How to Install Hashicorp Vault on Ubuntu 18.04

Vault is a management system for sensitive information. It stores, controls, and protects the data you use for authentication or authorization processes.

Vault restricts and manages access to “sensitive secrets” including passwords, certificates, or APIs. It also provides data encryption, on-demand secrets, and revocation. In this tutorial learn how to install and configure Vault on Ubuntu 18.04, as well as how to set up Consul.

• Ubuntu 18.04
• A user account with sudo privileges
• Access to a terminal window/command-line (Ctrl-Alt-T)

Consul is a highly scalable and distributed service discovery and configuration system. You can coordinate Consul Storage as a back-end to Vault to ensure the software is highly available and fault-tolerant.

The first step is to install and configure Consul on Ubuntu 18.04.

1. Start by navigating to the official Consul webpage and clicking on the Download icon.

2. The browser then takes you to the Download page with all the available packages. Search for the Linux section and right-click on the 32 or 64-bit version. Copy the link location, as you will need it in the next step.

3. Open the terminal (Ctrl+Alt+T) and use the wget command to download the Consul package:

wget https://releases.hashicorp.com/consul/1.6.1/consul_1.6.1_linux_amd64.zip

4. Next, unzip the package with the command:

unzip consul_1.6.1_linux_amd64.zip

5. Then, move the installation package by typing the following command:

sudo mv consul /usr/bin

6. End by verifying the installation with the command:

consul

The output should list all available consul commands, as in the image below:

1. Create and open a new file with:

sudo nano /etc/system/system/consul.service

2. Add the following content to the consul.service file:

[Unit]
Description=Consul
Documentation=https://www.consul.io/
[Service]
ExecStart=/usr/bin/consul agent –server –ui –data-dir=/temp/consul –bootstrap-expect=1 –node=vault –bind=IP.ADDRESS.OF.SERVER –config-dir=/etc/consul.d/
ExecReload=/bin/kill –HUP $MAINPID
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

3. Save and exit the file.

4. Then, move on to creating a configuration directory and adding a new .json file in it:

sudo mkdir /etc/consul.d

nano /etc/consul.d/ui.json

5. To set up the ui to connect to anything, add the following content to the newly created file:

{

“addresses”: {

“http”: “0.0.0.0”

}

}

6. Make sure to save before exiting the file.

7. For the changes to take place, you have to reload, start, and enable the consul service.

Reload the system with the command:

systemctl daemon-reload

Run the command for starting the service:

systemctl start consul

Then, enable it by using:

systemctl enable consul

Verify that the service is up and running with the command:

journalctl –f –u consul

Followed by opening a web browser and navigating to the URL:

vault.admintome.lab:8500/ui/

This opens HashiCorp’s online management platform, and displays available services. If you see consul as a service, you have successfully set up the software.

With Consul in place, move on to installing Vault on your Ubuntu 18.04 system.

1. Go to Vault’s official website, click on Download, and find the available package for Linux distributions.

2. Right-click on the Download icon and copy the link location.

3. Using the wget command, download the package by pasting the link location copied in the previous step:

wget https://releases.hashicorp.com/vault/1.2.3/vault_1.2.3_linux_amd64.zip

4. Next, unzip the package using the following command:

unzip vault_1.2.3_linux_amd64.zip

5. Then, move the package to the /usr/bin directory:

mv vault /usr/bin

6. Check the installation using the following command:

vault

As a result, a list of all available vault commands should appear, as in the image below:

1. Start by creating a configuration directory and a file within it:

sudo nano /etc/vault/config.hcl

2. Then, type or paste the following content in the file:

storage “consul” {
address = “127.0.0.1:8500”
path = “vault/”
}
listener “tcp” {
address = ”IP.ADDRESS.OF.SERVER” [or “0.0.0.0” to listen to everything]
tls_disable = 1
}
ui = true

3. Again, save and exit the file.

4. Next, you need to create a UNI (.uni) file, a commonly used extension for configuration files. The easiest way to do this is to copy Consul’s configuration file and modify the specifications to suit Vault.

Duplicate the existing service configuration file under a new name with the command:

cp /etc/system.system/consul.service /etc/system/system/vault.service

5. Open the new vault.service file:

vim /etc/system/system/vault.service

6. Make sure the content of the file matches the one below. Essentially, you’ll need to change all Consul specific values with the appropriate Vault ones.

[Unit]
Description=Vault
Documentation=https://www.vault.io/

[Service]
ExecStart=/usr/bin/vault server –config=/etc/vault/config.hcl
ExecReload=/bin/kill –HUP $MAINPID
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

7. After saving the file, exit back to the terminal shell and launch the service with the following commands:

systemctl daemon-reload

systemctl start vault

systemctl enable vault

systemctl status vault

The status should show the service is active (running).

8. Using a vault client, connect to the running service with the command:

export VAULT_ADDR=http://IP.ADDRESS.OF.VAULT:CLIENT

As you have already installed Consul to serve as the back-end storage, you’ll now need to initialize Vault manually for it to work correctly.

1. First, run the following command to see current Vault status:

vault status

As in the image above, the output displays that Vault is sealed and not initialized yet.

2. To change its status, you need three (3) keys you can find by running the command:

vault operator init

The terminal will return five (5) Unseal Keys as well as an Initial Root Token. Also, it explains that anytime the Vault package is re-sealed, restarted, or stopped, you will need to supply at least three (3) of these keys.

If you do not provide the specified keys, Vault will remain sealed. Therefore, copy all five keys and paste them in a separate file.

3. Once you have at least 3 unseal keys, run the command:

vault operator unseal

4. Copy and paste the first key, and hit Enter.

5. Repeat the same procedure for the Unseal Key 2 and 3.

6. The last step to unseal Vault is to run the following command with the Initial Root Token (listed with the Unseal Keys):

vault login [root_token]

7. Now, check the status again to verify that the software has been initialized:

vault status

This article walked you through installing Vault on Ubuntu 18.04. We also covered, configuring, initializing Vault, and outlined how to run Consul as a back-end storage service.