Set up Vault service
When you install the Vault binary to run as a server, it is common to configure Vault to run as a service instead of starting it manually.
The instructions included on this page are based on the example vault.service included in the Vault GitHub repository and were tested on Ubuntu 22.04.
Download a precompiled binary or build from source.
Move the Vault binary to /usr/bin/.
$ sudo mv vault /usr/bin/
Grant the Vault binary the capability it needs to call mlock(), so that it can lock its memory and keep secrets out of swap.
$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
Create a directory to store Vault data. A good practice is to store Vault data and Vault logs on a different volume than the operating system.
$ sudo mkdir -p /opt/vault/data
Create a system user to run Vault and set its shell to nologin.
$ sudo useradd --system --home /opt/vault/data --shell /sbin/nologin vault
Change ownership of /opt/vault/data to the vault user and set permissions.
$ sudo chown vault:vault /opt/vault/data && sudo chmod -R 750 /opt/vault/data
Create a directory for the Vault configuration file.
$ sudo mkdir -p /etc/vault.d
Create a Vault configuration file. The example used is suitable for testing and development, but because it has tls_disable set to 1 (true) it should not be used for real use cases. Refer to the configuration documentation for a list of supported parameters.
$ sudo tee /etc/vault.d/vault.hcl <<EOF
ui = true
cluster_addr = "http://127.0.0.1:8201"
api_addr = "https://127.0.0.1:8200"
disable_mlock = true
storage "raft" {
  path = "/opt/vault/data"
  node_id = "127.0.0.1"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = 1
}
EOF
Change ownership and permission on the Vault configuration file.
$ sudo chown vault:vault /etc/vault.d/vault.hcl && sudo chmod 640 /etc/vault.d/vault.hcl
Create a systemd service.
$ sudo tee /etc/systemd/system/vault.service <<EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://developer.hashicorp.com/vault/docs
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
[Service]
User=vault
Group=vault
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
EOF
Reload the systemd configuration.
$ sudo systemctl daemon-reload
Start the Vault service.
$ sudo systemctl start vault.service
Verify the service status.
$ systemctl status vault.service
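As an added example, not part of the Vault documentation or the Vault project, the following POSIX shell script audits an install against the two points this page calls out before the service goes live: a vault.hcl that still has tls_disable set (and, worse, binds that plaintext listener to 0.0.0.0), and a configuration file or data directory whose mode differs from the 640 and 750 set above. The function names and the two sample configuration files it writes are constructed for this example; it assumes GNU coreutils stat (with a BSD fallback) and checks modes only, since verifying ownership with chown requires root.

```shell
#!/bin/sh
# Added example, not from the Vault docs or project: pre-start audit of the
# settings this page calls out. Function names are constructed here.

# Octal mode of a path. GNU stat assumed; BSD stat as a fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Flag a listener with TLS disabled. Anchoring on the start of the line
# skips HCL comment lines (# or //). Returns 1 when a finding is printed.
audit_vault_config() {
    cfg="$1"
    rc=0
    if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*(1|true|"true")' "$cfg"; then
        echo "FINDING: $cfg sets tls_disable; the API listener is plaintext HTTP"
        rc=1
    fi
    # A plaintext listener bound to every interface is the worst combination.
    if [ "$rc" -eq 1 ] && grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*"0\.0\.0\.0:' "$cfg"; then
        echo "FINDING: $cfg binds the plaintext listener to 0.0.0.0"
    fi
    return $rc
}

# Check that the config file and data directory keep the modes set on this
# page (640 and 750). Ownership is not checked: chown needs root.
audit_vault_perms() {
    cfg="$1"
    data="$2"
    rc=0
    if [ "$(perm_of "$cfg")" != "640" ]; then
        echo "FINDING: $cfg mode is $(perm_of "$cfg"), expected 640"
        rc=1
    fi
    if [ "$(perm_of "$data")" != "750" ]; then
        echo "FINDING: $data mode is $(perm_of "$data"), expected 750"
        rc=1
    fi
    return $rc
}

# Constructed sample: the dev config from this page, written to "$1".
write_dev_config() {
    cat > "$1" <<'EOF'
ui = true
disable_mlock = true
storage "raft" {
  path = "/opt/vault/data"
  node_id = "127.0.0.1"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = 1
}
EOF
}

# Constructed sample: same layout with TLS on. tls_cert_file and
# tls_key_file are real listener parameters; the paths are placeholders.
write_tls_config() {
    cat > "$1" <<'EOF'
ui = true
# tls_disable = 1   (commented out: must not be reported)
storage "raft" {
  path = "/opt/vault/data"
  node_id = "127.0.0.1"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file = "/etc/vault.d/PLACEHOLDER-cert.pem"
  tls_key_file  = "/etc/vault.d/PLACEHOLDER-key.pem"
}
EOF
}

# Run both audits against the paths used on this page; non-zero on any finding.
run_audit() {
    overall=0
    audit_vault_config /etc/vault.d/vault.hcl || overall=1
    audit_vault_perms /etc/vault.d/vault.hcl /opt/vault/data || overall=1
    return $overall
}

if [ "${1:-}" = "--audit" ]; then
    run_audit
fi
```

Run it on the host with `sh vault_audit.sh --audit` after the chmod steps above; a non-zero exit means at least one finding was printed. The regexes are anchored at line start so a commented-out tls_disable is ignored, and the 0.0.0.0 check only fires when TLS is actually off, since a TLS listener on all interfaces is the normal production layout.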