Introduction

Vault stores, controls, and protects the data used for authentication and authorization. Vault is a management system for secrets, restricting or approving access to passwords, certificates, or APIs. It also provides data encryption, on-demand secrets, and revocation.

In this tutorial, learn how to install Vault on CentOS and run Vault as a service.

guide on how to install hashicorp vault on centos

Prerequisites

  • A CentOS Linux system
  • A user account with sudo privileges
  • Access to a command-line/terminal window (Ctrl+Alt+F2)

Install Vault from Binary on CentOS

1. Before installing Vault, create a new directory in Linux using the mkir command to store the binary package and other necessary data for the software. To illustrate, we will name it “directory” and run the following command to create it:

sudo mkdir -p /opt/vault/directory

2. With the directory set up, move on to downloading the binary from Vault’s official website. Navigate to the website and click on the blue Download icon.

3. Find the appropriate package for your CentOS operating system (Linux) and click on the tile.

4. You will see the Linux icon and a Download button. Right-click on the button and select Copy Link Location.

download vault for linux

5. Next, go back to the command line. Use the wget command and the link location you copied in the previous step to download the binary:

sudo wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip

6. Then, unzip the package using the command:

unzip vault_1.2.3_linux_amd64.zip

example of installing vault from the binary on CentOS
7. After unzipping, type:

sudo chown root:root vault
sudo mv vault /usr/local/bin/ (or to som other DIR that's present in your $PATH

8. Verify Vault is running with the command:

vault --version

The output displays the version of Vault running on the system.

For additional information, you can prompt the help page with the command:

vault

Note: Vault 1.2.3 is currently the newest version. However, newer releases may be available by the time of your installation.


Configuring Vault

Create a Service User for Vault

It is best to consider privileged account security and have a separate non-privileged system user for running a Vault server.

Use the following command to create a system user and grant ownership of the installation directory:

sudo useradd --system –home /etc/vault.d – shell /bin/false vault

Check to see if you have successfully created the service user with:

sudo grep vault /etc/passwd

The output should show something like the line below:

vault:x:997:995::/etc/vault.d:/bin/false

Run Vault as a Service

To run Vault as a service, you also need to create a new Systemd service file:

sudo vi/etc/systemd/system/vault.service

Then, add the content below:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

Enable and start the service with the commands:

sudo systemctl enable vault.service
sudo systemctl start vault.service

Prepare to Administer Vault

The next step is to move the Vault bin directory to the PATH environment variable with the command:

export PATH=$PATH:/opt/vault/bin
echo "export PATH=$PATH:/opt/vault/bin" >> ~/.bashrc

preparing to initialize vault
Followed by setting the environment variables for Vault by typing:

export VAULT_ADDRESS=http://10.128.0.2:8200
echo "export VAULT_ADDR=http://10.128.0.2:8200" >> ~/.bashrc

Initialize and Unseal your Vault

To initialize and unseal Vault, you will first need to start Vault as a server in the dev mode. However, make sure not to run a dev server in production.

Run the following command:

vault server -dev

The command produces an output that includes the server configuration, the unseal key, and root token. Save the unseal key and root token values, as you will need them in the next steps.


Note: As Vault does not fork, you need to open another shell or terminal to run the following commands.


Start by setting the environment variable. You will find this command as part of the output from the previous steps:

export VAULT_ADDR=’http://127.0.0.1:8200’

Then, run the following command with the information from the dev server’s output:

export VAULT_DEV_ROOT_TOKEN_ID=”XXXXXXXXXXXXXXXX”

Check the status of the server:

valut status

The output should display that Vault is now initialized and no longer sealed.

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.2.3
Cluster Name    vault-cluster-18e6bce0
Cluster ID      16382125-eb14-f23a-8145-ad64eee072cf
HA Enabled      false

Conclusion

After reading this article, you have installed and configured Vault on CentOS 7 successfully. Although the installation includes numerous steps, if you follow the guide, you should not have any issues.


Next you should also read