Install Steps
- Install Podman
- Download Install Script
- Run Install Script
- Start VPK Service
Install Commands
Install Podman
If you already installed Podman while completing the prerequisites, skip to "Download and Execute Setup Script".
```bash
# Podman
yum install podman
```
Create an alias to align Docker and Podman commands
Follow the steps below to add the alias and reload your .bashrc file.
- Run the following command to add the alias to your .bashrc file:
```bash
printf "\nalias docker=podman\n" >> ~/.bashrc
```
- Reload your bash config:
```bash
source ~/.bashrc
```
Download and Execute Setup Script
Shell Commands
```bash
mkdir /var/virtru
mkdir /var/virtru/scripts
cd /var/virtru/scripts
curl -s https://raw.githubusercontent.com/virtru/cks-setup-script/main/download.sh -o download.sh
bash ./download.sh
bash ./cks-setup-scripts/setup-cks-latest.sh
```
Warning: If SELinux is in use please reference this article.
Offline Install
To run the installer in offline mode, first follow the prerequisites listed here. Then execute:
```bash
bash ./setup-cks-latest.sh -o true
```
Recommended
The installer creates all appropriate directories. The recommended install root directory is /var/virtru/cks/.
VPK Domain Selection
During the install, enter the VPK URL of your choice. The installer creates a self-signed TLS certificate for transport security based on the domain given.
Support URL and Email
Enter your support email address, as well as the primary support domain for your organization. Virtru logs this information so that our Technical Support team can use it if errors are generated.
Virtru Organization ID
Enter your Virtru Org ID provided by your Virtru representative. This will allow for JWT authentication to be set up with your new VPK server.
HMAC Authentication
You will be prompted to use HMAC auth:
- Select yes to leverage HMAC token authentication
Self Signed Certificate Creation
In the next section, the script prompts for certificate request information. This information is needed to create the self-signed certificate that your VPK server uses as a placeholder. The certificate is written to the /var/virtru/cks/ssl directory once the setup wizard completes; once it has, we recommend replacing the self-signed certificate with a valid CA-signed TLS certificate.
Note:
To prevent decryption errors, the order of cert chain in the .crt file must be formatted correctly. The certificate for your VPK FQDN must come before the intermediate and/or root certificates within the .crt file.
VPK Re-Wrap Keys (RSA key pair)
Once complete, the installer will generate your RSA Key Pair and then output key information for your install. Please take the time to ensure all fields are correctly filled out.
Post Install
Once completed, the setup script will have created the following:
- The environment variables for the Virtru Private Keystore and its companion containers
- tokens.json file that defines the HMAC token used to authenticate between Virtru and your VPK service. It is also automatically loaded into the environment variables in env/cks.env
- run.sh file to run the deployment
- RSA Key Pair
- In the cks/keys directory, verify that rsa001.pem and rsa001.pub have 644 permissions applied:
```bash
chmod 644 rsa001.pem
chmod 644 rsa001.pub
```
- Replace the self-signed certificate with a valid CA-signed TLS certificate in the /var/virtru/cks/ssl directory
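The key permissions above and the certificate chain order from the note on decryption errors are both easy to get wrong without any visible failure at install time, so here is an added post-install check script (example code written for this page, not one of Virtru's own setup scripts). It assumes the install root /var/virtru/cks and the key names rsa001.pem and rsa001.pub from the page, treats every .crt file in the ssl directory as a chain bundle, and takes the VPK hostname from VPK_FQDN (the default vpk.example.com is a placeholder). It verifies the 644 mode on both keys, flags env/cks.env if it is world-readable (it carries the HMAC token), and for each bundle checks that the first certificate names the VPK FQDN and that every following certificate is the issuer of the one before it, which is exactly the order the note requires.

```bash
#!/usr/bin/env bash
# Post-install checks for a VPK install root (added example; not one of Virtru's own scripts).
# Assumptions: install root /var/virtru/cks and key names rsa001.pem / rsa001.pub as on the
# page; every *.crt in the ssl directory is a chain bundle; VPK_FQDN is the hostname entered
# during the install (the default below is a placeholder).
set -u

CKS_ROOT="${CKS_ROOT:-/var/virtru/cks}"
VPK_FQDN="${VPK_FQDN:-vpk.example.com}"   # placeholder: set to your real VPK hostname

# file_mode FILE -> prints the octal permission mode (GNU stat first, BSD stat as fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode FILE OCTAL -> 0 when FILE exists with exactly that permission mode
check_mode() {
  local file="$1" want="$2" have
  [ -f "$file" ] || { echo "MISSING   $file"; return 1; }
  have=$(file_mode "$file")
  if [ "$have" = "$want" ]; then
    echo "OK        $file (mode $have)"
  else
    echo "BAD MODE  $file is $have, expected $want"; return 1
  fi
}

# check_chain_order BUNDLE FQDN -> 0 when the first certificate in BUNDLE is the one issued
# for FQDN (CN or DNS SAN) and each following certificate is the issuer of the one before it.
# A bundle that starts with the root or an intermediate fails, which is the case the page's
# note on decryption errors warns about.
check_chain_order() {
  local bundle="$1" fqdn="$2" tmp i subj prev_issuer rc=0
  [ -f "$bundle" ] || { echo "MISSING   $bundle"; return 1; }
  tmp=$(mktemp -d)
  # split the PEM bundle into cert-0.pem, cert-1.pem, ... preserving file order
  awk -v d="$tmp" '
    BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { f = d "/cert-" n ".pem"; n++; inc = 1 }
    inc { print > f }
    /-----END CERTIFICATE-----/   { inc = 0; close(f) }' "$bundle"
  if [ ! -f "$tmp/cert-0.pem" ]; then
    echo "NO CERTS  $bundle"; rm -rf "$tmp"; return 1
  fi
  # the leaf must come first: its subject CN or a DNS SAN has to name the VPK host
  if openssl x509 -in "$tmp/cert-0.pem" -noout -text | grep -qE "(CN ?= ?|DNS:)$fqdn"; then
    echo "OK        first cert in $bundle is for $fqdn"
  else
    echo "BAD ORDER first cert in $bundle is not for $fqdn (root or intermediate first?)"; rc=1
  fi
  # each later cert must be the issuer of the previous one ("subject="/"issuer=" prefixes
  # are stripped so old and new openssl output formats compare the same way)
  prev_issuer=$(openssl x509 -in "$tmp/cert-0.pem" -noout -issuer)
  i=1
  while [ -f "$tmp/cert-$i.pem" ]; do
    subj=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject)
    if [ "${subj#subject=}" != "${prev_issuer#issuer=}" ]; then
      echo "BAD ORDER cert $i in $bundle did not issue cert $((i-1))"; rc=1
    fi
    prev_issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
    i=$((i+1))
  done
  rm -rf "$tmp"
  return $rc
}

# run_all_checks -> 0 only when every check passes
run_all_checks() {
  local rc=0 crt
  check_mode "$CKS_ROOT/keys/rsa001.pem" 644 || rc=1
  check_mode "$CKS_ROOT/keys/rsa001.pub" 644 || rc=1
  if [ -f "$CKS_ROOT/env/cks.env" ]; then
    # the env file carries the HMAC token, so world-readable is worth flagging (advisory only)
    case $(file_mode "$CKS_ROOT/env/cks.env") in
      *[4567]) echo "WARN      $CKS_ROOT/env/cks.env is world-readable" ;;
    esac
  fi
  for crt in "$CKS_ROOT"/ssl/*.crt; do
    [ -e "$crt" ] || { echo "MISSING   no .crt bundle in $CKS_ROOT/ssl"; rc=1; break; }
    check_chain_order "$crt" "$VPK_FQDN" || rc=1
  done
  return $rc
}

if [ "${1:-}" = "--run" ]; then run_all_checks; fi
```

Run it as `VPK_FQDN=<your VPK hostname> bash vpk-postinstall-check.sh --run` (the file name is whatever you save it as); a nonzero exit means at least one check failed, and a bundle with the root certificate first is reported as BAD ORDER on both the first-certificate and issuer checks.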
Email send_to_virtru.tar.gz to Virtru
Please click here for detailed steps on downloading the send_to_virtru.tar.gz file.
Once the script has completed successfully, a file, send_to_virtru.tar.gz will be in your /var/virtru/cks/ directory. This file will contain the required information so that Virtru can communicate with your VPK appliance.
Send the file via Secure Share to the deployment team:
Enable your VPK Server
- Navigate to the scripts folder, open the setup script in Vim, nano or any editor of your choice, and replace the 'docker' commands with 'podman':
```bash
cd /var/virtru/scripts
vim run.sh
```
- Add the bolded text (the --log-opt line, which sets the file path of the container log) to your existing run.sh file. For the latest VPK version, use the following 'podman run' command to deploy a VPK container:
```bash
podman run \
  --name Virtru_CKS \
  --interactive --tty --detach \
  --env-file /var/virtru/cks/env/cks.env \
  -v /var/virtru/cks/keys/:/app/keys \
  -v /var/virtru/cks/ssl/:/app/ssl \
  -p 443:9000 \
  --restart unless-stopped \
  --log-opt path=/var/log/Virtru_CKS.log \
  containers.virtru.com/cks:<latestCKSVersion>
```
- Run the setup script to create the container:
```bash
sh run.sh
```
Example Directory
Validate your VPK Server
Check that your VPK container started successfully with the command below:
```bash
podman ps -a
```
View the logs from the container to ensure the process started successfully:
```bash
podman logs <containerID> -f
```
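The two commands above are the manual version of the check; the script below turns them into something you can run after every restart or re-deploy. It is an added example written for this page, not one of Virtru's scripts, and it assumes the container name Virtru_CKS, the restart policy unless-stopped and the log path /var/log/Virtru_CKS.log from the 'podman run' command above, that podman and openssl are on PATH, and that VPK_FQDN is the hostname entered at install (vpk.example.com is a placeholder). The error/fatal scan of the log is a generic heuristic, since the page does not document the log format.

```bash
#!/usr/bin/env bash
# Post-start checks for the VPK container (added example; not one of Virtru's own scripts).
# Assumes the container name, restart policy and log path from the page's 'podman run'
# command, podman and openssl on PATH, and VPK_FQDN set to the hostname entered at install
# (vpk.example.com below is a placeholder).
set -u

CONTAINER="${CONTAINER:-Virtru_CKS}"
LOG_FILE="${LOG_FILE:-/var/log/Virtru_CKS.log}"
VPK_FQDN="${VPK_FQDN:-vpk.example.com}"

# container_running NAME -> 0 when podman reports the container's state as "running"
container_running() {
  local state
  state=$(podman inspect --format '{{.State.Status}}' "$1" 2>/dev/null) || return 1
  [ "$state" = "running" ]
}

# restart_policy_is NAME POLICY -> 0 when the container was created with that restart policy
# (run.sh uses unless-stopped so the service comes back after a host reboot)
restart_policy_is() {
  local policy
  policy=$(podman inspect --format '{{.HostConfig.RestartPolicy.Name}}' "$1" 2>/dev/null) || return 1
  [ "$policy" = "$2" ]
}

# log_has_no_errors FILE -> 0 when the log exists, has content and no line mentions error/fatal
# (heuristic: the page does not document the log format)
log_has_no_errors() {
  [ -s "$1" ] || return 1
  ! grep -qiE '(^|[^a-z])(error|fatal)([^a-z]|$)' "$1"
}

# tls_serves_fqdn HOST FQDN -> 0 when the TLS listener on HOST:443 presents a leaf certificate
# naming FQDN (CN or DNS SAN); this should pass both with the self-signed placeholder and
# after the CA-signed certificate replaces it
tls_serves_fqdn() {
  echo | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null | grep -qE "(CN ?= ?|DNS:)$2"
}

# validate_vpk -> 0 only when every check passes
validate_vpk() {
  local rc=0
  if container_running "$CONTAINER"; then echo "OK   $CONTAINER is running"
  else echo "FAIL $CONTAINER is not running (see: podman ps -a; podman logs $CONTAINER)"; rc=1; fi
  if restart_policy_is "$CONTAINER" unless-stopped; then echo "OK   restart policy is unless-stopped"
  else echo "FAIL restart policy is not unless-stopped"; rc=1; fi
  if log_has_no_errors "$LOG_FILE"; then echo "OK   $LOG_FILE has no error/fatal lines"
  else echo "FAIL $LOG_FILE is missing, empty or reports errors"; rc=1; fi
  if tls_serves_fqdn 127.0.0.1 "$VPK_FQDN"; then echo "OK   TLS on :443 presents a certificate for $VPK_FQDN"
  else echo "FAIL TLS on :443 does not present a certificate for $VPK_FQDN"; rc=1; fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then validate_vpk; fi
```

Run it on the VPK host as `VPK_FQDN=<your VPK hostname> bash vpk-validate.sh --run` (any file name works); each check prints OK or FAIL and the exit status is nonzero if any check failed, which makes it usable from a cron job or a monitoring agent.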
Additional VPK Servers
If you are installing VPK on multiple instances for a Highly-Available configuration, follow the instructions found here: Virtru Private Keystore (for Virtru Solutions): Install - Additional Instance, Linux Server