Install Vault

System preparation

  1. Open the following firewall ports for incoming Vault connections. Port 8200 is the API and web UI listener; 8201 is the cluster port that Vault nodes use to talk to each other and only needs to be reachable from other Vault nodes:

    # sudo firewall-cmd --permanent --add-port=8200/tcp
    # sudo firewall-cmd --permanent --add-port=8201/tcp
    # sudo firewall-cmd --reload
  2. Install open-vm-tools (for a VMware guest), together with unzip for unpacking the Vault package and opensc, which provides pkcs11-tool for inspecting PKCS #11 slots:

    # sudo yum install open-vm-tools unzip opensc

Create Vault user and group

  1. Create the Vault group:

    # sudo groupadd --system vault
  2. Create the Vault user:

    # sudo useradd --system --shell /sbin/nologin --gid vault vault
  3. Add the Vault user to the nShield nfast group:

    # sudo usermod --append --groups nfast vault

Install Vault

  1. Download the Vault package from HashiCorp at https://releases.hashicorp.com/vault/, ensuring that it is the binary file for Enterprise with HSM support:

    # cd Downloads
    
    # wget https://releases.hashicorp.com/vault/1.19.0+ent.hsm/vault_1.19.0+ent.hsm_linux_amd64.zip
    --2025-04-04 10:56:18--  https://releases.hashicorp.com/vault/1.19.0+ent.hsm/vault_1.19.0+ent.hsm_linux_amd64.zip
    Resolving releases.hashicorp.com (releases.hashicorp.com)... 18.160.181.50, 18.160.181.55, 18.160.181.20, ...
    Connecting to releases.hashicorp.com (releases.hashicorp.com)|18.160.181.50|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 165452931 (158M) [application/zip]
    Saving to: ‘vault_1.19.0+ent.hsm_linux_amd64.zip’
    
    vault_1.19.0+ent.hsm_linux_amd6 100%[=====================================================>] 157.79M  27.7MB/s    in 6.8s
    
    2025-04-04 10:56:34 (23.3 MB/s) - ‘vault_1.19.0+ent.hsm_linux_amd64.zip’ saved [165452931/165452931]
  2. Unzip the package into the directory that will hold the binary, for example /usr/local/bin. The archive contains the vault binary plus EULA.txt and TermsOfEvaluation.txt; only the single binary named vault is needed to run Vault. The replace prompts below appear only because an earlier copy was already present in that directory:

    # unzip vault_1.19.0+ent.hsm_linux_amd64.zip -d /usr/local/bin
    Archive:  vault_1.19.0+ent.hsm_linux_amd64.zip
    replace /usr/local/bin/EULA.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: /usr/local/bin/EULA.txt
    replace /usr/local/bin/vault? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: /usr/local/bin/vault
    replace /usr/local/bin/TermsOfEvaluation.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
      inflating: /usr/local/bin/TermsOfEvaluation.txt
  3. Set Vault permissions:

    # sudo chmod 755 /usr/local/bin/vault
    # sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
    # ls -la /usr/local/bin/vault
    -rwxr-xr-x. 1 root root 397524552 Sep 22 17:22 /usr/local/bin/vault
  4. Add the Vault binary file to the path:

    # sudo vi /etc/profile.d/vault.sh

    Add the following to vault.sh and restart the system (or log out and back in so the profile is re-read). VAULT_ADDR tells the vault command-line client which server to talk to; it matches the listener address used in the configuration file created later in this guide. The web UI is reached by opening the same URL in a browser and is not affected by this variable.

    # HashiCorp Vault Enterprise path variable
    export PATH="$PATH:/usr/local/bin"
    export VAULT_ADDR=http://127.0.0.1:8200
  5. Create the Vault data directories:

    # sudo mkdir --parents /opt/vault/data
    # sudo mkdir --parents /opt/vault/data/hsm
    # sudo mkdir --parents /opt/vault/logs
    # sudo chmod --recursive 750 /opt/vault
    # sudo chown --recursive vault:vault /opt/vault
  6. Reboot the server:

    # reboot
  7. Confirm the binary file is available:

    # vault version
    Vault v1.19.0+ent.hsm (838f2be3861a749e52d97bbacf275a472bec8ccb), built 2025-03-04T12:36:26Z (cgo)
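    The download in step 1 should be checked against the SHA256SUMS file HashiCorp publishes beside every release before the archive is unpacked and given cap_ipc_lock. The script below is an added example, not part of this guide or of HashiCorp's tooling. It assumes the SHA256SUMS file (and, optionally, its detached .sig) were fetched from the same release directory as the zip; the URLs in the comments follow that assumed pattern, and the HashiCorp release key must already be imported from https://www.hashicorp.com/security for the signature check to mean anything.

```shell
#!/bin/sh
# Added example (not from the guide): verify a downloaded Vault release zip
# against HashiCorp's published SHA256SUMS file before unpacking it.
#
# Assumed companion files, fetched next to the zip:
#   https://releases.hashicorp.com/vault/1.19.0+ent.hsm/vault_1.19.0+ent.hsm_SHA256SUMS
#   https://releases.hashicorp.com/vault/1.19.0+ent.hsm/vault_1.19.0+ent.hsm_SHA256SUMS.sig

# verify_release_zip ZIP SUMS
# Returns 0 if the SHA-256 of ZIP matches its entry in SUMS, 1 on mismatch,
# 2 if SUMS carries no entry for that file name.
verify_release_zip() {
    zip=$1
    sums=$2
    name=$(basename "$zip")
    # SHA256SUMS lines look like "<hex digest>  <file name>". Match on the
    # exact file name so a similarly named asset cannot satisfy the check.
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$zip" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "verify: SHA-256 mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify: $name matches $sums"
    return 0
}

# verify_sums_signature SUMS SIG
# Checks the detached PGP signature on the SHA256SUMS file. The checksum alone
# proves the download arrived intact; only the signature ties it to HashiCorp,
# and only if the key in the keyring was compared against the fingerprint
# published at https://www.hashicorp.com/security.
verify_sums_signature() {
    gpg --verify "$2" "$1"
}

# Usage when run directly:  ./verify-vault.sh ZIP SUMS [SUMS.sig]
if [ "$#" -ge 2 ]; then
    if [ "$#" -ge 3 ]; then
        verify_sums_signature "$2" "$3" || exit 1
    fi
    verify_release_zip "$1" "$2" || exit 1
fi
```

    Run it before the unzip in step 2; a non-zero exit means the archive must not be installed. The name match is deliberate: a SHA256SUMS file lists every platform build, and checking the whole file with a loose pattern would let any listed asset stand in for the one you downloaded.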

Install Vault license

  1. Create a directory for the Vault license and configuration files:

    # sudo mkdir /etc/vault
  2. The Install a HashiCorp Enterprise License page of the online documentation gives three options for enabling an enterprise license, as well as a procedure for requesting a trial license. For this guide, create a file containing the enterprise license key and make it readable by the vault user only (for example owner vault, mode 0640), since the service loads it through license_path in the configuration file:

    # cat /etc/vault/license.hclic
    02MV4UU43B...

Create a configuration file

Create a /etc/vault/config.hcl configuration file to enable Vault to be run as a service. See also Vault commands.

An example configuration file with OCS protection is shown below. The pin is the passphrase entered when the OCS was created in section install-entrust-hsm.adoc#create-ocs. Because the file contains that passphrase, restrict it to the service account (for example owner root, group vault, mode 0640).

# PKCS#11 Seal, Entrust nShield Integration
seal "pkcs11" {
  lib            = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
  slot           = "761406614"
  pin            = "xxxxxxx"
  key_label      = "vault_v1_ocs"
  hmac_key_label = "vault_hmac_v1_ocs"
  # Vault instructs the HSM to generate the keys if they do not already exist
  generate_key   = true
}

# Vault listener with TLS disabled (lab use only)
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

# Storage
storage "raft" {
  path    = "/opt/vault/data/hsm"
  node_id = "vault"
}

ui = true

# License file
license_path = "/etc/vault/license.hclic"

disable_mlock = false
api_addr      = "http://127.0.0.1:8200"
cluster_addr  = "https://127.0.0.1:8201"

# Managed Key Library
kms_library "pkcs11" {
  name    = "hsm1" # This can be renamed to anything you like
  library = "/opt/nfast/toolkits/pkcs11/libcknfast.so" # PKCS#11 library location
}

In this example:

  • The slot and pin parameters will change according to the protection selected. See section create-vault-encryption-keys.adoc#find-slot-value.

  • The pin is stored in clear text, so config.hcl must not be world-readable. Alternatively, omit the pin parameter and supply the passphrase through the VAULT_HSM_PIN environment variable, which the pkcs11 seal reads in its place.

  • The listener binds every interface with TLS disabled, and api_addr is therefore http. This is acceptable only in an isolated lab; otherwise tokens and secrets cross the network in the clear. For any other deployment set tls_cert_file and tls_key_file on the listener and change api_addr to https. cluster_addr is always https because Vault uses TLS for cluster traffic regardless of the listener setting.

  • generate_key = true lets Vault create the seal key and HMAC key on the HSM under the given labels the first time it initializes; thereafter the existing keys under those labels are used.

  • Entropy augmentation is not configured in this file. Adding an entropy "seal" stanza with mode = "augmentation" makes Vault draw entropy from the HSM via PKCS #11 for its critical security parameters.

  • Seal wrap is enabled, because disable_sealwrap is not set. With an HSM seal, Vault wraps its most sensitive stored values with an extra layer of encryption performed by the HSM.

  • Notice the path to the license file.
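The configuration below is an added example, not taken from this guide or from HashiCorp or Entrust documentation. It keeps the same nShield seal, Raft storage and managed-key library as the file above but addresses the three points flagged in the list: the listener serves TLS, the OCS passphrase comes from the VAULT_HSM_PIN environment variable instead of the file, and entropy augmentation is switched on. The certificate and key paths, the hostname in api_addr and cluster_addr, the slot number and the key labels are placeholders and must be replaced with the values for your installation.

```hcl
# Added example: hardened variant of the configuration above.
# Placeholders (not from the guide): certificate/key paths, hostname,
# slot number, key labels.

seal "pkcs11" {
  lib            = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
  slot           = "761406614"
  # No pin here: Vault reads it from VAULT_HSM_PIN, which systemd passes in
  # from the root-only /etc/sysconfig/vault via its EnvironmentFile= line.
  key_label      = "vault_v1_ocs"
  hmac_key_label = "vault_hmac_v1_ocs"
  generate_key   = true
}

# Mix HSM-provided entropy into Vault's critical security parameters over PKCS #11.
entropy "seal" {
  mode = "augmentation"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault/tls/vault.crt"   # assumed path
  tls_key_file    = "/etc/vault/tls/vault.key"   # assumed path
  tls_min_version = "tls12"
}

storage "raft" {
  path    = "/opt/vault/data/hsm"
  node_id = "vault"
}

ui            = true
license_path  = "/etc/vault/license.hclic"
disable_mlock = false

# With TLS on the listener, api_addr must be https and should carry the name
# that clients (and the certificate) actually use; hostname is assumed.
api_addr     = "https://vault.example.com:8200"
cluster_addr = "https://vault.example.com:8201"

kms_library "pkcs11" {
  name    = "hsm1"
  library = "/opt/nfast/toolkits/pkcs11/libcknfast.so"
}
```

With this file, /etc/sysconfig/vault holds a single line of the form VAULT_HSM_PIN=<OCS passphrase>; systemd reads that file as root before switching to the vault user, so it can be owned by root with mode 0600 while config.hcl no longer contains anything secret. The VAULT_ADDR set earlier in /etc/profile.d/vault.sh then needs to change to the https URL, and the vault CLI must trust the listener certificate (VAULT_CACERT) if it is not signed by a CA in the system store.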

Create and configure the Vault service

  1. Create file /etc/sysconfig/vault. systemd reads it as root before the service drops to the vault user, so it is the right place for environment variables such as VAULT_HSM_PIN if the PIN is kept out of config.hcl; keep it owned by root with mode 0600:

    # sudo touch /etc/sysconfig/vault
  2. Create a service file:

    # vi /etc/systemd/system/vault.service
  3. Add the following information to the service file:

    Go sets GOMAXPROCS to the number of available CPUs by default; the unit file below does not override it, but on a server with more than two CPUs you may add an Environment=GOMAXPROCS=<n> line to the [Service] section if you need to. Note that StandardOutput= and StandardError= need the append: prefix (systemd 240 or later; use file: on older releases) to write to a file: a bare path is not a valid output specifier, systemd ignores it and the output goes to the journal instead.

    [Unit]
    Description="HashiCorp Vault"
    Requires=network-online.target
    Wants=nc_hardserver.service
    After=network-online.target nc_hardserver.service
    ConditionFileNotEmpty=/etc/vault/config.hcl
    [Service]
    User=vault
    Group=vault
    EnvironmentFile=/etc/sysconfig/vault
    ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
    StandardOutput=append:/opt/vault/logs/output.log
    StandardError=append:/opt/vault/logs/error.log
    ExecReload=/bin/kill --signal HUP $MAINPID
    KillMode=process
    Restart=on-failure
    RestartSec=5
    TimeoutStopSec=30
    StartLimitInterval=60
    StartLimitBurst=3
    AmbientCapabilities=CAP_IPC_LOCK
    LimitNOFILE=65536
    LimitMEMLOCK=infinity
    [Install]
    WantedBy=multi-user.target
  4. If you are using paths other than the defaults, edit the following lines in /etc/systemd/system/vault.service, and change the location of the configuration file config.hcl accordingly. If the binary moves, repeat the setcap step from the installation for its new location:

    ConditionFileNotEmpty=/etc/vault/config.hcl
    EnvironmentFile=/etc/sysconfig/vault
    ExecStart=/opt/vault/bin/vault server -config=/etc/vault/config.hcl
    StandardOutput=append:/opt/vault/logs/output.log
    StandardError=append:/opt/vault/logs/error.log

Enable Vault

Enable the service so that it starts at boot, then start it and confirm that it is running. If the unit fails, check /opt/vault/logs/error.log and journalctl -u vault.service; a wrong slot, pin or key label in the seal stanza, or a hardserver that is not yet running, surfaces there as a seal initialization failure.

# systemctl enable vault.service
# systemctl start vault.service
# systemctl status vault.service