How to Install Hashicorp Vault on Ubuntu 18.04

December 19, 2019

Introduction

Vault is a powerful tool developed by HashiCorp used for managing secrets and sensitive data. Installing Vault in Ubuntu provides a secure and centralized platform for storing, accessing, and controlling access to passwords, API keys, certificates, and other confidential information.

The following text explains how to install Vault in Ubuntu using three different approaches.

How to install Vault in Ubuntu

Prerequisites

  • Ubuntu system (this tutorial uses the 22.04 Ubuntu version).
  • A user account with sudo privileges
  • Access to the terminal.

Install Vault on Ubuntu from the Official Git Repository

One way to install Vault is from the official Git repository. Git is a distributed version control system utilized in software development to track changes in source code. The official Git repository contains the latest features, enhancements, and bug fixes that are not always available in the stable releases distributed through package managers. To get Vault via the Git repository, take the following steps.

Step 1: Install and Configure Go

When installing Vault via the official Git repository, Go needs to be installed and properly configured because Vault is written in the Go programming language.

Take the following steps to install Go:

1. Update system packages

sudo apt update
sudo apt update terminal output

2. Install Go with the following

sudo apt install golang
Terminal output for sudo apt install golang

3. Confirm the installation was successful with:

go version
Terminal output for go version

4. Set up environment variables by editing the ~/.bashrc file. Open the file in a text editor and add the following lines:

echo 'export GOPATH="$HOME/go"' >> ~/.bashrc
echo 'export PATH="$PATH:/usr/local/go/bin:$GOPATH/bin"' >> ~/.bashrc
Editing .bashrc file in Vim

5. Save and exit the file.

6. Refresh the shell by running:

source ~/.bashrc

The command has no output

7. GOPATH is an environment variable used by Go to specify the Go workspace root directory. The workspace contains the Go source code files, their compiled binaries, and other related files.

Verify GOPATH is correctly set by running:

echo $GOPATH
echo $GOPATH

The terminal returns the directory Go is installed in.

If the terminal returns an empty line, it means GOPATH is not set. Set it manually by adding the following line to the ~/.bashrc file:

export GOPATH="$HOME/go"
Add export GOPATH="$HOME/go" to .bashrc file in VIm

Save and exit the file and run source ~/.bashrc and echo $GOPATH again.

Step 2: Ensure Git is in the PATH

To verify Git is in the PATH, run the git --version command.

git --version
git --version terminal output

If Git is in the PATH, the terminal prints the version information. If git is not in the PATH, the terminal returns an error message or prints no output at all.

Note: If Git is not installed, use sudo apt install git to get Git on Ubuntu.

If Git is installed but not in the PATH, add it by modifying the shell configuration file. Here's how to do it for the ~/.bashrc file:

1. Open the Bash configuration file (~/.bashrc) in a text editor:

sudo vim ~/.bashrc

2. Add the following line at the end of the file:

export PATH="$PATH:[/path/to/git/directory]"

In this case, [/path/to/git/directory] is /usr/bin/git. Therefore, the command is:

export PATH="$PATH:/usr/bin/git"
Adding Git to PATH in Vim

3. Save the file and exit the text editor.

4. Apply changes to the current shell session with the following:

source ~/.bashrc

The command has no output

5. Run the git --version command again.

git --version terminal output

The terminal prints the Git version output if Git is correctly configured.

Step 3: Clone the Vault Repository

Cloning the Vault repository is essential because it allows users to obtain the Vault source code from the official GitHub repository. To accomplish this, run the following:

mkdir -p $GOPATH/src/github.com/hashicorp && cd $_<br>git clone https://github.com/hashicorp/vault.git<br>cd vault
mkdir -p $GOPATH/src/github.com/hashicorp && cd $_git clone https://github.com/hashicorp/vault.gitcd vault terminal output

The command consists of the following:

  • mkdir -p. Creates necessary directories while $GOPATH presents an environment variable that points to the workspace directory where Go projects are stored.
  • cd $_. Changes the current directory to the last argument of the previous command, which is the hashicorp directory created by mkdir.
  • git clone https://github.com/hashicorp/vault.git. Clones a repository from the specified URL.
  • cd vault. Navigates to the cloned repository, allowing users to interact with the Vault source code, configure it, build it, and install it on the system.

Step 4: Bootstrap the Project

Bootstrapping includes fetching and compiling essential dependencies, libraries, and tools to construct the Vault binary. This ensures all prerequisites are set up correctly before moving forward with the build process.

Executing this step via the make bootstrap command guarantees the project is appropriately configured and ready for compilation. Run the following:

make bootstrap
make bootstrap terminal output

Step 5: Build Vault

Compile Vault specifically for your system with the make dev command. The command stores the compiled program in a directory called bin.

make dev
make dev terminal output

Step 6: Confirm Vault Installation

Run vault to verify the program is successfully installed on the system

vault
Terminal output for vault command

Install Vault on Ubuntu via Package Manager

Using a package manager to download and install Vault on Ubuntu offers a streamlined installation process. The process configures dependencies automatically, making the installation process smoother and faster as users proceed without manual intervention. The following text elaborates on installing Vault using the package manager.

Step 1: Update the Local Package Index

Ensure the system's package manager is up-to-date by running the following command:

sudo apt update
terminal output for sudo apt update

Step 2: Install GPG

When installing Vault from a package manager, it's crucial to ensure the packages come from a trusted source and haven't been tampered with. GPG helps by providing cryptographic signatures for packages. These signatures verify the authenticity of the HashiCorp repository and the packages it provides.

If GPG is not already installed, install it using the following command:

sudo apt install gpg
sudo apt install gpg terminal output

Step 3: Download a Keyring

Download the HashiCorp keyring and save it as a GPG keyring file using the following command:

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
Downloading keyring terminal output

The command above does the following:

  • Downloads a keyring file from HashiCorp's website using the wget command.
  • Converts this file into a format easier for the system to use for security purposes using sudo gpg --dearmort .
  • Saves the converted keyring as a GPG keyring file named hashicorp-archive-keyring.gpg in the /usr/share/keyrings/ directory, where the package manager uses it to ensure the HashiCorp's packages authenticity during installation.

Step 4: Verify the Keyring Authenticity

To confirm the downloaded keyring's authenticity, run the following:

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

Verifying keyring terminal output

The command instructs GPG to examine the specified keyring file and display the fingerprint (a unique identifier generated from a cryptographic key) associated with its keys.
Verifying the fingerprint ensures the keyring file is authentic and hasn't been tampered with.

Step 5: Add the HashiCorp Repository to the System's Package Sources List

This following command adds the HashiCorp repository, which hosts the Vault package, to the system's list of package sources:

echo "deb [arch=$(dpkg --print-architecture) signed by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

The command contains the following:

  • echo. Prints text to the terminal.
  • "deb [arch=$(dpkg --print-architecture) signed by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main". Specifies the repository's configuration details.
  • sudo tee /etc/apt/sources.list.d/hashicorp.list. Writes the echo command output to the file /etc/apt/sources.list.d/hashicorp.list. This ensures the package manager recognizes the HashiCorp repository as a valid source for software packages. 

The command has no output.

Once completed, update the package manager once more with sudo apt update.

Step 6: Install Vault

Use the following command to install Vault:

sudo apt install vault
sudo apt install vault terminal output

Following these steps ensures a smooth Vault installation on the Ubuntu system using the package manager. There is no need to configure Vault, unlike with the manual installation. Verify the installation is successful by executing:

vault
vault command terminal output

Install Vault on Ubuntu via Binary Installation

While more complex, the binary method for Vault installation on Ubuntu offers flexibility, control, and ease of upgrade compared to other installation methods. It allows users to install Vault on various systems, customize configurations, and manage upgrades seamlessly. The following steps explain how to install Vault on Ubuntu via the binary installation process.

Step 1: Install Consul

Consul is a scalable service discovery and configuration system, offering features like service registration, health checks, and a distributed key-value store. Consul integration allows Vault to securely manage dynamic secrets and ensures reliable communication between Vault servers and clients.

To install Consul on Ubuntu, take the following steps:

1. Navigate to the official Consul webpage and click the Download icon.

2. The browser takes you to the Download page with all the available packages. Search for the Linux section and the Binary download subsection.

Binary download subsection

At the time of writing this article, the latest available version is 1.17.3. There are four available downloads for different system architectures:

  • 386. Meant for 32-bit x86 processors. Less common nowadays as most systems use 64-bit processors.
  • AMD64. Also known as x86_64. Used for 64-bit x86 processors. Most modern desktop and laptop computers use this architecture.
  • ARM. Meant for 32-bit ARM processors, commonly found in many embedded systems and some low-power devices.
  • ARM64. This is for 64-bit ARM processors, common in modern smartphones, tablets, and some servers.

3. Choose the download compatible with the system's architecture. In this example, it's AMD64.

4. Right-click the Download button and copy the link location, as it is needed in the next step.

copying download link address

5. Open the terminal and use the wget command to download the Consul package:

wget [copied URL]

In this example, it is:

wget https://releases.hashicorp.com/consul/1.17.3/consul_1.17.3_linux_amd64.zip
wget terminal output

6. Unzip the package with the command:

unzip consul_1.17.3_linux_amd64.zip
unzip consul terminal output

The command varies depending on the version. Make sure to use the correct version in the command.

Note: To download unzip software, use the command sudo apt install unzip –y.

7. Move the installation package by typing the following command:

sudo mv consul /usr/bin

The command has no output. However, it moves the Consul installation package to /usr/bin, which allows users to execute the Consul binary from any directory within the system without specifying its full path.

8. Verifying the installation with the command:

consul
consul terminal output

The output lists all available consul commands.

Step 2: Configure Consul

1. Create and open a new file with a text editor of choice. This example uses Vim:

sudo vim /etc/systemd/system/consul.service

2. Add the following content to the consul.service file:

[Unit]

Description=Consul

Documentation=https://www.consul.io/

[Service]

ExecStart=/usr/bin/consul agent -server -ui -data-dir=/temp/consul -bootstrap-expect=1 -node=vault -bind=10.0.2.15 -config-dir=/etc/consul.d/

ExecReload=/bin/kill -HUP $MAINPID

LimitNOFILE=65536

[Install]

WantedBy=multi-user.target

consul.service configuration in vim

Note: In the ExecStart line, the -bind option should include your IP address. Make sure to add it.

The consul.service file content specifies its configuration and behavior and ensures it is automatically started during system boot. It includes:

  • [Unit]. Provides metadata about the unit, including a description and documentation link.
  • Description=Consul. Describes the service's purpose, which in this case is Consul.
  • Documentation=https://www.consul.io/. Provides a link to the documentation for Consul.
  • [Service]. Defines how the service is to be executed.
  • ExecStart=/usr/bin/consul agent. Specifies the command to start the Consul agent.
  • ExecReload=/bin/kill -HUP $MAINPID. Defines the command to reload the service configuration without stopping it completely.
  • LimitNOFILE=65536. Sets a limit on the number of open files the service has.
  • [Install]. Specifies how the service is to be installed.
  • WantedBy=multi-user.target. Indicates the service starts automatically when the system reaches the multi-user target, which is a basic system initialization level.

3. Save and exit the file.

4. Create a configuration directory

sudo mkdir /etc/consul.d

5. The UI configuration file (ui.json) is used to customize various aspects of Consul's user interface, such as enabling or disabling specific features, defining ACL settings, configuring UI themes, etc.

Create a new .json file in the directory:

sudo vim /etc/consul.d/ui.json

5. Set up the Consul UI to listen on all available network interfaces (0.0.0.0) for HTTP connections by adding the following to the newly created file:

{

"addresses": {

"http": "0.0.0.0"

}

}
json file configuration

6. Save and exit the file.

7. Reload the system for the changes to take effect:

systemctl daemon-reload

The command has no output.

8. Start the service with:

systemctl start consul

9. Enable Consul with:

systemctl enable consul
systemctl enable consul terminal output

10. Verify the service is up and running with the journalctl command:

sudo journalctl -u consul
sudo journalctl -u consulterminal output

11. Open a web browser and navigate to the URL:

http://localhost:8500/ui

Consul online management platform

This opens HashiCorp's online management platform and displays available services. If Consul is listed as a service, you have successfully set up the software.

Step 3: Installing Vault on Ubuntu

With Consul in place, install Vault on the Ubuntu system.

1. Go to Vault's official website and click Download.

Vault website, download  button

2. Scroll down to the Linux section.

3. Find the Binary download subsection.

Find the Binary download

4. Choose the download compatible with the system architecture. In this example, it is AMD64.

2. Right-click the Download button and note the link location.

Vault download copying link adress


5. Using the wget command, download the package by pasting the link location copied in the previous step:

wget https://releases.hashicorp.com/vault/1.15.5/vault_1.15.5_linux_amd64.zip
Download vault with wget

4. Unzip the package using the following command:

unzip vault_1.15.5_linux_amd64.zip
unzip vault terminal output

5. Move the package to the /usr/bin directory:

sudo mv vault /usr/bin

The command has no output

6. Check the installation using the following command:

vault
vault terminal output

The output shows all available vault commands.

Step 4: Configure Vault

In binary Vault installation, configuring Vault is crucial because it allows users to set up Vault's behavior in various aspects. Proper configuration ensures Vault operates securely and according to the user's specific requirements. Take the following steps to configure Vault:

1. Create a configuration directory

sudo mkdir /etc/vault

The command has no output.

2. Vault's configuration file, config.hcl, is written in HCL (HashiCorp Configuration Language). With a simpler syntax than JSON or YAML, HCL enhances flexibility and readability, which is particularly useful for specifying policies, authentication methods, secret engines, and other advanced settings in Vault.

Make a configuration file within the directory using a text editor. For instance, to create it with Vim, run:

sudo vim /etc/vault/config.hcl

3. Type or paste the following content into the file:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "IP.ADDRESS.OF.SERVER:8200" # or "0.0.0.0:8200" to listen to everything
  tls_disable = 1
}

ui = true
vault config file in vim

The configuration file consists of:

  • storage "consul". Specifies that Vault uses Consul as its storage backend. It provides the Consul server address (127.0.0.1:8500) and the path where Vault's data is to be stored ("vault/").
  • listener "tcp". Defines how Vault listens for incoming connections. It specifies the address and port (IP.ADDRESS.OF.SERVER:8200) where Vault should listen to client requests. 
  • tls_disable=1. Indicates TLS (Transport Layer Security), which provides secure communication over a network, is disabled in this configuration. Disabling TLS simplifies the configuration and makes it easier to set up and manage Vault,
  • ui = true. Enables the Vault Web UI, allowing users to interact with Vault using a graphical interface.

Note: Make sure to replace "IP.ADDRESS.OF.SERVER" with the actual IP address of your server or "0.0.0.0" if you want to listen to all available interfaces.

4. Save and exit the file.

5. Create a UNI (.uni) file. Vault typically uses HCL for more complex configurations and UNI for simpler, more straightforward configurations. To make a .uni file in Vim, execute:

sudo vim /etc/systemd/system/vault.service

6. Make sure the file content matches the one below:

[Unit]
Description=Vault
Documentation=https://www.vault.io/

[Service]
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=65536
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

vault .uni configuration file

The configuration file is similar to the consul.service configuration file and consists of:

  • [Unit]. Shows metadata about the unit.
  • Description. Explains the unit purpose, which is running Vault.
  • Documentation. Establishes a link to additional documentation for Vault.
  • [Service]. Specifies how the service is to be executed and managed.
  • ExecStart. Determines the command to start the Vault server, including the path to the Vault binary and the configuration file location.
  • ExecReload. Defines the command to reload the service configuration without interrupting service.
  • LimitNOFILE. Sets the maximum number of open file descriptors the Vault process is allowed to use.
  • Restart. Specifies the conditions under which the service is to be restarted.
  • RestartSec. Sets the time to wait before restarting the service.
  • [Install]. Configures installation-related properties.
  • WantedBy. Specifies the target the service should start under. In this case, it's multi-user.target, which means Vault starts when the system enters the multi-user mode.

7. Save and exit the file.

8. Confirm the changes with:

systemctl daemon-reload

9. Start vault with:

systemctl start vault

10. Enable vault with:

systemctl enable vault
systemctl enable vault terminal output

11. Verify the vault status with:

systemctl status vault
systemctl status vault terminal output

The status shows the service is active (running).

8. Using a vault client, connect to the running service with the command:

export VAULT_ADDR=http://[IP.ADDRESS.OF.VAULT]:[PORT.NUMBER]

The IP.ADDRESS.OF.VAULT is to be replaced with the actual IP address and the appropriate port number.

In this example, the command is:

export VAULT_ADDR=http://10.0.2.15:8200

The command has no output.

Step 5: Initialize Vault

As you have already installed Consul to serve as the back-end storage, initialize Vault manually for it to work correctly. Take the following steps:

1. Run the following command to see the current Vault status:

vault status
vault status terminal output


As in the image above, the output displays Vault is sealed and not initialized yet.

2. To change Vault's status, users need three keys. Find them by running the command:

vault operator init
vault operator init terminal output

The terminal returns five Unseal Keys as well as the Initial Root Token. Moreover, it explains that users need to supply at least three keys when the Vault package is resealed, restarted, or stopped. Otherwise, Vault remains sealed. Therefore, copy all five keys and paste them into a separate file.

3. Run the command:

vault operator unseal
vault operator unseal terminal output

4. Copy and paste the first key and hit Enter.

5. Repeat the command three times using the three keys. After the last one, the vault Sealed status changes to false.

vault operator init unsealed terminal output

6. The last step to unseal Vault is to run the following command with the Initial Root Token (listed with the Unseal Keys):

vault login [root_token]
vault login terminal output

7. Now, check the status again to verify the software has been initialized:

vault status
vault status initialized true terminal output

Conclusion

After reading this article, you know how to install Vault on Ubuntu using three different methods. Next, protect your machine by learning about Linux security stats, tools, and best practices.

Was this article helpful?
YesNo
Sofija Simic
Sofija Simic is an experienced Technical Writer. Alongside her educational background in teaching and writing, she has had a lifelong passion for information technology. She is committed to unscrambling confusing IT concepts and streamlining intricate software installations.
Next you should read
How to Install Hashicorp Vault on CentOS 7
December 17, 2019

If you need a management system that will store and protect your authentication and authorization data, you...
Read more
How To Install SSL Certificate on Apache for CentOS 7
September 15, 2019

Learn how to obtain and install SSL Certificates on Apache CentOS 7. The article explains how to use an...
Read more
21 Server Security Tips to Secure Your Server
January 11, 2023

Hackers are always on the lookout for server vulnerabilities. Minimize risks and be confident your data is...
Read more
Vagrant Tutorial: Everything a Beginner Needs To Know
April 17, 2019

Vagrant is a tool for configuring and deploying an exact image of a virtual operating system. It is often...
Read more