Hashicorp Vault : Installation In Prod Mode

Updated: Aug 26, 2020

In the last article we discussed about installation of vault in dev mode, tried creating few secrets walked through both GUI ans CLI interface.

I want to point out that dev mode is only good for testing purpose and there are a few limitations in this case.

  • Data and configuration is not persistent

  • Configuration is stored in "in-memory database"

  • By default GUI can be opened only on localhost

  • Lesser security features

To get rid of this now we will see how vault can be installed in prod mode.Follow the below steps to do so.

  • Login to a Centos 7 machine and execute the below commands

yum install epel-release -y
yum install wget unzip -y
wget https://releases.hashicorp.com/vault/1.5.0/vault_1.5.0_linux_amd64.zip 
unzip vault_1.5.0_linux_amd64.zip
mv vault /usr/bin/

Create a file vault.config with below contents

[root@linuxadvise vault]# cat vault.config
ui = true
listener "tcp" {

  address = ""
  tls_disable = 1

  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = ""

storage "file" {
  path = "/mnt/vault/data"

  • By default GUI is disabled in prod mode we can enable it by passing relevant parameter in config file.

  • Also unlike dev mode where data is stored in memory, in prod mode we can create a file which acts as a storage back end where configuration can be stored.

  • Possible back end storage options are Filesystem,S3 bucket, Consul, databases(MySQL, DynamoDB)

  • TLS can be enabled by using a self signed cert or any valid SSL certificate but here I have disabled it.

  • I have specified the IP address of the server where vault is installed so that I am able to access GUI on that IP instead of localhost.

  • Then finally execute below command

[root@linuxadvise vault]# vault server -config=vault.config
==> Vault server configuration:

                     Cgo: disabled
              Go Version: go1.14.4
              Listener 1: tcp (addr: "", cluster address: "", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.5.0

==> Vault server started! Log data will stream in below:

2020-08-22T13:04:52.912+0530 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-08-22T13:04:52.913+0530 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set

  • To access vault using cli , run the below commands

vault operator init
vault operator unseal

After this vault should be accessible on

Let me now initialize it.

Download the keys that will be show in the next step

In the next two steps provide both keys and then Initial token. Next the vault console will be displayed.

Rest of the things will work the same way once on the vault console.

In the next article we will move forward and study about Secrets engine .


249 views0 comments

Recent Posts

See All