you to generate SSH keys on-demand, ensuring your infrastructure remains secure and compliant.
Step 1: Setting Up Two EC2 Instances
First, you’ll need two EC2 instances: one for the Vault server and another to simulate a client accessing the Vault server for SSH credentials.
- Launch EC2 Instances:
  - Log in to the AWS Management Console.
  - Navigate to EC2 Dashboard and click on “Launch Instance”.
  - Select the Amazon Machine Image (AMI) (e.g., Amazon Linux 2).
  - Choose an instance type (e.g., t2.micro for testing).
  - Configure instance details, add storage, and configure security groups to allow SSH access.
  - Review and launch the instances.
- Connect to EC2 Instances:
Use SSH to connect to both instances:
ssh -i /path/to/your-key.pem ec2-user@your-ec2-instance-ip
Step 2: Installing the Vault Server on EC2
Next, we’ll install the Vault server on one of the EC2 instances.
- Install Vault:
Update your package manager and install Vault:
sudo yum update -y
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo yum -y install vault
- Verify Installation:
Check the Vault version to verify the installation:
vault --version
Granting Vault User Access to Configuration Files
To secure the Vault setup, create a dedicated user for Vault and grant the necessary permissions.
- Create Vault User:
sudo useradd --system --home /etc/vault.d --shell /bin/false vault
- Create Configuration Directory:
sudo mkdir --parents /etc/vault.d
sudo chown --recursive vault:vault /etc/vault.d
Assigning Permissions for the Vault Directory
Ensure that the Vault user has the appropriate permissions to the Vault directory.
- Set Permissions:
sudo chown -R vault:vault /usr/local/bin/vault
sudo chown -R vault:vault /etc/vault.d
Initializing the Vault Server
Before starting the Vault server, we need to configure and initialize it.
- Create Configuration File:
Create a configuration file (/etc/vault.d/vault.hcl):
storage "file" {
  path = "/etc/vault.d/data"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
ui = true
- Start Vault Server:
sudo vault server -config=/etc/vault.d/vault.hcl
- Initialize Vault:
Open another terminal and initialize the Vault server:
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
- Unseal Vault:
Unseal the Vault with the keys provided during initialization:
vault operator unseal <Unseal_Key_1>
vault operator unseal <Unseal_Key_2>
vault operator unseal <Unseal_Key_3>
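The init and unseal steps above are typed by hand once, but the unseal part has to be repeated every time the server process restarts (the foreground `vault server` command above included), and the three shares end up in shell history each time. The following is an added example, not part of the original guide, that drives the same `sys/seal-status` and `sys/unseal` API calls from code: it reads the JSON form of `vault operator init` output (assumed saved as `init.json` with mode 0600, a hypothetical file name), submits shares only until Vault reports the seal open, and never sends the remaining shares. `FakeVault` is a constructed stand-in for the two endpoints so the logic runs offline; against the guide's server the real transport `http_json` is used instead. Since the listener above sets `tls_disable = 1`, those API calls are plaintext, which is why `VAULT_ADDR` stays on the loopback address exactly as the guide sets it.

```python
import json
import os
import stat
import urllib.request

# Hypothetical lab address; matches the plaintext listener in the guide's vault.hcl.
VAULT_ADDR = "http://127.0.0.1:8200"


def http_json(method, path, body=None, addr=VAULT_ADDR):
    """Minimal JSON transport for the Vault HTTP API (sys/unseal needs no token)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(addr + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def load_init_output(path):
    """Read the JSON written by `vault operator init -format=json > init.json`.
    The file holds every unseal share and the root token, so refuse it unless
    it is readable by its owner only (mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}; expected 0600")
    with open(path) as f:
        init = json.load(f)
    return init["unseal_keys_b64"], init["unseal_threshold"]


def unseal(keys, call=http_json):
    """Submit unseal shares one at a time until Vault reports sealed=false.
    Returns (final seal status, number of shares submitted). Stops as soon as
    the threshold is met, so shares beyond it are never sent, and an
    already-unsealed server costs zero shares."""
    status = call("GET", "/v1/sys/seal-status")
    if not status.get("sealed"):
        return status, 0
    used = 0
    for key in keys:
        status = call("POST", "/v1/sys/unseal", {"key": key})
        used += 1
        if not status.get("sealed"):
            return status, used
    raise RuntimeError(
        f"still sealed after {used} shares: progress {status.get('progress')}/{status.get('t')}")


class FakeVault:
    """Constructed stand-in for the seal-status and unseal endpoints so the logic
    above runs offline. Models a Shamir seal of n shares with threshold t:
    progress counts distinct valid shares and drops back to 0 once the seal opens."""

    def __init__(self, shares, threshold):
        self.shares = set(shares)
        self.t = threshold
        self.n = len(shares)
        self.provided = set()
        self.sealed = True

    def __call__(self, method, path, body=None):
        if method == "GET" and path == "/v1/sys/seal-status":
            return self.status()
        if method == "POST" and path == "/v1/sys/unseal":
            key = body["key"]
            if key not in self.shares:
                raise ValueError("invalid unseal share")      # real Vault: HTTP 400
            if key in self.provided:
                raise ValueError("share already provided")    # real Vault: HTTP 400
            self.provided.add(key)
            if len(self.provided) >= self.t:
                self.sealed = False
                self.provided.clear()
            return self.status()
        raise ValueError(f"unexpected call {method} {path}")

    def status(self):
        return {"sealed": self.sealed, "t": self.t, "n": self.n,
                "progress": len(self.provided)}


if __name__ == "__main__":
    # Offline demo with constructed shares; against a real server use
    # keys, _ = load_init_output("init.json") followed by unseal(keys).
    fake = FakeVault(["s1", "s2", "s3", "s4", "s5"], threshold=3)
    final, used = unseal(["s1", "s2", "s3", "s4", "s5"], call=fake)
    print(f"sealed={final['sealed']} after {used} shares")   # sealed=False after 3 shares
```

The transport is injected as a plain callable so the same `unseal` function runs against the fake and against a live server; the early return on an open seal makes the script safe to run from a boot hook or cron job without re-submitting shares.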
Setting the VAULT_ADDR Environment Variable
Set the VAULT_ADDR environment variable to communicate with the Vault server.
- Set VAULT_ADDR:
export VAULT_ADDR='http://127.0.0.1:8200'
By following these steps, you’ve successfully set up HashiCorp Vault on an EC2 instance, initialized the server, and prepared it for managing SSH keys dynamically. This setup enhances security and efficiency, making SSH key management across multiple servers a breeze.