Vault Install

This guide documents the process of installing and configuring HashiCorp Vault on Ubuntu 24.04 to manage secrets and other sensitive data. It describes a single-node lab setup (file storage backend, Shamir unseal), not a highly available or production-hardened deployment.

System

# System version
ubuntu@vault:~$ uname -a
Linux vault 6.8.0-86-generic #87-Ubuntu SMP PREEMPT_DYNAMIC Mon Sep 22 18:03:36 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@vault:~$
ubuntu@vault:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
ubuntu@vault:~$

Install

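# Install Vault from the HashiCorp APT repository
sudo apt update && sudo apt upgrade -y
# Fetch the repository signing key over HTTPS into a dedicated keyring.
# The signed-by option below pins this repository to that key only, instead of
# adding it to the system-wide trusted keys.
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Verify the key before trusting it: the fingerprint printed here must match the
# one HashiCorp publishes for its APT signing key.
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
# Register the repository for this architecture and Ubuntu release
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault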
# verify version
ubuntu@vault:~$ vault --version
Vault v1.21.0 (818ca8b3575ea937ca48b640baf35e1b2ede1833), built 2025-10-21T19:33:18Z
ubuntu@vault:~$

Configuration

# vault configuration file (largely the packaged default: file storage backend, HTTPS listener enabled, api_addr set)
cat /etc/vault.d/vault.hcl
# Copyright IBM Corp. 2016, 2025
# SPDX-License-Identifier: BUSL-1.1

# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration

ui = true

# Memory locking: Vault locks its memory (mlock) by default so that secrets are not
# swapped to disk. Leave the defaults unless mlock is unavailable on the host;
# disable_mlock = true gives up that protection.
#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener (plaintext, tls_disable = 1). Kept disabled on purpose: with it
# enabled, tokens and secrets would cross the network unencrypted. The HTTPS
# listener below is the one in use.
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener. 0.0.0.0 binds every interface, so restrict TCP/8200 at the host
# firewall or network level if only the lab network should reach the API.
# The cert/key paths are the ones populated in the Certificates section below.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# API address for cluster communication
api_addr = "https://vault.uclab8.net:8200"

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal (placeholder values). Avoid keeping a real HSM PIN in this
# file; the pkcs11 seal also accepts it from the VAULT_HSM_PIN environment variable.
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}
# enable and start the vault service (needs root; run with sudo like the earlier steps)
systemctl enable --now vault.service

Status

# verify service status
ubuntu@vault:~$ systemctl status vault.service
● vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/usr/lib/systemd/system/vault.service; enabled; preset: enabled)
     Active: active (running) since Sat 2025-10-25 11:01:03 UTC; 1 week 1 day ago
       Docs: https://developer.hashicorp.com/vault/docs
   Main PID: 2142 (vault)
      Tasks: 9 (limit: 7065)
     Memory: 98.5M (peak: 99.2M)
        CPU: 1h 56min 41.603s
     CGroup: /system.slice/vault.service
             └─2142 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Certificates

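# Issue a certificate for the Vault hostname using a manual DNS-01 challenge:
# certbot prints a TXT record to publish and waits. Because the challenge is manual,
# certbot cannot renew this certificate unattended, so the copy/permission/reload
# steps below must be repeated at every renewal (or switch to a DNS plugin and a
# --deploy-hook that performs them).
sudo certbot certonly --preferred-challenges=dns --manual -d vault.uclab8.net
# Copy chain and key to the paths referenced by the listener in vault.hcl.
# The live/ entries are symlinks into archive/; cp follows them and copies the contents.
sudo cp /etc/letsencrypt/live/vault.uclab8.net/fullchain.pem /opt/vault/tls/tls.crt
sudo cp /etc/letsencrypt/live/vault.uclab8.net/privkey.pem /opt/vault/tls/tls.key

# Vault runs as the vault user and must read both files; the private key must not
# be readable by anyone else.
sudo chown vault:vault /opt/vault/tls/tls.crt /opt/vault/tls/tls.key
sudo chmod 600 /opt/vault/tls/tls.crt /opt/vault/tls/tls.key

# Point the CLI at the HTTPS API; append only if the line is not already present
grep -qxF 'export VAULT_ADDR="https://vault.uclab8.net:8200"' ~/.bashrc || echo 'export VAULT_ADDR="https://vault.uclab8.net:8200"' >> ~/.bashrc

# Reload rather than restart: the packaged unit's reload sends SIGHUP, which makes
# Vault re-read the listener certificate and key. A restart seals a Shamir-sealed
# Vault and requires `vault operator unseal` again — harmless before initialization,
# but not something you want on every renewal. If the service is not running yet,
# use `sudo systemctl start vault` instead.
sudo systemctl reload vault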

Initialize vault

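# Initialize and configure Vault (VAULT_ADDR must point at the HTTPS API, see above).
# `init` prints the unseal key shares and the initial root token exactly once:
# store them offline (ideally distributed among several operators); they cannot
# be recovered later.
vault operator init
# Repeat until the threshold is reached (default 3 of 5 shares); also required
# after every restart of the service.
vault operator unseal
# Log in with the initial root token for the bootstrap steps below
vault login
vault secrets enable -path=apps kv-v2
vault auth enable userpass
# Policy for the apps/ KV v2 mount: full CRUD on secret data, list/read/delete
# on metadata. (Version-level operations such as destroy/undelete are not granted.)
cat <<'EOF' | vault policy write apps-manager -
# Allow full access to apps/ path (KV v2)
path "apps/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "apps/metadata/*" {
capabilities = ["list", "read", "delete"]
}
path "apps/*" {
capabilities = ["list"]
}
EOF
# Create the user. The password is read from stdin ("password=-") so it does not
# end up in shell history or in the process list; prompt for it without echo first.
read -rsp 'Password for affragak: ' VAULT_USER_PW; echo
printf '%s' "$VAULT_USER_PW" | vault write auth/userpass/users/affragak password=- policies=apps-manager
unset VAULT_USER_PW
# Once a non-root login works, revoke the initial root token (`vault token revoke -self`
# while logged in as root); a new one can be generated later with `vault operator generate-root`.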

Login

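# Log in as the userpass user. Omit "password=" so the CLI prompts for it
# instead of recording it in shell history and exposing it in the process list.
vault login -method=userpass \
username=affragak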
