Install HashiCorp Vault on Ubuntu
- Updated on 19 Dec 2024
HashiCorp Vault is a robust tool designed to securely manage secrets and protect sensitive data in a dynamic environment. It offers a comprehensive set of features for managing access to tokens, passwords, certificates, and encryption keys, enabling organizations to enhance their security posture. Installing HashiCorp Vault on an Ubuntu system involves downloading the Vault binary, setting appropriate permissions, and configuring it to suit your security requirements. This guide will take you through the installation process, ensuring that Vault is properly set up and ready to store and manage your critical data assets securely. Following these steps, you can leverage Vault's capabilities to enhance your application's security infrastructure.
Install HashiCorp Vault on Ubuntu
To install HashiCorp Vault on Ubuntu, perform the following steps:
Log in to the Ubuntu server as the root user.
Update your local package index to ensure you have the latest version of available packages.
sudo apt update
Install Python 3 on the Ubuntu machine.
sudo apt install -y python3
To check the installed version of Python, use the following command.
python3 --version
Install the pip package manager, which is used to manage Python libraries.
sudo apt install -y python3-pip
Download the HashiCorp Vault release archive. Version 1.15.3 is used in this guide.
wget https://releases.hashicorp.com/vault/1.15.3/vault_1.15.3_linux_amd64.zip
Unzip the HashiCorp Vault archive. Change the version in the file name to match the version you downloaded.
unzip vault_1.15.3_linux_amd64.zip
Move the HashiCorp Vault binary to a system path.
sudo mv vault /usr/local/bin/
Verify the version of the installed HashiCorp Vault.
vault --version
Create the HashiCorp Vault user.
sudo useradd --system --home-dir /etc/vault.d --shell /bin/false vault
sudo mkdir -p /etc/vault.d
sudo chown vault:vault /etc/vault.d
Create the HashiCorp Vault directories.
sudo mkdir -p /etc/vault.d /var/lib/vault
sudo chown -R vault:vault /etc/vault.d /var/lib/vault
Configure HashiCorp Vault with MSSQL as the storage backend.
touch /etc/vault.d/vault.hcl
vi /etc/vault.d/vault.hcl
Paste the following code exactly as it is.

storage "mssql" {
  server = "192.168.X.X"
  port = 1433
  username = "vault"
  password = "**********"
  database = "vault"
  table = "Vault"
  appname = "vault"
  schema = "dbo"
  connectionTimeout = 30
  logLevel = 0
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr = "http://0.0.0.0:8200"
ui = true
disable_mlock = true
Notes
In the code above, replace the server IP address (192.168.X.X) with the IP address of your database server.
The username and password are the SSMS username and password created to authenticate to the database.
The table Vault is created automatically. Create a database named "vault" and a user named "vault", and assign a password to this user.
Because the listener sets tls_disable = 1, the API and UI are served over plain HTTP, which is why the URLs in this guide start with http://.
Set up the systemd service for HashiCorp Vault.
touch /etc/systemd/system/vault.service
vi /etc/systemd/system/vault.service
Paste the following code exactly as it is.

[Unit]
Description=HashiCorp Vault
Documentation=https://www.vaultproject.io/docs/
After=network-online.target
Wants=network-online.target

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
SecureBits=keep-caps
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
StartLimitInterval=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
Reload systemd, then enable and start HashiCorp Vault.
sudo systemctl daemon-reload
sudo systemctl enable vault
sudo systemctl start vault
Verify that HashiCorp Vault is running.
sudo systemctl status vault
Initialize and Unseal Vault
Open a browser and navigate to http://localhost:8200 (or http://<server IP address>:8200). Vault will now be initialized.
On the following screen, enter 5 in the Key shares and 3 in the Key threshold fields and click Initialize.
Figure: Root keys
On the unseal keys page, scroll to the bottom and select Download Key. Save the generated unseal keys file to your Vault folder.
Figure: Unseal keys
The unseal process requires these keys, and access requires the root token.
Click Continue to Unseal.
Open the downloaded file.
Copy any one of the keys (not keys_base64) and enter it in the Unseal Key Portion field. Click Unseal to proceed.
Figure: Unseal vault
The Unseal status shows 1/3 keys provided. Enter another key and click Unseal. The Unseal status shows 2/3 keys provided.
Enter another key and click Unseal. After 3 out of 5 unseal keys are entered, the Vault is unsealed and is ready to operate.
Copy the root_token and enter the value in the Token field. Click Sign In.
Figure: Sign in to vault
The Dashboard displays basic information about the current server settings.
Figure: Vault dashboard
Auto Unseal
Save the downloaded unseal keys in the following folder.
cd /etc/vault.d/
touch unseal_keys.json
Add the entire JSON key file with the following command.
vi unseal_keys.json
The following Python script auto-unseals HashiCorp Vault.
touch /etc/vault.d/auto_unseal.py
vi /etc/vault.d/auto_unseal.py
Paste the following code exactly as it is.

import requests  # third-party package; install it with pip3 if it is not already present
import json
import time

# Vault server address (use http://<server IP address>:8200 when not running locally)
VAULT_ADDRESS = "http://localhost:8200"

# Path to the downloaded unseal keys file
UNSEAL_KEYS_FILE = "/etc/vault.d/unseal_keys.json"

# Load the unseal keys (the "keys" list, not "keys_base64") from the file
def load_unseal_keys():
    with open(UNSEAL_KEYS_FILE, 'r') as file:
        data = json.load(file)
    return data["keys"]

# Submit the keys one by one until Vault reports that it is unsealed
def unseal_vault():
    keys = load_unseal_keys()
    for key in keys:
        response = requests.put(f"{VAULT_ADDRESS}/v1/sys/unseal", json={"key": key})
        if response.status_code == 200:
            print("Unseal step successful")
        else:
            print("Error in unsealing step:", response.json())
            return
        # Stop as soon as the threshold has been reached
        if not requests.get(f"{VAULT_ADDRESS}/v1/sys/seal-status").json()["sealed"]:
            print("Vault is unsealed.")
            return
    print("All keys applied, Vault should be unsealed now.")

# Return True while Vault is still sealed
def is_vault_sealed():
    response = requests.get(f"{VAULT_ADDRESS}/v1/sys/seal-status")
    return response.json()["sealed"]

# Wait until Vault is reachable, then unseal it if necessary
def main():
    while True:
        try:
            if not is_vault_sealed():
                print("Vault is already unsealed.")
                return
            print("Vault is sealed, starting unseal process...")
            unseal_vault()
            break
        except requests.exceptions.ConnectionError:
            print("Vault is not reachable, retrying in 5 seconds...")
            time.sleep(5)

if __name__ == "__main__":
    main()
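A compact model of the 3-of-5 unseal flow this guide walks through, added here as an example and not the guide's auto_unseal.py: it reads the downloaded key file, submits shares only until Vault reports unsealed instead of pushing all five, and renders the "N/3 keys provided" status the UI shows. The sample key file and FakeVault are constructed stand-ins; the field names sealed, t, n and progress are those of Vault's /v1/sys/seal-status response.

```python
import json

# Constructed stand-in for the file the UI's "Download Key" button produces
# (5 shares, threshold 3). The values are placeholders, not real key material.
SAMPLE_KEYS_FILE = json.dumps({
    "keys": ["k1-hex", "k2-hex", "k3-hex", "k4-hex", "k5-hex"],
    "keys_base64": ["k1-b64", "k2-b64", "k3-b64", "k4-b64", "k5-b64"],
    "root_token": "hvs.PLACEHOLDER",
})

def load_keys(raw_json):
    """Return the hex shares under "keys"; the guide says not to use keys_base64."""
    return json.loads(raw_json)["keys"]

def progress_text(status):
    """Render the UI line "N/T keys provided" from a seal-status body."""
    return f"{status['progress']}/{status['t']} keys provided"

def unseal_until_open(keys, seal_status, submit_key):
    """Submit shares one at a time and stop once Vault reports unsealed.
    seal_status() and submit_key(k) return dicts shaped like the seal-status
    and unseal API replies. Returns the number of shares actually sent."""
    status = seal_status()
    if not status["sealed"]:
        return 0                       # nothing to do, keys never leave the file
    if len(keys) < status["t"]:
        raise ValueError(f"need {status['t']} shares, file holds {len(keys)}")
    sent = 0
    for key in keys:
        status = submit_key(key)       # unseal reply carries sealed/t/n/progress
        sent += 1
        if not status["sealed"]:
            break                      # threshold reached; remaining shares unused
    return sent

class FakeVault:
    """Offline model of a Shamir-sealed Vault so the flow runs without a server."""
    def __init__(self, shares=5, threshold=3):
        self.n, self.t, self.accepted = shares, threshold, set()
    def seal_status(self):
        sealed = len(self.accepted) < self.t
        # Real Vault resets progress to 0 once the barrier is open.
        return {"sealed": sealed, "t": self.t, "n": self.n,
                "progress": len(self.accepted) if sealed else 0}
    def submit_key(self, key):
        self.accepted.add(key)         # a repeated share does not advance progress
        return self.seal_status()
```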
Configure a systemd service to run the script.
touch /etc/systemd/system/vault-auto-unseal.service
vi /etc/systemd/system/vault-auto-unseal.service
Paste the following code exactly as it is.

[Unit]
Description=Auto-Unseal Vault
After=vault.service
Requires=vault.service

[Service]
Type=simple
ExecStart=/usr/bin/python3 /etc/vault.d/auto_unseal.py
Restart=on-failure

[Install]
WantedBy=multi-user.target
Grant the required permission and validate the Python script.
To grant execute permission:
chmod +x /<enter the file path of the Python script>/auto_unseal.py
To check that the script runs and can reach Vault:
python3 /<enter the file path of the Python script>/auto_unseal.py
Enable and start the auto-unseal service for HashiCorp Vault.
sudo systemctl daemon-reload
sudo systemctl enable vault-auto-unseal.service
sudo systemctl start vault-auto-unseal.service
sudo systemctl status vault-auto-unseal.service
To test the setup, run the following commands.
sudo systemctl status vault
sudo systemctl status vault-auto-unseal.service