This guide demonstrates an automated password rotation workflow using HashiCorp Vault and a simple Bash or Powershell script. These scripts could be run in a cron job or scheduled task to dynamically update local system passwords on a regular basis.
NOTE: This is not the be-all and end-all of password rotation. It is also not a PAM tool. It can do the following:
- Rotate local system passwords on a regular basis
- Allow systems to rotate their own passwords
- Store login credentials securely in Vault
- Ensure that passwords meet complexity requirements
- Require users to check credentials out of Vault
- HashiCorp Vault cluster that is reachable from your server instances. (Inbound TCP port 8200 to Vault)
- Seth Vargo's most excellent vault-secrets-gen plugin
- Vault command line configured for your Vault cluster. (Hint: You need to set VAULT_ADDR and VAULT_TOKEN environment variables.)
- A version 2 K/V secrets backend mounted at
systemcreds
The following policies allow 'create' and 'update' rights. This essentially creates a one way door, whereby systems can update their passwords but not read them from Vault.
vault policy write rotate-linux policies/rotate-linux.hcl
vault policy write rotate-windows policies/rotate-windows.hcl
vault token create -period 24h -policy rotate-linux
vault token create -period 24h -policy rotate-windows
Append the following lines to /etc/environment.
export VAULT_ADDR=https://your_vault.server.com:8200
export VAULT_TOKEN=4ebeb7f9-d691-c53f-d8d0-3c3d500ddda8
Windows users should set these as system environment variables.
./rotate-linux-password.sh root.\rotate-windows-password.sh Administrator