This guide applies to Vault versions 1.6 - 1.8.
This deployment guide outlines the required steps to manually install and configure a single HashiCorp Vault cluster as defined in the Vault with Integrated Storage Reference Architecture on virtual machines (VMs) or bare-metal servers running a Debian- or RedHat-based Linux distribution.
This guide includes general guidance as well as specific recommendations for popular cloud infrastructure platforms. These recommendations have also been encoded into official Terraform modules for AWS, Azure, and GCP.
»Install Vault
Pre-built Vault packages are available from the HashiCorp Linux
Repository.
In addition to the installing the Vault binary, the official package also
seeds Vault with a working configuration, a systemd service unit, and a local
vault user account under which the service will be run.
Add the HashiCorp GPG key as a trusted package-signing key.
Add the official HashiCorp Linux repository.
Update the package index.
Install Vault.
NOTE: To install open source Vault, replace vault-enterprise with vault.
»Prepare TLS certificates
NOTE: The installation package generates a self-signed TLS certificate for use by the Vault service to secure intra-cluster communication. While these certificates are usable for experimenting with getting Vault up and running, HashiCorp strongly recommends replacing them with certificates generated and signed by an appropriate CA.
You must have three files to configure TLS for Vault. Place them at these paths:
/opt/vault/tls/vault-cert.pem- The Vault TLS certificate itself, which a Common Name (CN) or Subject Alternative Name (SAN) that matches the value set forleader_tls_servernamein the Raft configuration. If this file was signed by an intermediate CA, append the certificate of that CA (and any other chained CAs) to the end of this file./opt/vault/tls/vault-key.pem- The private key of the Vault TLS certificate./opt/vault/tls/vault-ca.pem- The certificate of the CA root which signed the Vault TLS certificate.
Set the file ownership of the CA and certificate files to be owned by root.
Set the file group ownership of the private key to allow the Vault service to read the file.
Set the file permissions of the CA and certificate files to be world-readable.
Set the file permissions of the private key file to be readable only by the Vault service.
»Configure Vault
Vault may be configured by editing the /etc/vault.d/vault.hcl file included
with the installation package. Refer to the Vault Configuration
Overview for additional details
about each setting.
»Base configuration
The core required configuration values for Vault are cluster_addr, api_addr,
and listener. The configuration below tells vault to advertise its local IPv4
address for internal communication, and to listen to TCP port 8200 on all
network interfaces using the TLS configuration files specified.
The configuration also sets disable_mlock to true, which is strongly
recommended for the integrated storage backend to avoid out-of-memory errors.
»Raft configuration
Using Vault integrated storage requires configuring the Raft storage backend. Raft peers may be initialized manually, with hard-coded configuration values, or via the cloud auto-join feature on supported cloud providers. Refer to the Integrated Storage configuration documentation for additional details about each setting.
To use Raft auto-join on AWS, each Vault EC2 instance must be tagged with a
key-value pair that is unique to its specific Vault cluster. The instances
must also have appropriate permissions via an IAM role attached to their
instance profile. See the Cloud auto-join
documentation
for more details about the format of the auto_join configuration value and
the permissions required.
»Auto-unseal
If you are using a supported cloud provider or have access to a supported
hardware security module (HSM),
you can enable auto-unseal using the seal configuration stanza.
To use AWS KMS for auto-unsealing securely, your EC2 instances should have
appropriate permissions to a KMS key via their instance profile. See the
awskms seal documentation
for full details of the configuration options and necessary permissions.
»Enterprise license
NOTE: This section applies only to Vault Enterprise.
Beginning with Vault 1.8, an Enterprise license file must exist on disk and be readable by the Vault service.
Copy your Vault Enterprise license file to /opt/vault/vault.hclic. Then set
the file's group ownership to allow the Vault service to read the file.
Set the file permissions to allow the Vault service to read the file, but no other users to access the file.
Add the path to the Enterprise license file to /etc/vault.d/vault.hcl.
»Vault web UI
To enable the Vault web UI, set the ui configuration value to true.
»Enable and start the Vault service
Enable the systemd vault.service unit to allow the Vault service to start.
Start the Vault service.
Check the status of the Vault service to ensure it is running.
»Check the status of Vault
To ensure Vault is running, you can use the vault status command.
To ensure TLS connection can be validate, first set the VAULT_CACERT
environment variable to the path of the CA root certificate.
Then use vault status to see the status of the local Vault server.
»Initialize Vault
If this is the first time you are running this cluster, Vault will need to be initialized on one host before Raft clients can be joined.
Take note of these values and store them securely. You will need them to manually unseal Vault and to perform initial setup.
»Unseal Vault
If you configured auto-unseal, Vault should unseal automatically. Use the
vault status command to check whether Vault is sealed.
If Vault is sealed, use the vault operator unseal command on each host
in the cluster with the unseal keys you received when initializing Vault
to unseal it.
Repeat the unseal command with new keys until the unseal progress is complete and Vault is unsealed.
»Additional configuration
»Audit Logging
Vault provides audit logging via Audit devices which serialize details of each request and response Vault handles. These logs may be stored to a file on disk, or sent to syslog or any socket endpoint.
Learn more about using audit logs to monitor and secure your Vault deployment with the Monitor Telemetry & Audit Device Log Data tutorial.
»Autopilot
Integrated storage Autopilot
may be configured through the Vault API. If you are using an autoscaling
cloud service to manage your Vault instances, it's important to set the
Cleanup Dead Servers setting to true and to tune the Min Quorum,
Dead Server Last Contact Threshold, and Server Stabilization Time values
for your deployment environment. See the Autopilot
tutorial
for more information on each configuration value.
»Replication
Vault Enterprise supports replication functionality to support performance and disaster recovery use cases. There are a number of tutorials and other documentation to explain the concepts and provide details about configuring these replication modes.
- Vault Enterprise Replication
- Vault Replication Internals
- Setting Up Performance Replication
- Disaster Recovery Repication Setup
- Monitoring Vault Replication
»Resource Quotas
Vault provides tools for establishing lease count limits (Enterprise only) and request rate limits to avoid systemwide denial-of-service. Learn more about the concepts and capabilities behind Vault resource quotas in the Resource Quotas concepts documentation, and discover how to enable and manage resource quotas in the Protecting Vault with Resource Quotas tutorial.
»Telemetry
The telemetry stanza specifies various configurations for Vault to publish
metrics to upstream systems. Vault supports sending telemetry to a number of
systems including Circonus, DogStatsD, Prometheus, Stackdriver, Statsite, and
any statsd-compatible endpoint.
Review the telemetry configuration section of our documentation for details on configuring Vault telemetry for your provider, and learn more about Vault's telemetry collection and which metrics are collected in the telemetry internals documentation.
You can also learn more about using telemetry to monitor Vault on our Monitor Telemetry & Audit Device Log Data tutorial.
