Vault

Table of contents
  1. Installation
    1. With Homebrew
    2. With Docker
  2. Server configuration file
    1. storage
    2. listener
    3. log level
    4. ttl (Time-To-Live)
    5. ui

Installation

With Homebrew

brew tap hashicorp/tap
brew install hashicorp/tap/vault

With Docker

The official Docker image is vault (HashiCorp now also publishes it as hashicorp/vault).

Three volumes can be mounted:

  • /vault/logs to persist logs
  • /vault/file to persist data when file is the storage backend for Vault
  • /vault/config for the Vault server configuration file

By default the container runs a development server (vault server -dev): in-memory storage, automatically unsealed, root token printed to stdout. That mode is for local experiments only.

The image's entrypoint treats the container command as a vault subcommand, so docker run vault <cmd> runs vault <cmd>.

If you do not wish to run in development mode, set the command to server; the entrypoint then runs vault server -config=/vault/config.

To keep secrets from leaking to disk through swap, Vault locks its memory with mlock. Run the container with --cap-add=IPC_LOCK so the entrypoint can grant the binary that capability.

If the entrypoint's setcap step fails in your environment, set the SKIP_SETCAP environment variable to a non-empty value to skip it. Outside development mode Vault then refuses to start unless you add disable_mlock = true to the configuration file; do that only if you accept that secrets may be written to swap (or disable swap on the host).

Place a configuration file (.hcl or .json) for the Vault server in /vault/config.

Vault reads every .hcl and .json file in that directory automatically.
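The whole Docker procedure above as one script, an added example that is not part of the original page or of HashiCorp's image documentation. It assumes a hypothetical host layout <base>/{logs,file,config} with a vault.hcl or .json already placed in <base>/config, prints the docker run command instead of executing it so it can be reviewed first, and refuses the two mistakes the text warns about: server mode with no config file, and SKIP_SETCAP without disable_mlock = true.

```shell
#!/bin/sh
# Added example, not from the original page or from HashiCorp's image docs:
# start the official image as a real server (not the default `vault server -dev`).
# Assumed layout (hypothetical): <base>/{logs,file,config} on the host, with a
# vault.hcl or .json already placed in <base>/config.
set -eu

# Create the three host directories that map to the image's volumes.
vault_prepare_dirs() {
    mkdir -p "$1/logs" "$1/file" "$1/config"
}

# Succeeds when <base>/config holds at least one .hcl or .json file.
have_config() {
    for f in "$1"/config/*.hcl "$1"/config/*.json; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Print the docker run command line instead of executing it.
# $1 = base dir, $2 = "server" (default) or "dev",
# $3 = host interface to publish 8200 on (default: loopback only).
# Set VAULT_SKIP_MLOCK=1 when the runtime cannot grant IPC_LOCK.
vault_docker_cmd() {
    base=$1
    mode=${2:-server}
    bind=${3:-127.0.0.1}

    if [ "$mode" = server ] && ! have_config "$base"; then
        echo "no .hcl/.json in $base/config; server mode runs -config=/vault/config" >&2
        return 1
    fi

    cmd="docker run --rm --name vault"
    if [ "${VAULT_SKIP_MLOCK:-}" ]; then
        # Entrypoint skips setcap; a non-dev server then refuses to start unless
        # the config disables mlock explicitly (secrets may reach swap).
        if [ "$mode" = server ] && ! grep -qsE 'disable_mlock"? *[:=] *true' \
            "$base"/config/*.hcl "$base"/config/*.json; then
            echo "VAULT_SKIP_MLOCK set but config lacks 'disable_mlock = true'" >&2
            return 1
        fi
        cmd="$cmd -e SKIP_SETCAP=1"
    else
        # Lets vault mlock() its memory so secrets never reach swap.
        cmd="$cmd --cap-add=IPC_LOCK"
    fi
    # Publish the API/UI port on one host interface only.
    cmd="$cmd -p $bind:8200:8200"
    cmd="$cmd -v $base/logs:/vault/logs -v $base/file:/vault/file -v $base/config:/vault/config"

    if [ "$mode" = server ]; then
        # The entrypoint expands this to: vault server -config=/vault/config
        cmd="$cmd vault server"
    else
        # Dev mode: in-memory storage, auto-unsealed, root token on stdout.
        cmd="$cmd vault"
    fi
    printf '%s\n' "$cmd"
}

# Usage: sh run-vault.sh /srv/vault [server|dev] [bind-address]
# Pipe the printed command to sh once it looks right.
if [ $# -gt 0 ]; then
    vault_prepare_dirs "$1"
    vault_docker_cmd "$@"
fi
```

The port is published on 127.0.0.1 by default; pass a different interface only when the listener in vault.hcl is bound to 0.0.0.0 and serves TLS.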


Server configuration file

You can use either HCL or JSON, but I will use HCL because I prefer its syntax.

The full set of options is documented in Vault's server configuration reference.

The following are the most basic settings needed to run a Vault server.

storage

The list of all storage backends is in the Vault storage backend reference.

The simplest storage backend is the filesystem. It is single-node only (no high availability), so it suits a lab or a single server, and it is the backend the Docker image's /vault/file volume exists for.

Example:

storage "file" {
  path = "/vault/file"
}

listener

listener configures where Vault should listen for API (and UI) requests.

The listener type used here is tcp.

listener "tcp" {
  # If you're using Docker and want to reach the web UI from the host,
  # use address = "0.0.0.0:8200" and publish the port only on trusted interfaces.
  address = "127.0.0.1:8200"
  # tls_disable is a string: "true" turns TLS off. You must set it explicitly
  # if you are not using TLS; leave it at "false" (the default) otherwise.
  tls_disable = "false"
  # With TLS enabled, point Vault at the certificate chain and private key.
  tls_cert_file = "..."
  tls_key_file  = "..."
}

Secure the listener with TLS (a certificate from Let's Encrypt or your internal CA) whenever Vault will receive requests from other hosts, which is the case for any production deployment: every request carries a token, and responses carry the secrets themselves.

log level

Specifies the log level.

# One of "trace", "debug", "info", "warn", "error"; "info" is the default.
log_level = "info"

ttl (Time-To-Live)

# Both are duration strings; Vault's default for each is "768h" (32 days).
max_lease_ttl     = "768h"
default_lease_ttl = "700h"

These set the default and maximum lease duration for tokens and secrets (the root token has no TTL and is not affected).

default_lease_ttl cannot be greater than max_lease_ttl; Vault rejects a configuration that violates this.

Both values are global defaults and can be overridden per mount later: each auth method and secrets engine can be tuned with its own default and maximum TTL (vault auth tune / vault secrets tune), and a token or lease can always be requested with a shorter TTL.

ui

# Boolean; the default is false.
ui = true

Set to true to enable the web UI. The UI is served on the same listener as the API, so it gets the same TLS and network exposure as the API.
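The storage, listener, ttl and ui sections above combined into one generated vault.hcl, as an added example that is not part of the original page or of Vault's own tooling. It writes the configuration from a few parameters and refuses the two misconfigurations this page warns about: a default_lease_ttl above max_lease_ttl, and tls_disable = "true" on a listener that is not loopback-only. The certificate paths under /vault/config and the output file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page or from HashiCorp: generate the
# server config discussed above (storage, listener, log_level, TTLs, ui) and
# refuse a default lease TTL above the maximum or a plaintext listener on a
# non-loopback address.  Certificate paths are hypothetical.
set -eu

# Convert a Vault duration string ("768h", "30m", "90s", "1d") to seconds.
ttl_seconds() {
    dur=$1
    num=${dur%?}
    unit=${dur#"$num"}
    case "$num" in ''|*[!0-9]*) echo "bad duration: $dur" >&2; return 1 ;; esac
    case "$unit" in
        s) echo "$num" ;;
        m) echo $((num * 60)) ;;
        h) echo $((num * 3600)) ;;
        d) echo $((num * 86400)) ;;
        *) echo "bad duration unit: $dur" >&2; return 1 ;;
    esac
}

# Succeeds when default_lease_ttl ($1) does not exceed max_lease_ttl ($2),
# the constraint Vault itself enforces on these two settings.
check_ttl_order() {
    def_s=$(ttl_seconds "$1") || return 1
    max_s=$(ttl_seconds "$2") || return 1
    [ "$def_s" -le "$max_s" ]
}

# Succeeds when TLS is on, or TLS is off but the listener is loopback-only.
check_listener() {
    addr=$1         # e.g. 127.0.0.1:8200
    tls_disable=$2  # "true" or "false"
    [ "$tls_disable" = "true" ] || return 0
    case "$addr" in
        127.*|localhost:*|"[::1]:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_vault_config <out-file> [address] [tls_disable] [default_ttl] [max_ttl]
write_vault_config() {
    out=$1
    addr=${2:-127.0.0.1:8200}
    tls=${3:-false}
    def_ttl=${4:-768h}
    max_ttl=${5:-768h}

    check_ttl_order "$def_ttl" "$max_ttl" || {
        echo "default_lease_ttl $def_ttl exceeds max_lease_ttl $max_ttl" >&2; return 1; }
    check_listener "$addr" "$tls" || {
        echo "refusing tls_disable = \"true\" on non-loopback $addr" >&2; return 1; }

    if [ "$tls" = "true" ]; then
        tls_lines='  tls_disable = "true"'
    else
        # Hypothetical paths; mount the real chain and key into /vault/config.
        tls_lines='  tls_cert_file = "/vault/config/vault.crt"
  tls_key_file  = "/vault/config/vault.key"'
    fi

    cat > "$out" <<EOF
storage "file" {
  path = "/vault/file"
}

listener "tcp" {
  address = "$addr"
$tls_lines
}

log_level         = "info"
default_lease_ttl = "$def_ttl"
max_lease_ttl     = "$max_ttl"
ui                = true
EOF
}

# Usage: sh make-config.sh ./config/vault.hcl 0.0.0.0:8200 false 24h 768h
if [ $# -gt 0 ]; then
    write_vault_config "$@"
fi
```

Because the checks run before the file is written, a rejected call leaves no half-configured vault.hcl behind for the container to pick up.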
