Install Vault

System preparation

  1. Open the following firewall ports for incoming Vault connections:

    # sudo firewall-cmd --permanent --add-port=8200/tcp
# sudo firewall-cmd --permanent --add-port=8201/tcp
# sudo firewall-cmd --reload

  2. Install open-vm-tools:

    # sudo yum install open-vm-tools unzip opensc

Create Vault user and group

  1. Create the Vault group:

    # sudo groupadd --system vault

  2. Create the Vault user:

    # sudo useradd --system --shell /sbin/nologin --gid vault vault

  3. Add the Vault user to the nShield nfast group:

    # sudo usermod --append --groups nfast vault

Install Vault

  1. Download the Vault package from HashiCorp at https://releases.hashicorp.com/vault/, ensuring that it is the binary file for Enterprise with HSM support:

    # cd Downloads

# wget https://releases.hashicorp.com/vault/1.19.0+ent.hsm/vault_1.19.0+ent.hsm_linux_amd64.zip
--2025-04-04 10:56:18--  https://releases.hashicorp.com/vault/1.19.0+ent.hsm/vault_1.19.0+ent.hsm_linux_amd64.zip
Resolving releases.hashicorp.com (releases.hashicorp.com)... 18.160.181.50, 18.160.181.55, 18.160.181.20, ...
Connecting to releases.hashicorp.com (releases.hashicorp.com)|18.160.181.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 165452931 (158M) [application/zip]
Saving to: ‘vault_1.19.0+ent.hsm_linux_amd64.zip’

vault_1.19.0+ent.hsm_linux_amd6 100%[=====================================================>] 157.79M  27.7MB/s    in 6.8s

2025-04-04 10:56:34 (23.3 MB/s) - ‘vault_1.19.0+ent.hsm_linux_amd64.zip’ saved [165452931/165452931]

  2. Unzip the binary file and extract it to the working directory on the host machine, for example /usr/local/bin. There should only be a single binary file named vault.

    # unzip vault_1.19.0+ent.hsm_linux_amd64.zip -d /usr/local/bin
Archive:  vault_1.19.0+ent.hsm_linux_amd64.zip
replace /usr/local/bin/EULA.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: /usr/local/bin/EULA.txt
replace /usr/local/bin/vault? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: /usr/local/bin/vault
replace /usr/local/bin/TermsOfEvaluation.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: /usr/local/bin/TermsOfEvaluation.txt

  3. Set Vault permissions:

    # sudo chmod 755 /usr/local/bin/vault
# sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
# ls -la /usr/local/bin/vault
-rwxr-xr-x. 1 root root 397524552 Sep 22 17:22 /usr/local/bin/vault

  4. Add the Vault binary file to the path:

    # sudo vi /etc/profile.d/vault.sh

    Add the following information to vault.sh and restart the system. The VAULT_ADDR variable allows Vault to be accessed from a web browser via the web user interface (web UI).

    # HashiCorp Vault Enterprise path variable
export PATH="$PATH:/usr/local/bin"
export VAULT_ADDR=http://127.0.0.1:8200

  5. Create the Vault data directories:

    # sudo mkdir --parents /opt/vault/data
# sudo mkdir --parents /opt/vault/data/hsm
# sudo mkdir --parents /opt/vault/logs
# sudo chmod --recursive 750 /opt/vault
# sudo chown --recursive vault:vault /opt/vault

  6. Reboot the server:

    # reboot

  7. Confirm the binary file is available:

    # vault version
Vault v1.19.0+ent.hsm (838f2be3861a749e52d97bbacf275a472bec8ccb), built 2025-03-04T12:36:26Z (cgo)

Install Vault license

  1. Create a directory for the Vault license and configuration files:

    # sudo mkdir /etc/vault

  2. Three options are given in the Install a HashiCorp Enterprise License page of the online documentation for enabling an enterprise license, as well as a procedure to request a trail license. For this guide, create a file containing the enterprise license key:

    # cat /etc/vault/license.hclic
02MV4UU43B...

Create a configuration file

Create a /etc/vault/config.hcl configuration file to enable Vault to be run as a service. See also Vault commands.

An example configuration file with OCS protection is shown below. The pin is the passphrase entered when the OCS was created in section install-entrust-hsm.adoc#create-ocs.

# PKCS#11 Seal, Entrust nShield Integration
seal "pkcs11" {
lib = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
slot = "761406614"
pin = "xxxxxxx"
key_label = "vault_v1_ocs"
hmac_key_label = "vault_hmac_v1_ocs"
# Vault is commanding HSM to generate keys if these don't already exists
generate_key = true
}

# Vault listener with TLS disabled
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}

# Storage
storage "raft" {
   path = "/opt/vault/data/hsm"
   node_id = "vault"
}

ui = true

# License file
license_path = "/etc/vault/license.hclic"

disable_mlock = false
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"

# Managed Key Library
kms_library "pkcs11" {
name = "hsm1" # This can be re-named to anything you like
library = "/opt/nfast/toolkits/pkcs11/libcknfast.so" #PKCS11 Library Location
}

In this example:

  • The slot and pin parameters will change according to the protection selected. See section create-vault-encryption-keys.adoc#find-slot-value.

  • The entropy seal mode is set to augmentation. This leverages the HSM for augmenting system entropy via the PKCS #11 protocol.

  • The seal wrap is enabled. By enabling seal wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.

  • Notice the path to the license file.

Create and configure Vault directories

  1. Create file /etc/sysconfig/vault:

    # sudo touch /etc/sysconfig/vault

  2. Create a service file:

    # vi /etc/systemd/system/vault.service

  3. Add the following information to the service file:

    If deploying on a server with more than two CPUs, you may increase the value of Environment=GOMAXPROCS accordingly. 
    [Unit]
Description="HashiCorp Vault"
Requires=network-online.target
After=network-online.target nc_hardserver.service
ConditionFileNotEmpty=/etc/vault/config.hcl
[Service]
User=vault
Group=vault
EnvironmentFile=/etc/sysconfig/vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
StandardOutput=/opt/vault/logs/output.log
StandardError=/opt/vault/logs/error.log
ExecReload=/bin/kill --signal -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitBurst=3
AmbientCapabilities=CAP_IPC_LOCK
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target

  4. If you are setting paths different from the default, edit the following lines in /etc/systemd/system/vault.service. Also change the location of the configuration file config.hcl accordingly:

    ConditionFileNotEmpty=/etc/vault/config.hcl
EnvironmentFile=-/etc/sysconfig/vault
ExecStart=/opt/vault/bin/vault server -config=/etc/vault/config.hcl
StandardOutput=/opt/vault/logs/output.log
StandardError=/opt/vault/logs/error.log

Enable Vault

Enable Vault:

# systemctl enable vault.service