Configure Vault
  • 03 Oct 2022
  • Dark
    Light
  • PDF

Configure Vault

  • Dark
    Light
  • PDF

Article Summary

Configure Vault

To configure Vault:

  1. Navigate to /opt/vault.

    Figure 1: Change Directory

    Change Directory

  2. Create a config file with an hcl file extension.

    Figure 2: Create Config File

    Create Config File

  3. Edit the config by adding the information below.

    storage "raft" {
      path    = "/opt/vault/data"
      node_id = "node1"
    }
    
    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = "true"
    }
    
    api_addr = "http://127.0.0.1:8200"
    cluster_addr = "https://127.0.0.1:8201"
    ui = true
    

    Figure 3: Edit Config File

    Edit Config File

  4. Run Vault using the command vault server -config=/opt/vault/config.hcl. This will start the Vault Server using the newly created config file.

    vault server -config=/opt/vault/config.hcl
    

    Figure 4: Start Vault

    Start Vault

  5. Once the Vault Server is running, open a second terminal window. Do not close the first terminal window as this will stop the Vault Server.

    Figure 5: Vault Server is Running

    Vault Server is Running

Unseal Vault Server

To unseal the Vault server:

  1. In the second terminal window run the following commands:

    export VAULT_ADDR='http://127.0.0.1:8200'
    vault operator init
    

    Figure 6: Run Commands Second Terminal Window

    Run Commands Second Terminal Window

  2. Copy the outlined key information from the terminal window into a text file. You will need to use this information more than once.

    Figure 7: Copy Key Information

    Copy Key Information

  3. Run the unseal command vault operator unseal three (3) times using the unseal key information copied to the text file. You will need to use three (3) different unseals keys. It does not matter which three you use, but make sure each one is different.


    Note: By default there are five (5) keys with a threshold of three (3) keys. Once three (3) keys are entered the vault is unsealed. The progress of unsealing is outlined in the image below.


    Figure 8: Unseal Progress

    Unseal Progress

  4. Login to Vault using the initial root token (it should have been copied to the text file with the unseal keys). Use vault login <INITIAL_ROOT_TOKEN>.

    Figure 9: Login to Vault

    Login to Vault

  5. Run the vault operator generate-root -init to obtain a One Time Password (OTP).

    Figure 10: Get OTP

    Get OTP

  6. Run the command vault operator generate-root to obtain the encoded key. This step will need to be performed three (3) times using the unseal keys. You may use the same three keys from before. Copy the encoded key to your text file.

    Figure 11: Get Encoded Key

    Get Encoded Key

  7. Use the command vault operator generate-root -decode=$ENCODED_TOKEN -otp=$OTP to obtain a new root key. Remember to replace the variable with your encoded token and OTP.

    Figure 12: Get New Root Key

    Get New Root Key

  8. Once the new root key is generated (outlined in the image below), create a token.txt file for storage. The location of the token file should be in /opt/vault directory.

    Figure 13: Store New Root Key

    Store New Root Key


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.