How to Install Hashicorp Vault on Linux


Secrets management is a crucial component to any environment, including for web applications and server configuration management. In this tutorial, you will learn how to install Hashicorp Vault on Ubuntu and use it to store your sensitive information.

Hashicorp Vault is used for securely storing tokens, passwords, certificates, and encryption keys. It tightly controls access to secrets and encryptions keys by authenticating against trusted sources of identity, including Active Directory, LDAP, Kubernetes, CloudFoundry, and cloud platforms.

Access to secrets and encrypted data is powered by a Vault API.

Installing Hashicorp Vault

To install Hashicorp vault you download a binary from the Vault website. The download is a single binary, which is functions as both a client and server.

Installing Vault as a client is as simple as placing it the /usr/bin directory. However, the server installation isn’t nearly as intuitive.

Prepare for the server installation by creating a directory structure to hold the binary, logs, and vault data.

sudo mkidr -p /opt/vault/{logs,bin,data}

Next, download the binary from the official Hashicorp Vault website. At the the time of this writing, version 1.1.3 was the latest release. More releases can be found on the download page.

sudo wget

Unzip the Vault binary file and place it in the installation directory.

unzip -d /opt/vault/bin

Configuring Hashicorp Vault

To run Vault as a service it needs a configuration. Create a directory for Vault under /etc, where we will store the Vault configuration file.

sudo mkdir /etc/vault

Vault’s configuration is written in JSON. Create a new JSON file named config.json under the newly created /etc/vault directory.

sudo touch /etc/vault/config.json

And the following configuration to it.

  "listener": [{
    "tcp": {
      "address" : "",
      "tls_disable" : 1
  "api_addr": "",
  "storage": {
     "file": {
       "path" : "/opt/vault/data"
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",

Create a Service User for Vault

You should always run a Vault server as an unprivileged user. The user should also not be your day-to-day user account. Create a new user account for Vault and grant it ownership of the installation directory.

To create the service user, run the following command. The -r flag sets the user as a system user. This will prevent the user from being accessed via SSH, for example.

sudo useradd -r vault

Now grant the user account ownership of the installation directory created earlier.

sudo chown -rV vault:vault /opt/vault

Running Vault as a Service

Create a new Systemd service file for Hashicorp Vault

sudo touch /etc/systemd/system/vault.service

Add the following contents to it

Description=vault service

ExecStart=/opt/vault/vault server -config=/etc/vault/config.json
ExecReload=/bin/kill -HUP $MAINPID


To configure Vault to start automatically at boot, enable the service using the systemctl enable command.

sudo systemctl enable vault.service 

Start Vault as a service using the systemctl start command.

sudo systemctl start vault.service

Preparing to Administer Vault

Add the Vault bin directory to your PATH environment variable.

export PATH=$PATH:/opt/vault/bin
echo "export PATH=$PATH:/opt/vault/bin" >> ~/.bashrc

Set environment variables for Vault

echo "export VAULT_ADDR=" >> ~/.bashrc

Initialize and Unseal your Vault

Initialize your Vault

sudo vault operator init

The output will look like the following. You should store this information in a secure location, as it will be required to unseal the vault, as well as to administer the server.

Unseal Key 1: aUEvSKm/O9CQhQspwNFcHYuabF1uD1m7FpMmo7f5AVau
Unseal Key 2: EjLBTmuaeZgEl8kGWJIuJhhWYNVCLEEqKEA7I6i4FjpF
Unseal Key 3: tVSkHbcUqhLzOlKbwWWJkoLDPemZNoDWXrXbPIU3Zfad
Unseal Key 4: IT8+r4aZ2gq/7YujNGDbP2Of3UQ5Kw5jKbWrr4m1atYx
Unseal Key 5: e75ORgXvs8GMu1PxMgpu2hvqxj7St7LllI8eTjfEo8bX

Initial Root Token: s.5iSwFPh0XQa96MSrBHquCFlH

Vault initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of existing unseal keys shares. See "vault operator rekey" for more information.

To unseal the vault choose any three of the unseal keys, and then run the vault unseal key command against them.

vault operator unseal aUEvSKm/O9CQhQspwNFcHYuabF1uD1m7FpMmo7f5AVau
vault operator unseal EjLBTmuaeZgEl8kGWJIuJhhWYNVCLEEqKEA7I6i4FjpF
vault operator unseal tVSkHbcUqhLzOlKbwWWJkoLDPemZNoDWXrXbPIU3Zfad

This operation will have to be done every time the server is stopped, or the system is rebooted.

Enabling Secrets

A new installation of Vault will not have secrets or api access enabled. You will have to enable both of these features in order to use them.

To enable API access you will use the vault auth enable command, as seen in the following example.

vault auth enable approle

When acting as a secrets vault, you must enable the secrets feature. Use the following command to use version 2 of the vault, as well as setting the path to the secrets.

vault secrets enable -version=2 -path=secret kv