How to Install and Configure HashiCorp Vault on Linux (Ubuntu)

HashiCorp Vault is a popular tool for securely storing and accessing secrets. Whether you’re managing database credentials, API keys, or encryption keys, Vault provides a unified interface to access secrets across different environments. In this blog, we'll walk through the process of installing HashiCorp Vault on an Ubuntu server.

Prerequisites

Before you begin, ensure the following:

  • A Linux server running Ubuntu (we’ll use Ubuntu 22.04 for this guide).

  • Root or sudo privileges on the system.

  • Basic familiarity with the Linux command line.

Step 1: Install HashiCorp Vault

The first step in installing Vault is to add the official HashiCorp repository to your system.

  1. Update the System Packages
    Run the following command to update the system’s package list:

     sudo apt update
    
  2. Install Dependencies
    You'll need curl and gnupg to download HashiCorp's signing key and verify the repository packages. Install them by running:

     sudo apt install -y curl gnupg
    
  3. Add the HashiCorp GPG Key
    To verify the packages' authenticity, you'll need to add HashiCorp’s GPG key:

     curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    
  4. Add the HashiCorp APT Repository
    Now, add the HashiCorp repository to your system:

     echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
    
  5. Install HashiCorp Vault
    After adding the repository, update your local package database and install Vault:

     sudo apt update
     sudo apt install vault
    

Step 2: Verify the Installation

Once Vault is installed, you can verify the installation by checking the version:

vault -v

This should display the version of Vault installed on your system.

Step 3: Configure Vault

Vault can be configured in various ways, but for this guide, we'll use a simple file-based storage backend.

  1. Create the Vault Configuration File
    Create a configuration file for Vault at /etc/vault.d/vault.hcl using your preferred text editor:

     sudo nano /etc/vault.d/vault.hcl
    

    Add the following configuration:

     # Enable the default storage backend (File Storage)
     storage "file" {
       path = "/opt/vault/data"
     }
    
     # Enable the default listener (TCP listener)
     listener "tcp" {
       address = "0.0.0.0:8200"
       tls_disable = 1
     }
    
     # Enable the default API address (optional, for HTTP-based access)
     api_addr = "http://127.0.0.1:8200"
    

    This configuration uses file storage and listens on TCP port 8200 on all interfaces. TLS is disabled in this example for simplicity; in production, it’s recommended to use HTTPS.

  2. Create the Vault Data Directory
    Ensure that Vault has the proper directory for storing its data:

     sudo mkdir -p /opt/vault/data
     sudo chown vault:vault /opt/vault/data
    

Step 4: Start Vault as a Service

Now that Vault is configured, you can start it as a background service.

  1. Reload systemd
    Reload systemd to recognize the new Vault service configuration:

     sudo systemctl daemon-reload
    
  2. Start the Vault Service
    Start the Vault service and enable it to start on boot:

     sudo systemctl start vault
     sudo systemctl enable vault
    
  3. Check Vault Status
    Verify that Vault is running using the following command:

     sudo systemctl status vault
    

    You should see a message indicating that Vault is active and running.

Step 5: Initialize Vault

Before you can start using Vault, you need to initialize it. This involves generating the initial set of keys and the root token.

  1. Set the Vault Address Environment Variable
    Set the VAULT_ADDR environment variable to the address of the Vault server:

     export VAULT_ADDR="http://127.0.0.1:8200"
    
  2. Initialize Vault
    Run the vault operator init command to initialize Vault. This will generate unseal keys and the root token:

     vault operator init
    

    This will output several unseal keys and a root token. Save these values somewhere secure, as you’ll need the unseal keys later to unseal Vault and the root token to log in.

Step 6: Unseal Vault

Vault is sealed after initialization and after every restart, meaning it is not yet operational. To unseal Vault, you need to provide at least 3 of the 5 unseal keys generated during initialization.

  1. Unseal Vault
    Use the following command to unseal Vault:

     vault operator unseal
    

    Enter one of the unseal keys when prompted. Repeat the command with two more keys until Vault is unsealed.

  2. Verify the Unseal Status
    You can check the seal status of Vault using the following command:

     vault status
    

    Once Vault is unsealed, it should show the status as Sealed: false.

Step 7: Access Vault

You can now start interacting with Vault. To log in as the root user, use the vault login command with the root token generated during initialization:

vault login <root_token>

You can now begin storing and managing secrets within Vault.

Step 8: Set Up Vault for Production (Optional)

For production deployments, you should:

  • Set up TLS encryption to secure communication between clients and Vault.

  • Use a high availability backend like Consul or AWS S3 instead of the default file storage.

  • Configure Access Control Policies (ACLs) to limit what users and applications can access within Vault.
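As an added example (not part of the original post), here is a small Python checker that parses the vault.hcl from Step 3 and reports the lab-only settings that Step 8 says to change for production; the hardened variant, including its Consul address, bind address and certificate paths, is constructed for illustration and assumes a flat HCL file with no nested blocks.

```python
import re

# Constructed copy of the vault.hcl shown in Step 3 (embedded, not read from disk).
LAB_HCL = '''
storage "file" {
  path = "/opt/vault/data"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
api_addr = "http://127.0.0.1:8200"
'''

# Constructed hardened variant; the Consul address, bind address and
# certificate paths are placeholders, not values from the tutorial.
PROD_HCL = '''
storage "consul" {
  address = "127.0.0.1:8500"
}
listener "tcp" {
  address       = "10.0.0.5:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}
api_addr = "https://10.0.0.5:8200"
'''

# Top-level blocks such as listener "tcp" { ... }; assumes no nested blocks.
BLOCK_RE = re.compile(r'(\w+)\s+"([^"]+)"\s*\{([^}]*)\}')
# key = value lines, with or without quotes around the value.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def parse_blocks(text):
    """Return [(block_type, label, {attr: value}), ...] in file order."""
    return [(kind, label, dict(ATTR_RE.findall(body)))
            for kind, label, body in BLOCK_RE.findall(text)]

def audit(text):
    """Flag settings the tutorial accepts for a lab but not for production."""
    findings = []
    for kind, label, attrs in parse_blocks(text):
        if kind == "storage" and label == "file":
            findings.append("storage: file backend is single-node; use an HA backend such as Consul")
        if kind == "listener":
            if attrs.get("tls_disable") in ("1", "true"):
                findings.append("listener: tls_disable set; tokens and secrets travel in cleartext")
            if attrs.get("address", "").startswith("0.0.0.0:"):
                findings.append("listener: bound to 0.0.0.0, reachable on every interface")
    return findings
```

Run audit() on the real /etc/vault.d/vault.hcl before promoting a server; an empty list means none of the three lab-only settings remain.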