Setting Up HashiCorp Vault (dev) + EthSigner

HashiCorp Vault dev server is a fast and convenient way to set up a Vault server instance. However, its security level is lower than a non-dev server. For one, all secrets are stored in memory, as opposed to encrypted storage in a non-dev server. In addition, the server connection is TLS-disabled. Finally, the dev server gives you 1 unseal key to unseal the Vault, whereas the non-dev server requires you to enter 3 of 5 keys to unseal the Vault.

1. Install HashiCorp Vault

   1. sudo apt update

      • updates apt-installed packages

   2. sudo apt install gpg wget

      • installs gpg (GNU Privacy Guard), which is a cryptography library, and wget, which is like curl but used mostly for downloading files

   3. wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

      • If you get a certificate verification error, use wget -O- https://apt.releases.hashicorp.com/gpg --no-check-certificate | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

      • This downloads a "keyring" from Hashicorp and puts it into the file defined by the last part of the command (the pipe key "|" takes ouput of statement before and uses it as the input for the statement after)

   4. gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

      • This verifies the keyring

   5. echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

      • This writes the string in the quotes to the file after the pipe key ("|"). The string is a command to use the "deb" package manager to download a repo from the https url. The package is signed by the key ring you downloaded earlier. "$lsb_release -cs" prints the version of Ubuntu of your system.

   6. sudo apt update && sudo apt install vault

      • This installs Vault using the apt package manager

   7. Check installation with vault and vault --version

2. Download and unzip EthSigner

   1. sudo apt-get install openjdk-17-jdk

      • Installs Java 17 (must use Java 17, not Java 11); 500MB

   2. download ethsigner.tar.gz file (.tar.gz is like a .zip file) in link:

      • https://cloudsmith.io/~consensys/repos/ethsigner/packages/?q=tag%3Alatest

   3. cd into the folder where you want the folder extracted

   4. tar -xzvf filename.tar.gz

      • extracts the files into a folder called "ethsigner-23.6.0"

   5. check permissions of the ethsigner binary (a binary is an executable file)

      1. cd into "ethsigner-23.6.0" folder, cd into "bin" folder

      2. run ls, you should see the files "ethsigner" and "ethsigner.bat"

      3. run ls -l ./ethsigner, ensure you have "x" (executable) permissions. If not, then run chmod +x ./ethsigner

   6. check ethsigner binary works

      1. cd into "ethsigner-23.6.0" folder

      2. ./bin/ethsigner --help

3. Run a Vault dev server in tmux

   1. Create new tmux window called "vault" with tmux new -s vault

   2. vault server -dev

      • You should see the "Unseal Key" and "Root Token"

      • copy the "Root Token" to a temporary place (we will use it later)

   3. Leave tmux window with ctrl + b, then d

   4. Set env vars:

      1. export VAULT_ADDR='http://127.0.0.1:8200'

      2. export VAULT_TOKEN="hvs.6j4cuewowBGit65rheNoceI7"

         • replace string with your token

         • check env vars with env

         • TODO: Later, in the Authentication tutorial, you will learn to use the vault login <token_value> command to authenticate with Vault

      3. save Root Token into "authFile" file in ethsigner-23.6.0/bin folder

         1. cd into "ethsigner-23.6.0" folder, cd into "bin" folder

         2. touch authFile

         3. vim authFile

            1. press "i" to go into "insert mode"

            2. copy Root Token string into first line

            3. ctrl + c to quit "insert" mode, then write/quite with :wq

            4. check authFile by reading it with cat authFile

   5. Check if Vault server running with vault status

   6. Import private key into HashiCorp Vault

      1. vault kv put secret/ethsignerSigningKey value=<privateKeyWithout0x>

4. Run EthSigner server in tmux

   1. cd into "ethsigner-23.6.0" folder

   2. create new tmux window called "ethsigner" with tmux new -s ethsigner

   3. ./bin/ethsigner --chain-id=137 --downstream-http-port=443 hashicorp-signer --host=127.0.0.1 --port=8200 --auth-file=./bin/authFile --tls-enabled=false --signing-key-path=/v1/secret/data/ethsignerSigningKey

   4. Leave tmux window with ctrl + b, then d

   5. Check EthSigner server is running

      1. test1: curl -X GET http://127.0.0.1:8545/upcheck

         • Success should show "I'm up!"

      2. test2: curl -X POST --data '{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}' http://127.0.0.1:8545

         • Success should show your address

5. Seal the Vault with vault operator seal

   • Success shows: "Success! Vault is sealed."

   • With the Vault sealed, you cannot access secrets with vault kv get

   • Unseal Vault with vault operator unseal and enter the single Unseal Key

     • An unsealed Vault is needed to import secrets and initialize EthSigner

6. (if needed) run the NodeJS App (see Local Server)

7. View all running servers with tmux ls

Test

Send a Trading View alert or mimic one using sendAlert.js. If you already set up Ngrok, use the Ngrok URL as the webhook URL. If not, your NodeJS App should be listening on http://localhost:8080/. If using the "localhost" URL, you must run node sendAlert.js on the same machine.

A successful test should show transaction details the the swap hash in the console.