Debug School

Cover image for Install Hashicorp Vault
Suyash Sambhare
Suyash Sambhare

Posted on

Install Hashicorp Vault

Deploy Vault

Unset the VAULT_TOKEN environment variable.

Enter fullscreen mode Exit fullscreen mode

Configuring Vault

Vault is configured using HCL files.

Create the Vault configuration in the file config.hcl.


storage "raft" {
  path    = "./vault/data"
  node_id = "node1"

listener "tcp" {
  address     = ""
  tls_disable = "true"

api_addr = ""
cluster_addr = ""
ui = true
Enter fullscreen mode Exit fullscreen mode

Vault Enterprise

Within the configuration file, there are two primary configurations:

  • storage - This is the physical backend that Vault uses for storage. Up to this point the dev server has used "inmem" (in memory), but the example above uses Integrated Storage (raft), a much more production-ready backend.

  • listener - One or more listeners determine how Vault listens for API requests. The example above listens on localhost port 8200 without TLS. In your environment set VAULT_ADDR= so the Vault client will connect without TLS.

    Insecure operation

    The listener stanza disables TLS (tls_disable = "true"). In production, Vault should always use TLS to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.

  • api_addr - Specifies the address to advertise to route client requests.

  • cluster_addr - Indicates the address and port to be used for communication between the Vault nodes in a cluster.

The ./vault/data directory that raft storage backend uses must exist.

$ mkdir -p ./vault/data
Enter fullscreen mode Exit fullscreen mode

Set the -config flag to point to the proper path where you saved the configuration above.

$ vault server -config=config.hcl

==> Vault server configuration:

             Api Address:
                     Cgo: disabled
         Cluster Address:
              Go Version: go1.16.2
              Listener 1: tcp (addr: "", cluster address: "", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
           Recovery Mode: false
                 Storage: raft (HA available)
                 Version: Vault v1.7.0
             Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f

==> Vault server started! Log data will stream in below:
Enter fullscreen mode Exit fullscreen mode

If you get a warning message about mlock not being supported, that is okay. However, for maximum security, you should run Vault on a system that supports mlock.

Vault outputs details about its configuration, and then blocks. This process should be run using a resource manager such as systemd or upstart.

On Linux, Vault may fail to start with the following error:

Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
Enter fullscreen mode Exit fullscreen mode


storage "raft" {
  path    = "./vault/data"
  node_id = "node1"

listener "tcp" {
  address     = ""
  tls_disable = "true"

disable_mlock = true

api_addr = ""
cluster_addr = ""
ui = true
Enter fullscreen mode Exit fullscreen mode

Initializing the Vault

Initialization is the process of configuring Vault. This only happens once when the server is started against a new backend that has never been used with Vault before. When running in HA mode, this happens once per cluster, not per server. During initialization, the encryption keys are generated, unseal keys are created, and the initial root token is created.

Launch a new terminal session, and set VAULT_ADDR environment variable.

$ export VAULT_ADDR=''
Enter fullscreen mode Exit fullscreen mode

To initialize Vault use vault operator init. This is an unauthenticated request, but it only works on brand-new Vaults without existing data:

$ vault operator init
Enter fullscreen mode Exit fullscreen mode

Example output:

Unseal Key 1: 4jYbl2CBIv6SpkKj6Hos9iD32k5RfGkLzlosrrq/JgOm
Unseal Key 2: B05G1DRtfYckFV5BbdBvXq0wkK5HFqB9g2jcDmNfTQiS
Unseal Key 3: Arig0N9rN9ezkTRo7qTB7gsIZDaonOcc53EHo83F5chA
Unseal Key 4: 0cZE0C/gEk3YHaKjIWxhyyfs8REhqkRW/CSXTnmTilv+
Unseal Key 5: fYhZOseRgzxmJCmIqUdxEm9C3jB5Q27AowER9w4FC2Ck

Initial Root Token: s.KkNJYWF5g0pomcCLEmDdOVCW

The vault was initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

The vault does not store the generated root key (previously known as the master key).
Without at least 3 keys to reconstruct the root key, the Vault will remain
permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal key shares. See "vault operator rekey" for more information.
Enter fullscreen mode Exit fullscreen mode

Initialization outputs two incredibly important pieces of information: the unseal keys and the initial root token. This is the only time ever that all of this data is known by Vault, and also the only time that the unseal keys should ever be so close together.

For this getting started tutorial, save all of these keys somewhere, and continue. In a real deployment scenario, you would never save these keys together. Instead, you would likely use Vault's PGP and support to encrypt each of these keys with the users' PGP keys. This prevents one single person from having all the unsealed keys. Please see the documentation on using PGP, GPG, and Keybase for more information.


Every initialized Vault server starts in the sealed state. From the configuration, Vault can access the physical storage, but it can't read any of it because it doesn't know how to decrypt it. The process of teaching Vault how to decrypt the data is known as unsealing the Vault.

Unsealing has to happen every time Vault starts. It can be done via the API and the command line. To unseal the Vault, you must have the threshold number of unseal keys. In the output above, notice that the "key threshold" is 3. This means that to unseal the Vault, you need 3 of the 5 keys that were generated.

The vault does not store any of the unsealed key shards. Vault uses an algorithm known as Shamir's Secret Sharing to split the root key into shards. Only with the threshold number of keys can it be reconstructed and your data finally accessed.

Begin unsealing the Vault:

$ vault operator unseal

Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       d3d06528-aafd-c63d-a93c-e63ddb34b2a9
Version            1.7.0
Storage Type       raft
HA Enabled         true
Enter fullscreen mode Exit fullscreen mode


After pasting in a valid key and confirming, you see that the Vault is still sealed, but progress is made. Vault knows it has 1 key out of 3. Due to the nature of the algorithm, Vault doesn't know if it has the correct key until the threshold is reached.

Also, notice that the unseal process is stateful. You can go to another computer, use vault operator unseal, and as long as it's pointing to the same server, that other computer can continue the unsealing process. This is incredibly important to the design of the unseal process: multiple people with multiple keys are required to unseal the Vault. The Vault can be unsealed from multiple computers and the keys should never be together. A single malicious operator does not have enough keys to be malicious.

Continue with vault operator unseal to complete unsealing the Vault. To unseal the vault you must use three different unseal keys, the same key repeated will not work.

$ vault operator unseal

Unseal Key (will be hidden):
# ...
Enter fullscreen mode Exit fullscreen mode

As you use keys, as long as they are correct, you should soon see output like this:

Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.7.0
Storage Type            raft
Cluster Name            vault-cluster-0ba62cae
Cluster ID              7d49e5fd-a1a4-c1d1-55e2-7962e43006a1
HA Enabled              true
HA Cluster              n/a
HA Mode                 standby
Active Node Address     <none>
Raft Committed Index    24
Raft Applied Index      24
Enter fullscreen mode Exit fullscreen mode

When the value for Sealed changes to false, the Vault is unsealed.

Feel free to play around with entering invalid keys, keys in different orders, etc. to understand the unsealing process.

Finally, authenticate as the initial root token (it was included in the output with the unseal keys).

$ vault login
Token (will be hidden):
Enter fullscreen mode Exit fullscreen mode

Enter the token value when prompted.

Example output:

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.spAZOi7SlpdFTNed50sYYCIU
token_accessor       OevFmMXjbmOCQ8rSubY84vVp
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
Enter fullscreen mode Exit fullscreen mode

As a root user, you can reseal the Vault with the vault operator seal. A single operator is allowed to do this. This lets a single operator lock down the Vault in an emergency without consulting other operators.

When the Vault is sealed again, it clears all of its state (including the encryption key) from memory. The Vault is secure and locked down from access.

Clean up

Before continuing on to the Using the HTTP APIs with Authentication tutorial, press Ctrl+C to stop the server.

Or, kill the Vault process from a command.

$ pgrep -f vault | xargs kill
Enter fullscreen mode Exit fullscreen mode

Delete the /vault/data directory which stores the encrypted Vault data.

$ rm -r ./vault/data
Enter fullscreen mode Exit fullscreen mode


Top comments (0)