HashiCorp Vault, keeping things secret – Part 1: install and configure Vault

Hello folks

Today I am going to talk about a great tool from HashiCorp called Vault (https://www.vaultproject.io). This piece of software is, in my opinion, an essential part of our DevOps toolkit. It allows you to safely store, and dynamically generate, secrets for your infrastructure. The main use case for me has been setting passwords in Terraform templates without exposing the password itself in clear text, but what I am talking about here is how to install it and get it up and running on your Linux server; I will also provide a Dockerfile you can use to spin up a container and play around with Vault.

So let’s get our hands dirty

1 – Download the binary from https://www.vaultproject.io/downloads.html; you will see links for macOS, Linux, BSD etc., so choose the one for your platform. For example:

#wget https://releases.hashicorp.com/vault/0.8.1/vault_0.8.1_linux_amd64.zip

2 – Uncompress the archive and copy the binary into a directory in $PATH

#unzip vault_0.8.1_linux_amd64.zip ; cp vault /usr/local/bin

3 – Test that you can execute vault.

#vault -v

This should return something like

#vault -v
Vault v0.8.1 ('8d76a41854608c547a233f2e6292ae5355154695')

Of course your values could be different, as newer versions are released. You should also do the same thing on your workstation, as the same binary is used for the client too. So download it to your computer, expand the zip file and copy it to a location of your choice (as long as that location is in $PATH).
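Steps 1 to 3 above can be scripted, and the one thing worth adding when you do is a checksum check: HashiCorp publishes a vault_<version>_SHA256SUMS file next to every release zip, so a script can refuse to unpack a download that does not match it. The script below is an added example, not code from the original post or from HashiCorp; it assumes the release layout at https://releases.hashicorp.com/vault/<version>/ and that sha256sum (or shasum on BSD/macOS), unzip and wget are installed. The install_vault function needs network access and only runs when RUN_INSTALL is set, so the verification function can be exercised on its own.

```shell
#!/bin/sh
# Added example (not from the original post): install a Vault release and
# verify the zip against HashiCorp's published SHA256SUMS file before
# unpacking it. Assumes the release layout used at
# https://releases.hashicorp.com/vault/<version>/ (zip + <name>_SHA256SUMS).
set -u

# SHA-256 of a file, portable across coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Succeed only if the hash listed for the zip's basename in the SHA256SUMS
# file matches the file on disk; fail if the entry is missing or differs.
# SHA256SUMS lines look like "<hex digest>  <file name>", so $2 is the name.
verify_release_checksum() {
  zip="$1"; sums="$2"
  name=$(basename "$zip")
  expected=$(awk -v n="$name" '$2 == n {print $1}' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$zip")
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum OK for $name"
}

# Download the zip and SHA256SUMS for a version, verify, and install the
# binary into $dest (default /usr/local/bin). Needs network access.
install_vault() {
  version="$1"; dest="${2:-/usr/local/bin}"
  base="https://releases.hashicorp.com/vault/$version"
  zip="vault_${version}_linux_amd64.zip"
  sums="vault_${version}_SHA256SUMS"
  workdir=$(mktemp -d)
  wget -q -P "$workdir" "$base/$zip" "$base/$sums" || return 1
  verify_release_checksum "$workdir/$zip" "$workdir/$sums" || return 1
  unzip -q -o "$workdir/$zip" -d "$workdir"
  install -m 0755 "$workdir/vault" "$dest/vault"
  rm -rf "$workdir"
  "$dest/vault" -v
}

# Example invocation, only when explicitly requested:
#   RUN_INSTALL=1 VAULT_VERSION=0.8.1 sh install-vault.sh
if [ -n "${RUN_INSTALL:-}" ]; then
  install_vault "${VAULT_VERSION:-0.8.1}"
fi
```

The checksum file itself is fetched over HTTPS from the same host as the zip, so this catches a corrupted or substituted download but not a compromised release server; HashiCorp also publishes a detached GPG signature (vault_<version>_SHA256SUMS.sig) that gpg --verify can check against their release key if you want that extra step.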

So, now we have Vault in place and we can start the server, which is done with the command

#vault server -config <PATH_TO_CONFIG_FILE>

The output will look something like

==> Vault server configuration:

Cgo: disabled
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: true
Storage: file
Version: Vault v0.8.1
Version Sha: 8d76a41854608c547a233f2e6292ae5355154695

==> Vault server started! Log data will stream in below:

Please make sure your firewall allows TCP ports 8200 and 8201 to this server.
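For reference, here is a configuration file that produces the startup banner above (file storage, one TCP listener on 8200/8201, TLS disabled, mlock enabled). It is an added example written for this post, not the config file from the author's repo, and it assumes the Vault 0.8 config syntax (storage and listener stanzas) and a data directory of /var/lib/vault/data. The second listener shows the same stanza with TLS enabled, which is the form you want for anything that is not a throwaway lab: with tls_disable = 1 the root token and every secret travel over plain HTTP.

```hcl
# vault.hcl (added example, not the author's file). Matches the banner above:
# storage "file", listener on 0.0.0.0:8200, cluster port 8201, TLS disabled.
storage "file" {
  path = "/var/lib/vault/data"   # assumed data directory; must be writable by the vault user
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1              # lab only: clients talk plain HTTP to the server
}

# The same listener with TLS on, which is what you want outside a lab.
# Replace the listener above with this one and point the paths at your cert/key
# (placeholder paths, assumed to exist).
# listener "tcp" {
#   address         = "0.0.0.0:8200"
#   cluster_address = "0.0.0.0:8201"
#   tls_disable     = 0
#   tls_cert_file   = "/etc/vault/tls/vault.crt"
#   tls_key_file    = "/etc/vault/tls/vault.key"
# }

# Keep mlock enabled (the banner shows "enabled: true") so the master key and
# unsealed data are never swapped to disk. When vault runs as a non-root user
# this needs the IPC_LOCK capability: setcap cap_ipc_lock=+ep /usr/local/bin/vault
# (and --cap-add IPC_LOCK for a Docker container). Do not set disable_mlock = true
# just to make the warning go away.
```

Start it with vault server -config /path/to/vault.hcl as shown above; with the TLS listener in place the client needs VAULT_ADDR to use https:// and, for a self-signed certificate, VAULT_CACERT pointing at the CA file.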

If you want to use Vault inside a Docker container you can check out this git repo, as it contains a Dockerfile and an example configuration file for Vault.

https://github.com/ruimoreira/blogexamples

OK, so now we have Vault running. Let's initialize it. I would advise you to execute this from your workstation, so first point the client at the server:

export VAULT_ADDR='http://<VAULT_SERVER_IP_ADDRESS>:8200'

Let's check that we can actually reach it

# vault status
Error checking seal status: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/seal-status
Code: 400. Errors:

* server is not yet initialized

So this tells us that we can indeed reach the server; however, it's not initialized.

So let’s do just that.

#vault init
#vault init
Unseal Key 1: IIeMHIGq+xmIDqXN7Q43Lt7nmi5sLvNad5NgUjOVPoiA
Unseal Key 2: phNTpSyjBqobHYeLVOfiaUHQ6iidw2/BowKnTb3HzaC4
Unseal Key 3: jJcuYrSiQRHv0TvD1/AVrHBpd2f6mjtjriGLa66A2O5b
Unseal Key 4: so5WqFp1nmXFeuLE4tUZiglCTEBP2gkc9/teNZNvVOmz
Unseal Key 5: hCNg3wwVfYY/x0A6TLVmvyKyutilr5qvhkiH4mUDHWXR
Initial Root Token: 880fde6a-f672-fe8e-50d0-2e51f566654a

As we can see, Vault has provided the unseal keys and the root token to authenticate with.

At this point you need to unseal the vault: three of the five keys must be provided, one at a time, using vault unseal.
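The init output above is the only copy of those keys you will ever get, and the point of issuing five shares with a threshold of three is that no single person holds enough to open the vault. The script below is an added example, not code from the original post: it parses output in the format shown above, writes each share to its own 0600 file so the files can go to different custodians, and then feeds keys to vault unseal until the server reports Sealed: false, stopping at the threshold rather than consuming all five. It assumes the Vault 0.8 CLI prints a "Sealed: true|false" line after each vault unseal, and VAULT_BIN is an assumed override so the unseal loop can be run against a stub.

```shell
#!/bin/sh
# Added example (not from the original post): split 'vault init' output into
# per-share files and unseal with the minimum number of keys.
# Assumptions: 'vault unseal' prints a "Sealed: true|false" line (Vault 0.8
# CLI); VAULT_BIN is an override used to point the loop at a stub for testing.
VAULT_BIN="${VAULT_BIN:-vault}"

# Print the unseal keys from saved init output, one per line, in share order.
extract_unseal_keys() {
  sed -n 's/^Unseal Key [0-9][0-9]*: *//p' "$1"
}

# Print the initial root token from saved init output.
extract_root_token() {
  sed -n 's/^Initial Root Token: *//p' "$1"
}

# Write share N to <dir>/unseal-key-N and the root token to <dir>/root-token,
# all created 0600 inside a 0700 directory. Prints the number of shares written.
# Each unseal-key-N file is meant to go to a different custodian; the root
# token should be revoked once real auth methods and policies are in place.
split_init_output() {
  init_out="$1"; dir="$2"
  old_umask=$(umask)
  umask 077
  mkdir -p "$dir"
  n=0
  for key in $(extract_unseal_keys "$init_out"); do   # keys are base64, no whitespace
    n=$((n + 1))
    printf '%s\n' "$key" > "$dir/unseal-key-$n"
  done
  extract_root_token "$init_out" > "$dir/root-token"
  umask "$old_umask"
  echo "$n"
}

# Feed keys to 'vault unseal' one at a time and stop as soon as the server
# reports Sealed: false. Returns 0 when unsealed, 1 if every key in the
# directory was used and the vault is still sealed (fewer shares than the
# threshold). Passing the key as an argument is visible in the process list
# for a moment; when unsealing by hand, run 'vault unseal' with no argument
# and type the key at the hidden prompt instead.
unseal_with_keys() {
  dir="$1"
  for keyfile in "$dir"/unseal-key-*; do
    out=$("$VAULT_BIN" unseal "$(cat "$keyfile")")
    if printf '%s\n' "$out" | grep -q '^Sealed: *false'; then
      return 0
    fi
  done
  return 1
}

# Usage (after saving the init output to a file):
#   split_init_output init-output.txt ~/vault-init
#   unseal_with_keys ~/vault-init     # uses unseal-key-1..3, leaves 4 and 5 untouched
```

After a successful unseal, the files under the share directory should be handed out and removed from the workstation; keeping all five shares together on one machine defeats the threshold.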

Hope you find this useful and hope to see you again soon.


Rui Moreira

PS: If you are using a Docker container to play around with Vault, then I would like to remind you to use the -p option to expose the port of the container you are running Vault on.

More information here