Use Vault as the Encryption Backend
This guide walks you through the steps required to configure and use HashiCorp Vault's Transit secrets engine as the encryption backend for Notary.
Note
Once Notary is initialized it must keep using the encryption backend that was configured at initialization time; there is currently no way to switch backends afterwards.
Prerequisites
A Vault server with the Transit secrets engine enabled, and a Vault token or AppRole whose policy allows the encrypt and decrypt operations on the Transit key Notary will use
1. Configure Notary with your Vault Information
Give your backend a name (in the following example we call it vault-backend).
Add your Vault's details to the Notary config file:
Endpoint of your Vault server
Mount path of the Transit secrets engine
Name of the Transit key to use for encryption
Either a Vault token or AppRole credentials (Role ID and Secret ID), not both
```yaml
encryption_backend:
  vault-backend:                      # name of the backend
    vault:
      endpoint: "https://vault.example.com"
      mount: "transit"                # mount path of the Transit secrets engine
      key_name: "notary-key"          # Transit key used for encryption
      token: "s.xxxxxxx"              # if you use a token for authentication
      approle_role_id: "xxxxxx"       # if you use AppRole for authentication
      approle_secret_id: "xxxxxx"     # if you use AppRole for authentication
      tls_ca_cert: "/path/to/ca.crt"  # optional: CA bundle, if your Vault server uses a CA not in your system's trust store
      tls_skip_verify: false          # optional (defaults to false): skip TLS certificate verification.
                                      # Strongly discouraged outside development environments.
```
2. Start Notary
sudo snap start notary.notaryd
On successful startup, Notary logs a line containing the following (where <method> is token or AppRole, depending on how you authenticated):
"msg":"Vault backend configured using <method>"
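The Vault-side provisioning that the configuration above takes for granted, as an added example (not code from the Notary docs or project): it enables Transit, creates the key, writes a least-privilege policy that permits only encrypt and decrypt on that one key, creates an AppRole bound to the policy, prints the Role ID and Secret ID to paste into the config, and finally checks the snap log for the startup message. The mount, key, policy and role names are assumptions that must match your Notary config, and VAULT_ADDR/VAULT_TOKEN are assumed to point at an administrative Vault session.

```shell
#!/bin/sh
# Added example, not part of the Notary project. Assumes VAULT_ADDR and
# VAULT_TOKEN identify an admin session. Names below are illustrative.
set -eu

MOUNT="${MOUNT:-transit}"             # must equal "mount" in the Notary config
KEY_NAME="${KEY_NAME:-notary-key}"    # must equal "key_name" in the Notary config
POLICY_NAME="${POLICY_NAME:-notary-transit}"
ROLE_NAME="${ROLE_NAME:-notary}"

# Least-privilege policy: Notary only needs to encrypt and decrypt with one
# key. It gets no access to the key material, rotation, export or deletion.
notary_policy() {
  mount="$1"; key="$2"
  cat <<EOF
path "${mount}/encrypt/${key}" {
  capabilities = ["update"]
}
path "${mount}/decrypt/${key}" {
  capabilities = ["update"]
}
EOF
}

provision() {
  # Enable Transit at the configured mount (no-op if already enabled).
  vault secrets enable -path="$MOUNT" transit 2>/dev/null || true
  # Create the key; exportable=false keeps the key material inside Vault.
  vault write -f "$MOUNT/keys/$KEY_NAME" exportable=false
  # Install the policy from stdin.
  notary_policy "$MOUNT" "$KEY_NAME" | vault policy write "$POLICY_NAME" -
  # AppRole: short-lived tokens carrying only the Transit policy.
  vault auth enable approle 2>/dev/null || true
  vault write "auth/approle/role/$ROLE_NAME" \
    token_policies="$POLICY_NAME" token_ttl=1h token_max_ttl=24h
  # Credentials for the Notary config. The Secret ID is a secret: hand it
  # to the Notary host out of band rather than leaving it in shell history.
  echo "approle_role_id: $(vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id")"
  echo "approle_secret_id: $(vault write -f -field=secret_id "auth/approle/role/$ROLE_NAME/secret-id")"
}

# After "sudo snap start notary.notaryd": succeed only if the startup line
# described in the docs appears in the recent snap log.
verify_startup() {
  sudo snap logs notary.notaryd -n 200 | grep -F 'Vault backend configured using'
}

case "${1:-}" in
  provision) provision ;;
  verify)    verify_startup ;;
  policy)    notary_policy "$MOUNT" "$KEY_NAME" ;;
  *)         ;;  # sourced or run without arguments: only define the functions
esac
```

Run `sh setup.sh policy` to review the policy before applying it, `sh setup.sh provision` against Vault, then `sh setup.sh verify` on the Notary host after starting the service. If you prefer a static token over AppRole, issue it with the same policy (`vault token create -policy=notary-transit`) and put it in the `token` field instead.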