One place for hosting & domains

      Secrets

      Secrets Management with Ansible


      Ansible stands out for its capabilities in automating server provisioning and management. Ansible’s playbooks, its ability to group and organize resources, and numerous other features make it a great asset for administering servers.

      However, Ansible’s operations often necessitate that your playbooks leverage secrets like server passwords, access tokens, and API keys.

      To bring security to the convenience of your Ansible setup, you should use a secrets management process. Secrets management continues to let Ansible automate your server tasks, with all the access it needs. At the same time, secrets management keeps your secrets safely out of plain text files and other vulnerable locations.

      In this tutorial, learn the most useful methods for implementing secrets management with your Ansible setup. The tutorial covers a range of methods, from simple to scalable, and helps you choose the right fit.

      Before You Begin

      1. If you have not already done so, create a Linode account. See our Getting Started with Linode guide.

      2. Follow our guide on Getting Started With Ansible: Basic Installation and Setup. Specifically, follow the sections on setting up a control node and managed nodes, configuring Ansible, and creating an Ansible inventory.

      3. Refer to our guide Automate Server Configuration with Ansible Playbooks for an overview of Ansible playbooks and their operations.

      Secrets in Ansible

      A secret refers to a key or other credential that allows access to a resource or system. Secrets include things like access tokens, API keys, and database & system passwords.

      When managing nodes with Ansible, you often need to provide it with secrets. Typically, you can provide these secrets within Ansible playbooks, but doing so exposes them to possible interception and exploitation.

      To secure your secrets, you should implement secrets management with your Ansible playbooks. Secrets management refers to the ways in which secrets are stored safely, with different methods balancing between accessibility and security.

      Managing Secrets in Ansible

      Several options exist for managing secrets with your Ansible playbooks. The option that fits your needs depends on your particular setup. How accessible you need your secrets to be and how secure you want to make them determine which solutions work best for you.

      The upcoming sections outline some of the most useful options for managing secrets with Ansible. These attempt to cover a range of use cases, from interactive and manual, to automated and integrated.

      All of the examples that follow use an Ansible setup with one control node and two managed nodes. The managed nodes are given the example IP addresses 192.0.2.1 and 192.0.2.2 throughout, and are listed in an ansiblenodes group in the control node’s Ansible inventory.

      Using Prompts to Manually Enter Secrets

      Ansible playbooks include the option to prompt users for variables. This is actually an option for managing secrets within your Ansible setup.

      With this option, you configure your Ansible playbook to prompt users to manually input secrets. The secrets never need to be persisted on the system, allowing you to safeguard them otherwise. This method is the easiest of the options covered here.

      Of course, this option comes with some significant drawbacks. By not storing the secrets, you also prevent Ansible from accessing them automatically, reducing the ability to integrate your playbooks into automated processes. Additionally, leaving the secrets to manual entry introduces its own risks, as users can mishandle secrets.

      Here is an example Ansible playbook from our Automate Server Configuration with Ansible Playbooks guide. This playbook adds a new non-root user to the managed nodes.

      The playbook uses the vars_prompt option to prompt the user to input a password for the new user. Ansible then hashes the password and deploys the new user to each of the managed nodes.

      Note

      This playbook assumes you have an SSH public key on your control node. The public key allows for secure passwordless connections to the new user in the future. Learn more in our guide Using SSH Public Key Authentication.

      This tutorial also assumes that your control node’s SSH key is secured by a password, and hence uses the --ask-pass option in some of the Ansible playbook commands below. If your SSH key is not secured by a password, remove the --ask-pass option from the Ansible playbook commands shown in this tutorial.

      File: add_limited_user.yml
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

      ---
- hosts: ansiblenodes
  remote_user: root
  vars:
    limited_user_name: 'example-user'
  vars_prompt:
    - name: limited_user_password
      prompt: Enter a password for the new non-root user
  tasks:
    - name: "Create a non-root user"
      user: name={{ limited_user_name }}
            password={{ limited_user_password | password_hash }}
            shell=/bin/bash
    - name: Add an authorized key for passwordless logins
      authorized_key: user={{ limited_user_name }} key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
    - name: Add the new user to the sudoers list
      lineinfile: dest=/etc/sudoers
                  regexp="{{ limited_user_name }} ALL"
                  line="{{ limited_user_name }} ALL=(ALL) ALL"
                  state=present

      To run the playbook, first make sure you’re in the same directory as the playbook, then execute the following command:

      Ansible Control Node

      ansible-playbook --ask-pass add_limited_user.yml

      Ansible prompts for the SSH password first, then for a password for the new user. The output should resemble what is shown below:

      SSH password:
Enter a password for the new non-root user:

PLAY [ansiblenodes] ************************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.0.2.2]
ok: [192.0.2.1]

TASK [Create a non-root user] **************************************************
changed: [192.0.2.1]
changed: [192.0.2.2]

TASK [Add remote authorized key to allow future passwordless logins] ***********
ok: [192.0.2.1]
ok: [192.0.2.2]

TASK [Add normal user to sudoers] **********************************************
ok: [192.0.2.1]
ok: [192.0.2.2]

PLAY RECAP *********************************************************************
192.0.2.1              : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.0.2.2              : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

      Using the Ansible Vault to Manage Secrets

      Ansible has a tool, Ansible Vault, that can facilitate secrets management. The Vault encrypts information, which you can then use within your Ansible playbooks.

      With some setup, Ansible Vault can make secrets both secure and accessible. Secrets are encrypted, meaning that no one can get to them without your password. The secrets are, at the same time, made accessible to Ansible. A password file can give Ansible everything it needs to run in an automated setup.

      The vault password can either be entered manually or automatically through a password file. You can even use an external password manager, and implement a script or other solution to retrieve the password.

      This example of Ansible Vault deploys rclone to the managed nodes and configures it to connect to a Linode Object Storage instance. The secrets are the access keys for the object storage instance.

      To follow along, you need to set up a Linode Object Storage instance with access keys and at least one bucket. You can learn how to do so in our guide Object Storage – Get Started.

      1. Create a file with the access keys for your Linode Object Storage instance. You can do so with the following command, just replace the text in arrow brackets with your corresponding object storage keys:

        Ansible Control Node

        echo "s3_access_token: <S3_ACCESS_TOKEN>" > s3_secrets.enc
echo "s3_secret_token: <S3_SECRET_TOKEN>" >> s3_secrets.enc
ansible-vault encrypt s3_secrets.enc

        Ansible Vault prompts you to create a vault password before encrypting the file’s contents.

        New Vault password:
Confirm New Vault password:
Encryption successful

      2. Create a password file in the same directory you intend to create the Ansible playbook in. The file needs to contain only the password for your encrypted secrets file. The example in this next command assumes your password is examplepassword:

        Ansible Control Node

        echo "examplepassword" > example.pwd

      3. Create a new Ansible playbook with the following contents. This playbook connects to the non-root users created using the playbook in the previous section of this tutorial. The playbook then installs rclone and creates a configuration file for it. The playbook also inserts the access keys from the s3_secrets.enc file into the configuration file.

        File: set_up_rclone.yml
         1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

        ---
- hosts: ansiblenodes
  remote_user: 'example-user'
  become: yes
  become_method: sudo
  vars:
    s3_region: 'us-southeast-1'
  tasks:
    - name: "Install rclone"
      apt:
        pkg:
          - rclone
        state: present
        update_cache: yes
    - name: "Create the directory for the rclone configuration"
      file:
        path: "/home/example-user/.config/rclone"
        state: directory
    - name: "Create the rclone configuration file"
      copy:
        dest: "/home/example-user/.config/rclone/rclone.conf"
        content: |
          [linodes3]
          type = s3
          env_auth = false
          acl = private
          access_key_id = {{ s3_access_token }}
          secret_access_key = {{ s3_secret_token }}
          region = {{ s3_region }}
          endpoint = {{ s3_region }}.linodeobjects.com

      4. Run the Ansible playbook. The playbook command here adds the variables from the secrets file using the -e option, and gets the password for decrypting them from the --vault-password-file. The --ask-become-pass option has Ansible prompt for the limited user’s sudo password.

        Ansible Control Node

        ansible-playbook -e @s3_secrets.enc --vault-password-file example.pwd --ask-pass --ask-become-pass set_up_rclone.yml

        The result should resemble:

        SSH password:
BECOME password[defaults to SSH password]:

PLAY [ansiblenodes] ************************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.0.2.2]
ok: [192.0.2.1]

TASK [Install rclone] **********************************************************
changed: [192.0.2.1]
changed: [192.0.2.2]

TASK [Create the directory for the rclone configuration] ***********************
changed: [192.0.2.2]
changed: [192.0.2.1]

TASK [Create the rclone configuration file] ************************************
changed: [192.0.2.2]
changed: [192.0.2.1]

PLAY RECAP *********************************************************************
192.0.2.1              : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.0.2.2              : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

      5. To verify that everything is working as expected, log into either of the managed nodes as the non-root user. Then use the following command to list the buckets on your Linode Object Storage instance:

        Ansible Managed Node

        You should see something like the following for each bucket, where ansible-test-bucket is the name of the bucket:

        -1 2022-12-08 00:00:00        -1 ansible-test-bucket

      Using a Secrets Manager

      Dedicated solutions exist for managing secrets, and many password managers are capable of doing so for your Ansible playbooks. In terms of their underlying methods, many of these tools function similarly to Ansible Vault. Despite being external tools, several are supported by official or community plugins for Ansible.

      The primary advantage of an external secrets management solution is using a tool already adopted more widely among your team or organization. Ansible Vault may offer a default integration with Ansible, but you are not likely using it more widely for password management within your organization.

      One of the more popular solutions for secret management is HashiCorp’s Vault. HashiCorp’s Vault is a centralized secrets management system with a dynamic infrastructure to keep passwords, keys, and other secrets secure.

      Ansible maintains a plugin for interacting with HashiCorp’s Vault, the hashi_vault plugin.

      The following steps walk you through an example using HashiCorp’s Vault with Ansible. The example accomplishes the same ends as the example in the previous section, so you can more easily compare the two.

      1. Follow along with our guide on Setting Up and Using a Vault Server. By the end, you should have HashiCorp’s Vault installed, a vault server running and unsealed, and be logged into the vault.

      2. Ensure that the key-value (kv) engine is enabled for the secret path:

        Vault Server

        vault secrets enable -path=secret/ kv
        Success! Enabled the kv secrets engine at: secret/

      3. Add the access keys for your Linode Object Storage instance to the secret/s3 path in the vault. Replace the text in arrow brackets below with your corresponding keys:

        Vault Server

        vault kv put secret/s3 s3_access_token=<S3_ACCESS_TOKEN> s3_secret_token=<S3_SECRET_TOKEN>
        Success! Data written to: secret/s3

      4. On your Ansible control node, install hvac via pip in order to use the hashi_vault plugin referenced in the Ansible playbook below.

        Ansible Control Node

      5. Create a new Ansible playbook with the contents shown below. This parallels the playbook built in the previous section, which installs and configures rclone to connect to a Linode Object Storage instance. This version simply fetches the secrets from a HashiCorp vault instead of an Ansible vault:

        Replace both instances of <HASHI_VAULT_IP> below with the IP address for your HashiCorp Vault server. Similarly, replace both instances of <HASHI_VAULT_TOKEN> with your login token for the HashiCorp Vault server.

        File: another_rclone_setup.yml
         1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

        ---
- hosts: ansiblenodes
  remote_user: 'example-user'
  become: yes
  become_method: sudo
  vars:
    s3_region: 'us-southeast-1'
  tasks:
    - name: "Install rclone"
      apt:
        pkg:
          - rclone
        state: present
        update_cache: yes
    - name: "Create the directory for the rclone configuration"
      file:
        path: "/home/example-user/.config/rclone"
        state: directory
    - name: "Create the rclone configuration file"
      copy:
        dest: "/home/example-user/.config/rclone/rclone.conf"
        content: |
          [linodes3]
          type = s3
          env_auth = false
          acl = private
          access_key_id = {{ lookup('hashi_vault', 'secret=secret/s3:s3_access_token token=<HASHI_VAULT_TOKEN> url=http://<HASHI_VAULT_IP>:8200')}}
          secret_access_key = {{ lookup('hashi_vault', 'secret=secret/s3:s3_secret_token token=<HASHI_VAULT_TOKEN> url=http://<HASHI_VAULT_IP>:8200')}}
          region = {{ s3_region }}
          endpoint = {{ s3_region }}.linodeobjects.com

      6. Run the Ansible playbook, providing the appropriate passwords when prompted:

        Ansible Control Node

        ansible-playbook --ask-pass --ask-become-pass another_rclone_setup.yml

        The result should resemble:

        SSH password:
BECOME password[defaults to SSH password]:

PLAY [ansiblenodes] ********************************************************

TASK [Gathering Facts] *****************************************************
ok: [192.0.2.2]
ok: [192.0.2.1]

TASK [Install rclone] ******************************************************
changed: [192.0.2.2]
changed: [192.0.2.1]

TASK [Create the directory for the rclone configuration] *******************
changed: [192.0.2.2]
changed: [192.0.2.1]

TASK [Create the rclone configuration file] ********************************
changed: [192.0.2.1]
changed: [192.0.2.2]

PLAY RECAP *****************************************************************
192.0.2.1              : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.0.2.2              : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

      7. Just like the previous section, you can verify the setup by logging into one of the managed nodes and running an rclone ls command, such as rclone lsd linodes3:.

      Conclusion

      You now have some options to ensure that your Ansible setup has secure secrets. Choosing between these options comes down to scale and accessibility. Manual entry is simple to start with, but only suits smaller projects and teams. Ansible Vault is in many ways ideal, but an external solution may better fit your team and organization.

      To keep learning about Ansible and efficiently automating your server tasks, read more of our guides on Ansible.

      More Information

      You may wish to consult the following resources for additional information
      on this topic. While these are provided in the hope that they will be
      useful, please note that we cannot vouch for the accuracy or timeliness of
      externally hosted materials.



      Source link

      How To Securely Manage Secrets with HashiCorp Vault on Ubuntu 20.04


      Introduction

      Vault is an open-source tool that provides a secure, reliable way to store and distribute secrets like API keys, access tokens, and passwords. Software like Vault can be critically important when deploying applications that require the use of secrets or sensitive data.

      In this tutorial, you will:

      • Install Vault and configure it as a system service
      • Initialize an encrypted on-disk data store
      • Store and retrieve a sensitive value securely over TLS

      With some additional policies in place, you’ll be able to use Vault to securely manage sensitive data for your various applications and tools.

      As with any service that manages sensitive information, you should consider reading additional documentation regarding Vault’s deployment best practices before using it in a production-like environment. For example, Vault’s production hardening guide covers topics such as policies, root tokens, and auditing.

      Prerequisites

      Before you begin this guide you’ll need the following:

      Note: Vault generates a self-signed TLS certificate when you install the package for the first time. If you do not have a domain name or TLS certificate to use with Vault but would like to follow the steps in this tutorial, you can skip TLS verification by adding the -tls-skip-verify flag to the commands in this tutorial, or by defining the VAULT_SKIP_VERIFY environment variable.

      This option is only suitable for experimenting with Vault and should not be used in a production environment.

      Step 1 — Installing Vault

      HashiCorp provides Vault as a typical Debian/Ubuntu package, so we’ll go through the normal steps of adding their package repository to our server’s list of package sources:

      First, add Hashicorp’s GPG key to your package manager, so that your system trusts their package repositories:

      • curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -

      Then add the repository itself to your list of package sources, so it’ll be checked for regular updates:

      • sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"

      Then install the package:

      You can now use the vault command. Try checking Vault’s version to make sure it works.

      Output
      Vault v1.8.5 (647eccfe0bd5817bdd8628f3c3171402dfc8a8fc)

      The Vault executable is installed on your server, so the next step is to configure it to run as a system service.

      Step 2 — Configuring Vault

      Installing the Vault package automatically creates a vaultvault user on your system and sets up a system service for running Vault in the background. We need to make a couple of changes to its default configuration in order to use the HTTPS certificates generated by Let’s Encrypt.

      Note: In this tutorial and by default, Vault uses the filesystem backend to store encrypted secrets on the local filesystem at /opt/vault. This is suitable for local or single-server deployments that do not need to be replicated. Other Vault backends, such as the Consul backend, will store encrypted secrets at rest within a distributed key/value store.

      Vault’s default configuration is stored in /etc/vault.d/vault.hcl. You’ll use this file to control various options in Vault, such as where encrypted secrets are stored.

      Open vault.hcl using nano or your favorite text editor.

      • sudo nano /etc/vault.d/vault.hcl

      Find the listener "tcp" section of the file that contains this block. If you are using nano, you can press Ctrl+W then enter listener “tcp” to find that line directly:

      /etc/vault.hcl

      listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
...
}

      Edit the tls_cert_file and tls_key_file lines to point to your Let’s Encrypt certificate and key files. Don’t forget to substitute in your own domain name in place of the highlighted your_domain part of each line.

      /etc/vault.hcl

      listener "tcp" {
...
  tls_cert_file = "/etc/letsencrypt/live/your_domain/fullchain.pem"
  tls_key_file = "/etc/letsencrypt/live/your_domain/privkey.pem"
}

      Note: You should also change address = "0.0.0.0:8200" to address = “127.0.0.1:8200” to prevent external connections to this server for now. 127.0.0.1 is a reserved address for localhost only. This is to ensure that the service is not exposed to the public internet before it has been properly secured. You can update this later, but for now, this configuration change will let us use the vault command and correctly resolve the HTTPS-secured domain name.

      Save and close the file. If you are using nano, press Ctrl+X, then Y when prompted to save the file, and Enter to confirm.

      Next, the vault system user also needs permission to read these certificates. By default, these certificates and private keys are only accessible by root. To make these available securely, we’ll create a special group called pki to access these files. We will create the group and then add the vault user to it.

      Update the permissions on the two directories in the /etc/letsencrypt directory to allow members of the pki group to read the contents.

      • sudo chgrp pki /etc/letsencrypt/archive

      • sudo chgrp pki /etc/letsencrypt/live

      • sudo chmod g+rx /etc/letsencrypt/archive

      • sudo chmod g+rx /etc/letsencrypt/live

      Then add the vault user to the pki group. This will grant Vault access to the certificates so that it can serve requests securely over HTTPS.

      • sudo usermod -a -G pki vault

      As a final step for convenience, add a rule in /etc/hosts to direct requests to Vault to localhost.

      Replace your_domain in the following command with the domain you acquired the Let’s Encrypt certificate for:

      • echo 127.0.0.1 your_domain.com | sudo tee -a /etc/hosts

      This command appends the line 127.0.0.1 your_domain.com to /etc/hosts so that any HTTP requests that you make on your Vault server to your_domain.com ignore DNS and are sent to localhost directly.

      With the Vault service set up and the Vault configuration file complete, we’re now ready to start Vault and initialize the secret store.

      Step 3 — Initializing Vault

      When you first start Vault, it will be uninitialized, which means that it isn’t ready to receive and store data. In this section of the tutorial, you will start the Vault server, and then initialize it with a set of secret keys that will be used to unseal (open) Vault’s secret stores.

      The first time you start Vault, the backend that actually stores the encrypted secrets is uninitialized, too. Start the Vault system service to initialize the backend and start running Vault itself.

      • sudo systemctl start vault.service

      You can run a quick check to confirm the service has started successfully.

      • sudo systemctl status vault.service

      You should receive output similar to the following:

      Output
      ● vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-11-16 21:55:13 UTC; 22s ago
       Docs: https://www.vaultproject.io/docs/
   Main PID: 104207 (vault)
      Tasks: 7 (limit: 1137)
     Memory: 179.3M
     CGroup: /system.slice/vault.service
             └─104207 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

      The output of that command should include several pieces of information about the running service, such as its process ID and resource usage. Ensure that the following line is included in the output, which indicates that the service is running correctly.

      Output
      . . .
Active: active (running)
. . .

      If the service is not active, take a look at the accompanying log lines at the end of the command’s output to see Vault’s output, which can help pinpoint any issues.

      Next, we’ll set an environment variable to tell the vault command how to connect to the Vault server. In Step 1 you configured Vault to only listen on the local loopback interface, so set the VAULT_ADDR environment variable to the local HTTPS endpoint.

      • export VAULT_ADDR=https://your_domain:8200

      The vault command can now communicate with the daemon. Note that defining the actual hostname instead of simply localhost or 127.0.0.1 is necessary to properly validate the HTTPS certificate.

      Confirm that the vault server is in an uninitialized state by checking its status.

      The server should return some output so that you can tell it is working but not yet initialized.

      Key Value
--- -----
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.8.5
Storage Type file
HA Enabled false

      There are two pieces of information that Vault will expose at initialization time that will not be available at any other point:

      • Initial root token. This is equivalent to root permissions to your Vault deployment, which allows the management of all Vault policies, mounts, and secrets.
      • Unseal keys. These are used to unseal Vault when the daemon starts, which permits the Vault daemon to decrypt the backend secret store.

      More specifically, Vault’s unsealing process decrypts the backend using a key formed by key shares. When you first initialize Vault, you may choose how many unseal keys to create and how many are necessary at unseal time to successfully unseal Vault. To learn more about Vault’s sealing mechanism, you can refer to the Vault documentation.

      A typical configuration for the unseal parameters would be to create three keys and require at least two of those keys at unseal time. This permits the important key shares to be separated and stored in distinct locations to ensure that compromising one is not sufficient to unseal Vault.

      In other words, whenever Vault is started, at least two unseal keys will be required in order to make the service become available and ready to use. While sealed, the files that store the actual secret values will remain encrypted and inaccessible.

      Initialize Vault with three unseal keys using the -key-shares=3 option, and require at least two keys to unseal the vault with the -key-threshold=2 flag::

      • vault operator init -key-shares=3 -key-threshold=2

      You will receive output like the following:

      Output
      Unseal Key 1: eZcJeydRrqeSMZ1zTN+VVll9TFT2KvJy7VlnxUgtvuz5
Unseal Key 2: ntmqCKq8rgNnKT1YSLCjVmCCZBAA3NwUeqxIyRpYD4Wm
Unseal Key 3: 3FK1+Hsorh4p8/L9mki3VskaEU2eQhLqGOI/pJkTHMbx

Initial Root Token: s.hY0ieybfDqCadz7JpL88uO3x

      Be sure to save each unseal token and the initial root token in a secure way. You will not be able to retrieve these keys and root token again. For example, one option would be to store one unseal key in a password manager, another on a USB drive, and another in a GPG-encrypted file.

      If you examine vault status again, the Initialized status will now be set to true, and the Total Shares and Threshold values will reflect the number of key shards and minimum number of keys that you will need to unseal the vault.

      Output
      . . .
Initialized     true
Sealed          true
Total Shares    3
Threshold       2
Unseal Progress 0/2
. . .

      Note that the Unseal Progess line shows the value 0/2. Begin unsealing Vault using your newly created unseal tokens. Run the vault operator unseal command and input any of your keys when prompted:

      The command will ask for an unseal token:

      Output
      Key (will be hidden):

      After entering it, the output from the command will indicate that the unsealing is in progress, but still requires one more unsealing key before Vault is ready for use.

      Output
      Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          2
Unseal Progress    1/2
Unseal Nonce       0f3a328b-e0c6-6294-d6a2-56da49271dff
Version            1.8.5
Storage Type       file
HA Enabled         false

      Notice how the Unseal Progress 1/2 line has changed in the output. Run the unseal command again.

      And enter a different key than the one you already used:

      Output
      Key (will be hidden):

      The command’s output indicates that the unseal process had completed successfully.

      Output
      Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    3
Threshold       2
Version         1.8.5
Storage Type    file
Cluster Name    vault-cluster-3042c7bc
Cluster ID      c3e9d814-cf2a-2901-f0e4-ebc52d29e5cc
HA Enabled      false

      Vault is now unsealed and ready for use. These unseal steps are necessary whenever Vault is started or restarted.

      However, unsealing is a distinct process from normal interaction with Vault (such as reading and writing values), which are authenticated by tokens. In the next steps, we’ll create the necessary access tokens and policies to store secret values and read/write to specific paths in Vault.

      Step 4 — Reading and Writing Secrets

      There are several [secret backends]](https://www.vaultproject.io/docs/secrets/index.html) that you can use with Vault, but for this example we will use the kv secret backend. This backend stores simple key/value pairs in Vault. However, it is not enabled by default.

      In this section of the tutorial, you will enable the kv secret backend, and then learn how to read and write secrets to it.

      First, save the previously generated root token to a shell variable for ease of use.

      • root_token=your_root_token_here

      Next, while authenticating with the root token, enable the kv backend:

      • VAULT_TOKEN=$root_token vault secrets enable kv

      You will receive output like the following if the command is successful:

      Output
      Success! Enabled the kv secrets engine at: kv/

      You can then verify that it’s been added to your local list of available secrets backends:

      • VAULT_TOKEN=$root_token vault secrets list

      You should receive output like the following:

      Output
      Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_abc1631b    per-token private secret storage
identity/     identity     identity_631fe262     identity store
kv/           kv           kv_4d5855c8           n/a
sys/          system       system_79b13f2f       system endpoints used for control, policy and debugging

      Note the highlighted line that indicates the new kv backend is enabled. Now we can store some data with this backend.

      • VAULT_TOKEN=$root_token vault write kv/message value=mypassword

      In this command, the highlighted kv/ prefix indicates that we are writing to the kv backend mounted at the kv path, and we are storing the key value at the path message with the value mypassword. We used the root token, which has superuser privileges, to write the generic secret.

      Check the secret that you created using the vault read command:

      • VAULT_TOKEN=$root_token vault read kv/message

      You should receive output like the following, with the contents of the secret that you created:

      Output
      Key                 Value
---                 -----
refresh_interval    768h
value               mypassword

      However, creating, reading, and otherwise interacting with Vault using the Root Token only is not secure, scalable in a team setting, and does not allow for fine-grained access control to secrets. In the next section you’ll learn how to define policies and create additional access tokens to restrict how users can interact with Vault.

      Step 5 — Creating an Authorization Policy

      In a real-world scenario, you may store values like API keys or passwords that external tools can consume. Although you may read the secret value again using the root token, it is illustrative to generate a less privileged token with read-only permissions to our single secret.

      In this section of the tutorial you will create a Vault policy that will enforce read-only access to secrets. To create the policy you’ll need to edit a file and then load it into Vault using the vault policy command.

      To get started creating a policy, open a file called policy.hcl using nano or your preferred editor:

      Populate the file with the following Vault policy, which defines read-only access to the secret path::

      policy.hcl

      path "kv/message" {
     capabilities = ["read"]
}

      Save and close the file, then write this policy to Vault. The following command will load the policy.hcl file into Vault and create a policy named message-readonly with the read-only capability

      • VAULT_TOKEN=$root_token vault policy write message-readonly policy.hcl

      Next, create a token that you will use for read-only access to Vault. Add the -policy=”message-readonly” flag to the vault token create command to use the new policy that you created:

      • VAULT_TOKEN=$root_token vault token create -policy="message-readonly"

      The output will look like this:

      Output
      Key                  Value
---                  -----
token                your_token_value
token_accessor       your_token_accessor
token_duration       768h0m0s
token_renewable      true
token_policies       ["default" "message-readonly"]
identity_policies    []
policies             ["default" "message-readonly"]

      Save the highlighted your_token_value value to an environment variable called app_token:

      • app_token=your_token_value

      You can use the value of app_token to access the data stored in the path kv/message (and no other values in Vault).

      • VAULT_TOKEN=$app_token vault read kv/message

      Output
      Key                     Value
---                     -----
refresh_interval        768h0m0s
value                   mypassword

      You can also test that this unprivileged token cannot perform other operations, such as listing secrets in Vault.

      • VAULT_TOKEN=$app_token vault list kv/

      Output
      Error reading kv/: Error making API request.

URL: GET https://your_domain:8200/v1/secret?list=true
Code: 403. Errors:

* 1 error occurred:
    * permission denied

      This verifies that the less-privileged app token cannot perform any destructive actions or access other secret values aside from those explicitly stated in its Vault policy. If you would like to continue using the read-only token, be sure to record it somewhere safe for future use.

      Conclusion

      In this article you installed, configured, and deployed Vault on Ubuntu 20.04. You also created a sharded key to unseal Vault, enabled the kv backend secret store, and defined a read-only policy to limit how a user can interact with Vault secrets.

      Although this tutorial only demonstrated how to use an unprivileged token, the Vault documentation has more examples of additional ways to store and access secrets as well as alternative authentication methods.

      These instructions demonstrated how to deploy and use some of the core features of Vault. Your needs may require other configuration changes and more complex policies. Be sure to read the Vault documentation and make appropriate configuration changes for your needs. Some production-ready changes may include:

      • Generating lesser-privileged tokens for everyday use. The specific policies that these tokens should use depends on your specific use cases, but the example app_token in this tutorial illustrates how you can create limited-privilege tokens and policies.

      • If you are deploying Vault as part of a service that will be used by a team, initialize Vault with unseal keys for each team member. This approach can ensure that Vault’s storage is only decrypted when more than one team member participates in the process.



      Source link

      11 Secrets to Making a Successful Website


      Affiliate Disclosure: DreamHost maintains relationships with some of our recommended partners, so if you click through a link and purchase, we may receive a commission. We only recommend solutions we believe in.

      Whether you’re a writer looking to reach a wider audience, a boutique manufacturer needing to boost sales, or you’re someone who just wants to make money online — you’re going to need a website. And not just any website — a great website.

      Unfortunately, the World Wide Web has been saturated with sites for some years now.

      Standing out. Making your mark. It’s not easy.

      But here at DreamHost, we know a fair bit about websites and what makes them work — so here are our 11 secrets to making a successful website.

      1. Defined goals
      2. A good domain name
      3. Quality web hosting
      4. A clear description
      5. A top-notch CMS
      6. A great e-commerce platform
      7. Engaging web design
      8. SEO optimization
      9. High-quality content
      10. Using Google Analytics
      11. A site maintenance plan

      1. Define your goals

      Before you do anything else, you need to decide what you want to achieve from this website.

      • Is it going to be an e-commerce website that you use to sell products?
      • Are you looking to promote a service?
      • Do you want to make money via affiliate links?
      • Are you simply after a platform to share your thoughts and ideas?

      It can be hard to change the direction of an established website. Make sure you know what type of website you want to create and what you need to get out of it.

      2. Choose a good domain

      Picking a good domain name is easier said than done. It’s also seriously important since it’s tricky to change it once you’ve started establishing your site and brand. (Yes, you can migrate to a new domain, but that comes with all sorts of complications.)

      So what is a good domain? What does a good domain look like?

      • It is your brand name or includes your brand name.
      • It’s memorable.
      • It’s easy to spell.
      • It’s short (ideally under 14 characters; but the shorter, the better).
      • It’s free of numbers, hyphens, or other unusual characters.
      • It has a recognized, trustworthy extension (.com is the ideal).

      It can also be a good idea to choose an SEO-friendly domain that includes one of your most important keywords.

      3. Get secure, quality web hosting with good tech support

      It can be tempting to skimp on web hosting and choose the cheapest service you can find. Don’t do this.

      A cheap web host can cost you in other ways: excessive downtime, slow site speeds, limited or non-existent support.

      It’s not worth it.

      If you’re serious about making your website a success, invest in quality web hosting you can rely on. You won’t go wrong with DreamHost web hosting.

      Related: How to Choose a Web Hosting Provider — 15-Point Checklist

      4. Include a clear description of your business

      This is something a lot of companies get wrong. They know their industry and their business, inside and out. That’s great. But it often means they forget how to describe it to people that don’t.

      Ideally, you should be able to sum up what you do in a couple of sentences. This summary should be displayed prominently on your homepage. And anyone should be able to read it and understand it.

      If you have any doubts, ask someone who knows nothing about what you do what they think. Better yet, enlist the help of a professional copywriter.

      Related: How to Write Meta Descriptions That Get Clicks

      5. Use a top-notch content management system

      A content management system (CMS) is where you’ll manage your website’s pages and content. The right one can make this quick, easy, and fun. The wrong one can be the source of endless headaches and can even limit what you’re able to do.

      Good content management systems allow you to build pages and posts on a site with no prior knowledge of coding. They cut down the barrier to entry and enable anyone to create their own site.

      But how do you know which is the right one for you?

      The following questions will help you decide:

      • Do I want a basic website with no frills?
      • Do I want to be able to build the website in the future to have more features?
      • What’s my budget?
      • Will I want to add the ability for a website visitor to buy products in the future?
      • Am I happy to pay ongoing costs, or do I just want to pay a one-off fee?
      • Do I need to integrate with other parts of my business (such as a lead generation tool or a payment platform)?
      • Is it SEO-friendly?
      • Will it scale with my business?
      • Can I use a website builder to make the design process easier?

      Depending on what you want to use the CMS for, you may have other questions, but these basic ones should set you off on finding the right content management system for your needs.

      Related: How to Build an Awesome Online Store with the OceanWP Theme

      6. Choose a great e-commerce platform

      If you know that you’ll want to sell products on your site, you need to know what e-commerce platform you need to choose. You can choose from many platforms, but not all of them are built to scale or fit for your purposes. As with most things in life, you get what you pay for.

      If you’re running a business website, you need to make sure that the platform you choose is reliable and sturdy. You don’t want to deal with customer complaints because you chose a platform that can’t deliver.

      Related: WooCommerce vs. Shopify: An In-Depth E-commerce Platform Guide

      Before selecting a platform, ask yourself the following:

      • Is it SEO-friendly? While there are many cheap and easy-to-set-up e-commerce platforms, not all of them are particularly SEO-friendly.
      • Is it mobile-friendly? We live in a mobile-first world, and if that platform is even a little bit clunky, you’re going to be losing out on revenue.
      • Is it a trusted and secure platform? One of the most important considerations for customers is that their details will be safe when purchasing. Your platform needs to be fully secure, and it needs to communicate that to potential customers.
      • Will it scale? We all have high hopes for our businesses, and while not all succeed, a fair few do. When choosing an e-commerce platform, ensure that it will scale with your online business.
      • How do the systems work? One of the critical areas to investigate is how well the platform deals with product and order management. You need it to be swift so that you aren’t wasting time on the back end, and you can get on with delivering the best service to your customers.

      Your Online Store Deserves WooCommerce Hosting

      Sell anything, anywhere, anytime on the world’s biggest e-commerce platform.

      7. Create a beautiful, engaging, accessible website design

      When you imagine a design that matches usability, one company usually springs to mind: Apple. They have managed to combine both of these into a wildly successful business.

      Users appreciate good design, and when it’s combined with solid usability, you have a winner. A site that people want to revisit. A site that people want to buy from.

      Google has always said that you need to create websites with the end-user in mind — and it’s more true today than it’s ever been.

      Here are a few tips for creating sites that ooze design quality.

      • Know your target audience and design accordingly — what features would they want, and how design-savvy are they?
      • Don’t skimp on cost. With design, you get what you pay for. Don’t try to cut corners. Use a professional, experienced designer (like team of pros at DreamHost).
      • Look at the competition. Find some sites in your niche that perform well and study them. Google will rank sites based on niches, and design is crucial. If your competitors’ websites are winning with simplistic colors and designs, take notice. Then make yours better.

      Related: What Are Core Web Vitals? And Why Is Google Setting a Minimum Threshold for Them?

      8. Optimize for search engines

      One of the simplest, fastest ways to help make your site successful is to optimize it for search engines. While search engines might be smart — and every day they get better at understanding the meaning and context of web pages, their content, and users’ intent — they still need us to help them along.

      In most cases, the first step to optimizing for search engines is keyword research. This will help you identify the sort of keywords you should be targeting through optimization.

      Popular keyword research tools include:

      If you want to take a more sophisticated approach to keyword research, try Semrush. It’s a great tool for advanced digital marketers, and it’s accessible to people with less experience too. We love it so much, we’ve set up a free 14-day PRO trial for our readers!

      SEMrush

      Semrush’s keyword research section works similarly to most other keyword research tools; however, in addition to keyword suggestions, search volume, and difficulty scores, you also get global volume data, keyword variations, and questions linked to your starting keyword. You also get insights into the current state of the SERPs.

      Related: 13 Simple Ways to Boost SEO on Your WordPress Website

      How to Choose Which Keywords to Target

      The right keywords to target can generally be determined by three things:

      1. Search volume
      2. Difficulty/competitiveness
      3. Relevance

      Ideally, you want to target keywords that lots of people are searching for (how many searches you can realistically expect this to be will depend on your industry), that have low competition (which increases the odds that you’ll be able to rank), and that, of course, are relevant to your site!

      Related: How to Do Keyword Research for Your WordPress Blog

      How to Optimize for Target Keywords

      The main places for including your target keywords are:

      The title tag

      This forms part of the snippet of information that appears in the search results. For example, this is the title tag for the DreamHost homepage:

      <H> tags

      H tags are header tags. You might know them as H1s, H2s, H3s, and so on. They are used to help organize the information on a page, particularly in terms of hierarchy.

      While search engines use all the text on a page for ranking, H tags have extra weight behind them — particularly the H1 tag. Include keywords in them where you can (but never, ever be spammy about it!).

      On-page content

      Search engines use all of a page’s content when determining its subject matter and what it should rank for. It goes without saying that keywords should be included here. Just be tactical about how you do it.

      Use words and phrases naturally. Use permutations where possible. Consider entities. And most importantly of all, write for users, not search engines.

      If you need more help with optimizing your website, consider adding SEO toolkit to your hosting plan for $4.99/month. It’ll help you improve your search engine rankings and drive more customers to your site with its suite of DIY tools, helpful analytics, and a step-by-step SEO plan.

      Related: How to Determine the Most Valuable Keywords to Target

      9. Create high-quality content

      It’s hardly a secret that websites with high-quality content have a better chance of performing well than those with poor-quality content.

      Great content should be informative, well written, and easy to understand. It should be formatted in a way that guides the user through the copy.

      But “create high-quality content” sounds somewhat subjective, doesn’t it?

      It’s not quite as subjective as you might think. Here are some ways you can ensure you’re writing high-quality content for your niche.

      • Invest in good writers — as with many points in this guide, cutting corners won’t help your website succeed in the long run. Our SEO marketing service can help.
      • Have experts write your content — Google has been working towards making sure only the best and most accurate content reaches the top of the search results. Middle-of-the-road content isn’t going to cut it for much longer.
      • Conduct deep research — you need to find out what your customers want, not what you think they want. Many websites miss this point entirely. If you don’t satisfy your users’ needs, you can’t really call your content high-quality.

      It’s not just about the words — you need to make your content sing. Make sure it appeals to different users. If it’s right for your target audience, then introduce videos, images, infographics, and charts.

      Related: How to Create a Content Marketing Strategy

      10. Track your progress with analytics

      It’s tricky, if not impossible, to know whether your site is a success if you’re not tracking your progress. While many tools allow you to track your website and even spy on the status of others, there is arguably no better website tracking tool than Google’s own Analytics.

      To get started with Google Analytics, you will need to:

      And that’s pretty much it. You can create filtered views of the data to help you hone in on specific data elements, but the above is all you need to do for Google to start gathering extremely detailed data that will enable you to assess the performance of your site and adapt your strategy accordingly.

      Related: 20 Metrics Every Blogger Needs to Track to Measure Success

      11. Set up a site maintenance plan

      What do you do once your site’s up and running? Should you sit back, relax, and let the visits/leads/money roll in?

      No.

      Depending on your goals, you may be able to slow down. But you can’t just forget about your website. Things will go wrong.

      Instead, implement a maintenance plan, like what we offer as part of our DreamCare service. Your maintenance plan should include a list of periodic must-dos and when you will do them. The most important will likely be:

      • Running security scans
      • Backing up your site’s data
      • Checking Webmaster Tools, primarily for any glaring errors that have gone unnoticed

      Another thing we’d advise is to run Hotjar or another tool that monitors user behavior. While you can use its findings to gain a deep understanding of your website’s user experience (UX), you can also use it periodically to pinpoint specific issues or points of contention.

      Get Our Best Tips to Boost Website Traffic

      Whether you need help optimizing a landing page, crafting the ideal social media strategy, or creating buyer personas, we can help! Subscribe to our monthly digest so you never miss an article.

      Your New Website Is Waiting

      As you can see, creating a successful website isn’t quick, and it isn’t particularly easy — but knowing the secrets to a successful website will help.

      Get started with these key takeaways.

      1. Define your goals. Decide exactly what you want your website to achieve.
      2. Choose a good domain name that’s relevant, memorable, short, and has a trustworthy extension.
      3. Invest in quality web hosting that’s secure, with great tech support.
      4. Describe your business clearly on your homepage, and anywhere else it’s relevant.
      5. Use a quality content management system: one that’s robust and easy to use.
      6. Choose a good e-commerce platform that can grow with your business.
      7. Create a beautiful website design that’s one step above your competitors.
      8. Optimize for search engines. Ensure they understand what your site’s about and the terms it should rank for.
      9. Create high-quality content; substandard content doesn’t rank.
      10.  Track your progress, starting with Google Analytics.
      11.  Create a site maintenance plan, including backing up data and checking Search Console.

      Ready to get started with your website? If you’re starting from scratch, we can help with our Pro Services. Our expert team can design, build, manage and market your website — everything you need to launch yourself or your brand online. Learn more about what DreamHost can do for you here.



      Source link

      Forgot Your Password ?