Configure HashiCorp Vault

This guide shows you how to configure and start the HashiCorp Vault server.

Start the Vault server

2. Create configuration file

Create an empty configuration file with the .hcl extension in /opt/vault, the directory the later steps use.

$ touch /opt/vault/config.hcl
3. Edit configuration

Add the following configuration to the file.

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true

tls_disable = "true" turns off TLS on the API listener, so clients talk to Vault over plaintext HTTP. That is tolerable here only because the listener is bound to the loopback address 127.0.0.1; never use it on a listener reachable from other hosts. The cluster port 8201 is unaffected, since Vault always encrypts cluster traffic with its own TLS. The raft storage path /opt/vault/data must be a directory that the user running Vault can write to.
4. Start Vault server

Run Vault using the configuration file.

$ vault server -config=/opt/vault/config.hcl

This starts the Vault server using the newly created config file.

5. Open second terminal

Open a second terminal window. Keep the first terminal window open—closing it will stop the Vault server.

Unseal the Vault server

1. Initialize Vault

In the second terminal window, run the following commands.

$ export VAULT_ADDR='http://127.0.0.1:8200'
$ vault operator init
2. Save key information

Copy the unseal keys and initial root token from the terminal output into a text file. You will need them for the next steps. Treat that file as a secret: together the unseal keys and the root token give complete control of Vault.

3. Unseal Vault

Run the unseal command three times, entering a different unseal key from your saved information each time. The command prompts for the key, so the key does not end up in your shell history.

$ vault operator unseal

By default, Vault generates five unseal keys with a threshold of three. You must enter three different keys to unseal the vault; any three of the five will work. After the third key, confirm the result with vault status: the Sealed field should read false.

4. Log in to Vault

Log in using the initial root token you saved earlier.

$ vault login <INITIAL_ROOT_TOKEN>
5. Generate One Time Password

Generate a One Time Password (OTP). The output also includes a nonce that identifies this root-generation attempt.

$ vault operator generate-root -init

Copy both the OTP and the nonce to your text file.

6. Generate encoded token

Generate an encoded token by running this command three times, entering a different unseal key each time (you can use the same keys from step 3). Every run must use the nonce from step 5; supply it with -nonce=<NONCE>. The third run, which reaches the threshold, prints the encoded token.

$ vault operator generate-root

Copy the encoded token to your text file.

7. Decode token

Decode the encoded token with the OTP to obtain the new root token. Replace $ENCODED_TOKEN and $OTP with your actual values.

$ vault operator generate-root -decode=$ENCODED_TOKEN -otp=$OTP
8. Store root token

Create a token.txt file in the /opt/vault directory and save the new root token in it. The file then holds a root token in plaintext, so restrict it to the owner (mode 0600) and keep it off shared or version-controlled storage; anyone who can read it has full control of Vault.

$ echo "YOUR_ROOT_TOKEN" > /opt/vault/token.txt
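Steps 1 to 4 of the unseal section (initialize, save the output, unseal with three keys, log in) as one script. This is an added example, not part of the original guide and not Vault's own tooling. It assumes the vault CLI is on PATH and VAULT_ADDR is exported as in step 1, and it parses the plain-text output of vault operator init (the "Unseal Key N:" and "Initial Root Token:" lines) after saving it to a file. The file name /opt/vault/init.txt, the function names and the sample lines in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): init -> save -> unseal -> login.
# Assumes the `vault` CLI is on PATH and VAULT_ADDR is exported
# (e.g. http://127.0.0.1:8200). File and function names are this example's own.

# Print the unseal keys from a saved `vault operator init` output, one per line.
# The CLI prints them as "Unseal Key N: <key>", so the key is the 4th field.
extract_unseal_keys() {
  awk '/^Unseal Key [0-9]+:/ { print $4 }' "$1"
}

# Print the initial root token from the same file ("Initial Root Token: <token>").
extract_root_token() {
  awk '/^Initial Root Token:/ { print $4 }' "$1"
}

# Run `vault operator init`, write its output with owner-only permissions, and
# refuse to continue if the file does not hold the default five unseal keys.
init_and_save() {
  init_file=$1
  # umask in a subshell so only this file is created as mode 0600; it holds
  # the unseal keys and the root token.
  ( umask 077; vault operator init > "$init_file" ) || return 1
  [ "$(extract_unseal_keys "$init_file" | wc -l | tr -d ' ')" -eq 5 ] || {
    echo "unexpected init output in $init_file" >&2
    return 1
  }
}

# Submit the first THRESHOLD distinct keys (default 3 of 5), then report the
# seal state. Returns 0 when Vault is unsealed, 1 otherwise.
unseal_from_file() {
  init_file=$1
  threshold=${2:-3}
  n=0
  for key in $(extract_unseal_keys "$init_file"); do
    [ "$n" -ge "$threshold" ] && break
    vault operator unseal "$key" > /dev/null || return 1
    n=$((n + 1))
  done
  # `vault status` exits 0 when unsealed, 2 when sealed, 1 on error.
  rc=0
  vault status > /dev/null 2>&1 || rc=$?
  case $rc in
    0) echo "unsealed after $n keys" ;;
    2) echo "still sealed after $n keys" >&2; return 1 ;;
    *) echo "cannot reach Vault at ${VAULT_ADDR:-unset}" >&2; return 1 ;;
  esac
}

# Usage against a freshly started, uninitialized server:
#   init_and_save /opt/vault/init.txt
#   unseal_from_file /opt/vault/init.txt 3
#   vault login "$(extract_root_token /opt/vault/init.txt)"
```

The script deliberately feeds keys to vault operator unseal as arguments inside a function rather than typing them interactively, so run it from a file instead of pasting the keys on a command line that shell history would record. The init output file deserves the same handling as token.txt in step 8: owner-only permissions and no copies in shared storage.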

Next steps