Set up Vault service
If you build Vault or download the binary manually in order to run it as a server, it is common to run Vault as a system service instead of starting it by hand.
Note
These steps are not required if you install Vault from a supported package manager.
The instructions included on this page are based on the example vault.service included in the Vault GitHub repository and were tested on Ubuntu 22.04.
Download a precompiled binary and extract it or build from source.
Move the Vault binary to /usr/bin/.

$ sudo mv vault /usr/bin/
Give the Vault binary the capability to call mlock(), so it can lock its memory pages and keep secrets from being written to swap.

$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
Create a directory to store Vault data. A good practice is to keep Vault data and Vault logs on volumes separate from the operating system.

$ sudo mkdir -p /opt/vault/data
Create a system user to run Vault and set its shell to nologin.

$ sudo useradd --system --home /opt/vault/data --shell /sbin/nologin vault
Change ownership of /opt/vault/data to the vault user and set permissions so that only that user and group can access it.

$ sudo chown vault:vault /opt/vault/data && sudo chmod -R 750 /opt/vault/data
Create a directory for the Vault configuration file.
$ sudo mkdir -p /etc/vault.d
Create a Vault configuration file. The example used is suitable for testing and development but should not be used for real use cases: tls_disable is set to 1 (true), so the listener serves plaintext HTTP, and it binds all interfaces (0.0.0.0). Because the listener is plaintext, api_addr uses the http scheme; the scheme advertised in api_addr must match what the listener actually serves, or clients redirected to it will fail the TLS handshake. disable_mlock = true is the recommended setting for the integrated (raft) storage backend; disable swap on the host instead. Refer to the configuration documentation for a list of supported parameters.

$ sudo tee /etc/vault.d/vault.hcl <<EOF
ui = true
cluster_addr  = "http://127.0.0.1:8201"
api_addr      = "http://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "127.0.0.1"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1
}
EOF
Change ownership and permission on the Vault configuration file.
$ sudo chown vault:vault /etc/vault.d/vault.hcl && sudo chmod 640 /etc/vault.d/vault.hcl
Create a systemd service. The unit runs Vault as the unprivileged vault user with only the CAP_IPC_LOCK (for mlock) and CAP_SYSLOG capabilities in its bounding set, and NoNewPrivileges prevents the process from gaining more. The backslash before $MAINPID keeps the shell from expanding it while writing the file; systemd expands it at reload time.

$ sudo tee /lib/systemd/system/vault.service <<EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://developer.hashicorp.com/vault/docs
ConditionFileNotEmpty=/etc/vault.d/vault.hcl

[Service]
User=vault
Group=vault
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
EOF
Change the permissions on /lib/systemd/system/vault.service to 644.

$ sudo chmod 644 /lib/systemd/system/vault.service
Reload the systemd configuration.
$ sudo systemctl daemon-reload
Start the Vault service.
$ sudo systemctl start vault.service
Verify the service status.

$ systemctl status vault.service
vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-09-05 13:58:45 UTC; 4s ago
       Docs: https://developer.hashicorp.com/vault/docs
   Main PID: 3145 (vault)
      Tasks: 8 (limit: 2241)
     Memory: 23.6M
        CPU: 200ms
     CGroup: /system.slice/vault.service
             └─3145 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

The unit is running but shows as "disabled", meaning it will not start at boot; run sudo systemctl enable vault.service if it should. A server started this way is not yet initialized or unsealed.
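As an added example that is not part of the Vault documentation or repository, the following POSIX shell script checks the state the steps above are meant to produce (file ownership and modes, the mlock capability on the binary, whether the configuration still disables TLS, and what /v1/sys/health reports) and, for the configuration step, writes a listener configuration that serves TLS instead of setting tls_disable = 1. It assumes Linux coreutils (stat -c), libcap's getcap, curl, and the paths used on this page; the certificate and key paths passed to write_tls_config (for instance under /etc/vault.d/tls/) are hypothetical.

```shell
#!/bin/sh
# Post-install checks for the Vault service set up on this page, plus a
# TLS-enabled configuration writer. Added example, not Vault project code.
# Assumes Linux coreutils (stat -c), libcap getcap, curl, and the paths below;
# the cert/key paths given to write_tls_config are hypothetical.

VAULT_BIN=/usr/bin/vault
VAULT_CFG=/etc/vault.d/vault.hcl
VAULT_DATA=/opt/vault/data
VAULT_UNIT=/lib/systemd/system/vault.service

# check_mode FILE OCTAL: succeed if FILE's permission bits equal OCTAL (e.g. 640)
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# check_owner FILE USER GROUP: succeed if FILE is owned by USER:GROUP
check_owner() {
    actual=$(stat -c '%U:%G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2:$3" ]
}

# check_ipc_lock BINARY: succeed if cap_ipc_lock is permitted+effective on BINARY
# (matches both "cap_ipc_lock=ep" and the older "= cap_ipc_lock+ep" getcap formats)
check_ipc_lock() {
    getcap "$1" 2>/dev/null | grep -q 'cap_ipc_lock[=+]ep'
}

# config_disables_tls CONFIG: succeed if CONFIG turns TLS off on a listener
# (tls_disable = 1, true or "true"); comment lines are ignored
config_disables_tls() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq 'tls_disable[[:space:]]*=[[:space:]]*(1|true|"true")'
}

# write_tls_config OUT CERT KEY: write a config whose listener serves TLS from
# CERT/KEY instead of setting tls_disable = 1; api_addr uses https to match
write_tls_config() {
    cat > "$1" <<EOF
ui = true
cluster_addr  = "http://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path    = "$VAULT_DATA"
  node_id = "127.0.0.1"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "$2"
  tls_key_file    = "$3"
  tls_min_version = "tls12"
}
EOF
}

# vault_health_code ADDR: print the HTTP status of ADDR/v1/sys/health (000 if unreachable)
vault_health_code() {
    curl -s -o /dev/null -w '%{http_code}' "$1/v1/sys/health"
}

# health_state CODE: translate a /v1/sys/health status code into Vault's state;
# a server freshly started by the steps above reports 501 (not yet initialized)
health_state() {
    case "$1" in
        200) echo active ;;
        429) echo standby ;;
        501) echo uninitialized ;;
        503) echo sealed ;;
        *)   echo unreachable ;;
    esac
}

# run_all_checks: print ok/FAIL per check against the paths above; non-zero if any failed
run_all_checks() {
    rc=0
    report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi; }
    report check_owner "$VAULT_DATA" vault vault
    report check_mode "$VAULT_DATA" 750
    report check_owner "$VAULT_CFG" vault vault
    report check_mode "$VAULT_CFG" 640
    report check_mode "$VAULT_UNIT" 644
    report check_ipc_lock "$VAULT_BIN"
    if config_disables_tls "$VAULT_CFG"; then
        echo "WARN $VAULT_CFG sets tls_disable: plaintext listener, not for production"
    fi
    echo "health: $(health_state "$(vault_health_code "${VAULT_ADDR:-http://127.0.0.1:8200}")")"
    return "$rc"
}

# Only run the checks when invoked with --run, so the functions can also be sourced
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

Run it as `sh vault-check.sh --run` after the service is started; every FAIL line points at one of the chown/chmod/setcap steps above, and the WARN line fires as long as the development configuration from this page is still in place. The health check deliberately does not pass -k to curl, so once you switch to write_tls_config's output with a private CA you must point curl at that CA (for example with --cacert) rather than disabling verification.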