HashiCorp Vault is a secrets management tool that provides a centralized way to store, access, and distribute secrets such as API keys, passwords, certificates, and encryption keys. Vault handles leasing, key revocation, key rolling, and auditing. It supports multiple authentication methods and secrets engines, making it a standard choice for managing sensitive data in production environments.
This guide walks you through installing and configuring HashiCorp Vault 1.21 on Ubuntu 24.04 and Rocky Linux 10 (or RHEL 10). You will set up a production-ready Vault server with file storage backend, initialize and unseal the vault, enable authentication, store and retrieve secrets, and access the Vault web UI. By the end, you will have a working Vault instance ready for secrets management.
Prerequisites
Before you begin, make sure you have the following in place:
- A server running Ubuntu 24.04 or Rocky Linux 10 / RHEL 10
- Root or sudo access on the server
- A stable network connection
- A DNS name or static IP address for your Vault server (recommended for production)
- Ports 8200 (API/UI) open in your firewall
Step 1: Install HashiCorp Vault
HashiCorp provides official repositories for both Debian-based and RHEL-based distributions. Using the official repo ensures you get verified packages and straightforward upgrades.
Install Vault on Ubuntu 24.04
Add the HashiCorp GPG key and repository, then install Vault.
sudo apt update
sudo apt install -y gpg coreutils
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
sudo apt install -y vault
Install Vault on Rocky Linux 10 / RHEL 10
Add the HashiCorp YUM repository and install the package.
sudo dnf install -y dnf-plugins-core
sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo dnf install -y vault
Verify Installation
Confirm Vault is installed correctly by checking the version.
vault --version
Expected output:
Vault v1.21.4 (xxx), built YYYY-MM-DDTHH:MM:SSZ
Step 2: Configure Vault Server
Vault reads its configuration from /etc/vault.d/vault.hcl. The default configuration that ships with the package uses a file-based storage backend, which works well for single-server deployments. For high-availability production clusters, consider using the Raft integrated storage backend instead. See the Vault seal/unseal documentation for more details on production architecture.
Back up the default configuration file, then create a new one.
sudo cp /etc/vault.d/vault.hcl /etc/vault.d/vault.hcl.bak
Write the Vault server configuration. Replace YOUR_SERVER_IP with the actual IP address or hostname of your server.
echo 'ui = true
storage "file" {
  path = "/opt/vault/data"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
api_addr     = "http://YOUR_SERVER_IP:8200"
cluster_addr = "https://YOUR_SERVER_IP:8201"' | sudo tee /etc/vault.d/vault.hcl
Here is what each setting does:
- ui = true – Enables the built-in web interface
- storage "file" – Uses local filesystem storage at /opt/vault/data
- listener "tcp" – Listens on all interfaces on port 8200. TLS is disabled here for initial setup; enable it for production use
- api_addr – The address Vault advertises to clients
- cluster_addr – Used for cluster communication if you scale to multiple nodes
Create the data directory and set proper ownership.
sudo mkdir -p /opt/vault/data
sudo chown -R vault:vault /opt/vault/data
sudo chown vault:vault /etc/vault.d/vault.hcl
sudo chmod 640 /etc/vault.d/vault.hcl
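The listener block above deliberately turns TLS off to get a first server running. Because that setting is easy to forget, here is a small pre-flight audit script, added for this guide and not part of HashiCorp's tooling, that reads a vault.hcl and flags the settings that must change before production: a listener with tls_disable set, an api_addr that advertises http://, and a plaintext listener bound to every interface. It runs the check against two constructed config files, the guide's initial-setup config and a TLS-enabled variant; the hostname and certificate paths in them are placeholders.

```shell
#!/bin/sh
# Added example (not the guide's or HashiCorp's code): pre-flight audit of a
# Vault server config for cleartext-transport settings.
# Both config files below are constructed for the demonstration.

# Usage: audit_vault_config /path/to/vault.hcl
# Prints one line per finding and sets AUDIT_FINDINGS to the number found.
audit_vault_config() {
    cfg="$1"
    AUDIT_FINDINGS=0
    tls_off='^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*(1|true|"true")'
    if grep -Eq "$tls_off" "$cfg"; then
        echo "WARN: listener has tls_disable set; tokens and secrets cross the network in cleartext"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    if grep -Eq '^[[:space:]]*api_addr[[:space:]]*=[[:space:]]*"http://' "$cfg"; then
        echo "WARN: api_addr advertises an http:// endpoint; clients are redirected to a cleartext address"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    # A wildcard bind is only a concern while TLS is off.
    if grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*"0\.0\.0\.0:' "$cfg" \
       && grep -Eq "$tls_off" "$cfg"; then
        echo "WARN: plaintext listener is bound to every interface (0.0.0.0)"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    if [ "$AUDIT_FINDINGS" -eq 0 ]; then
        echo "OK: no cleartext-transport findings in $cfg"
    fi
    return 0
}

# Constructed config 1: the initial-setup config from this guide.
setup_cfg=$(mktemp)
prod_cfg=$(mktemp)
trap 'rm -f "$setup_cfg" "$prod_cfg"' EXIT
cat >"$setup_cfg" <<'EOF'
ui = true
storage "file" {
  path = "/opt/vault/data"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
api_addr     = "http://vault.example.internal:8200"
cluster_addr = "https://vault.example.internal:8201"
EOF

# Constructed config 2: the same server with TLS enabled on the listener
# (certificate paths are placeholders).
cat >"$prod_cfg" <<'EOF'
ui = true
storage "file" {
  path = "/opt/vault/data"
}
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}
api_addr     = "https://vault.example.internal:8200"
cluster_addr = "https://vault.example.internal:8201"
EOF

echo "== initial-setup config =="
audit_vault_config "$setup_cfg"
echo "== TLS-enabled config =="
audit_vault_config "$prod_cfg"
```

Run it as a plain shell script before `systemctl enable --now vault`; the initial-setup config produces three warnings, the TLS-enabled one none. The script only inspects the listener and api_addr lines, so it does not replace a review of the full configuration.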
Step 3: Start and Enable Vault Service
Start the Vault service and enable it to start on boot.
sudo systemctl enable --now vault
Check that the service is running.
sudo systemctl status vault
You should see output showing the service is active and running:
● vault.service - "HashiCorp Vault - A tool for managing secrets"
Loaded: loaded (/usr/lib/systemd/system/vault.service; enabled; preset: disabled)
Active: active (running) since ...
Main PID: 12345 (vault)
Tasks: 8 (limit: ...)
Memory: 100.0M
CGroup: /system.slice/vault.service
└─12345 /usr/bin/vault server -config=/etc/vault.d/vault.hcl
Set the VAULT_ADDR environment variable so the Vault CLI knows where to connect. Add this to your shell profile to make it persistent.
export VAULT_ADDR='http://127.0.0.1:8200'
echo 'export VAULT_ADDR="http://127.0.0.1:8200"' | sudo tee -a /etc/profile.d/vault.sh
Step 4: Initialize and Unseal Vault
When Vault starts for the first time, it is in a sealed state and needs to be initialized. Initialization generates the encryption keys and root token. This step only happens once.
Initialize Vault
Run the operator init command. By default, Vault uses Shamir’s Secret Sharing and creates 5 key shares with a threshold of 3 (meaning 3 out of 5 keys are needed to unseal).
vault operator init
This produces output containing five unseal keys and an initial root token:
Unseal Key 1: xYz1234567890abcdefGHIJKLMNOPQRSTUVWXyz1234=
Unseal Key 2: AbC1234567890abcdefGHIJKLMNOPQRSTUVWXyz5678=
Unseal Key 3: DeF1234567890abcdefGHIJKLMNOPQRSTUVWXyz9012=
Unseal Key 4: GhI1234567890abcdefGHIJKLMNOPQRSTUVWXyz3456=
Unseal Key 5: JkL1234567890abcdefGHIJKLMNOPQRSTUVWXyz7890=
Initial Root Token: hvs.XXXXXXXXXXXXXXXXXXXXXXXX
Vault initialized with 5 key shares and a key threshold of 3.
Save these keys and the root token in a secure location immediately. If you lose the unseal keys, you will not be able to unseal Vault and your data becomes inaccessible. Distribute the keys to different trusted individuals for security.
Unseal Vault
You need to provide 3 of the 5 unseal keys to unseal Vault. Run the unseal command three times, each time providing a different key.
vault operator unseal
You will be prompted to enter an unseal key. Repeat this command two more times with different keys. After the third key, the output shows Sealed: false, meaning Vault is now unsealed and operational.
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.21.4
Storage Type file
Cluster Name vault-cluster-xxxxxxxx
Cluster ID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
HA Enabled false
Check the Vault status to confirm.
vault status
Step 5: Configure Vault Authentication
Vault supports multiple authentication methods. The root token should only be used for initial setup – after that, create proper authentication methods for users and applications.
Log in with the Root Token
Authenticate with the root token you received during initialization.
vault login
When prompted, paste your root token. This authenticates your CLI session.
Enable Userpass Authentication
The userpass auth method allows users to authenticate with a username and password. Enable it and create a user.
vault auth enable userpass
You should see:
Success! Enabled userpass auth method at: userpass/
Create a policy file that grants full read and write access to the KV data path and list access to its metadata. This controls what the user can do.
echo 'path "secret/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/*" {
capabilities = ["list"]
}' | sudo tee /etc/vault.d/user-policy.hcl
Write the policy to Vault and create a user.
vault policy write user-policy /etc/vault.d/user-policy.hcl
vault write auth/userpass/users/admin password="StrongPassword123" policies="user-policy"
Test the new login.
vault login -method=userpass username=admin
When prompted, enter the password. On success, Vault displays a token with the assigned policies.
Enable AppRole Authentication (for Applications)
For automated systems and applications, AppRole is the recommended auth method. It uses a role ID and secret ID instead of passwords.
vault auth enable approle
vault write auth/approle/role/my-app token_policies="user-policy" token_ttl=1h token_max_ttl=4h
Retrieve the role ID and generate a secret ID for your application.
vault read auth/approle/role/my-app/role-id
vault write -f auth/approle/role/my-app/secret-id
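The user-policy above grants create, update and delete on every KV path, and the AppRole reuses that same policy. As an added example (not the guide's code), the script below parses a policy file in the flat `path { capabilities = [...] }` layout this guide uses and lists every path that can be modified, then compares the guide's user-policy with a narrower read-only policy for the application. The policy contents come from the guide; the `app-read` policy name and the temporary file paths are constructed for the demonstration. The awk parser handles only this flat layout, not every HCL form.

```shell
#!/bin/sh
# Added example (not the guide's code): list which paths a Vault ACL policy file
# allows to be modified, and compare a broad policy with a read-only one.

# Usage: list_write_paths /path/to/policy.hcl
# Prints each path whose capability list includes a write-class capability.
list_write_paths() {
    awk '
        /^[[:space:]]*path[[:space:]]+"/ {
            match($0, /"[^"]*"/)
            cur = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^[[:space:]]*capabilities[[:space:]]*=/ && /"(create|update|delete|patch|sudo)"/ {
            print cur
        }
    ' "$1"
}

# Usage: count_write_paths /path/to/policy.hcl -> number of modifiable paths
count_write_paths() {
    list_write_paths "$1" | wc -l | tr -d ' '
}

user_policy=$(mktemp)
app_policy=$(mktemp)
trap 'rm -f "$user_policy" "$app_policy"' EXIT

# The guide's user-policy, as written to /etc/vault.d/user-policy.hcl.
cat >"$user_policy" <<'EOF'
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/*" {
  capabilities = ["list"]
}
EOF

# Constructed read-only policy for the application: only the one secret it needs.
cat >"$app_policy" <<'EOF'
path "secret/data/database" {
  capabilities = ["read"]
}
EOF

echo "user-policy: modifiable paths:"
list_write_paths "$user_policy"
echo "app-read: modifiable paths: $(count_write_paths "$app_policy")"
```

To apply the narrower policy, write it with `vault policy write app-read /path/to/app-read.hcl` and set `token_policies="app-read"` when creating the AppRole, so a leaked secret ID can read the database credential but cannot alter or delete anything.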
Step 6: Store and Retrieve Secrets
Vault’s KV (key-value) secrets engine is the most common way to store static secrets. Version 2 of the KV engine is enabled by default at the secret/ path and supports versioning.
Enable the KV Secrets Engine
Check `vault secrets list` first; if no kv-v2 engine is mounted at secret/, enable it (the enable command fails if the path is already in use). Log in with the root token first.
vault login
vault secrets enable -path=secret kv-v2
Store a Secret
Write a secret to the KV store. This example stores database credentials.
vault kv put secret/database username="dbadmin" password="SuperSecret456" host="db.example.com" port="5432"
Vault confirms the write operation:
======= Secret Path =======
secret/data/database
======= Metadata =======
Key Value
--- -----
created_time 2026-03-22T10:00:00.000000Z
custom_metadata
deletion_time n/a
destroyed false
version 1
Retrieve a Secret
Read back the secret you just stored.
vault kv get secret/database
This returns all key-value pairs stored at that path:
======= Secret Path =======
secret/data/database
======= Metadata =======
Key Value
--- -----
created_time 2026-03-22T10:00:00.000000Z
custom_metadata
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
host db.example.com
password SuperSecret456
port 5432
username dbadmin
To print just one field's raw value (useful for scripting):
vault kv get -field=password secret/database
Delete a Secret
Remove a secret when it is no longer needed.
vault kv delete secret/database
Step 7: Configure Firewall
Open port 8200 in the firewall so clients can reach the Vault API and web UI.
Ubuntu 24.04 (UFW)
Allow port 8200 through UFW.
sudo ufw allow 8200/tcp
sudo ufw reload
sudo ufw status
Rocky Linux 10 / RHEL 10 (firewalld)
Add a permanent firewall rule for Vault.
sudo firewall-cmd --permanent --add-port=8200/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
If you are running a multi-node cluster, also open port 8201 for cluster communication.
Step 8: Access the Vault Web UI
With ui = true in the configuration, Vault provides a web interface for managing secrets, policies, and authentication. Open your browser and navigate to:
http://YOUR_SERVER_IP:8200/ui
You will see the Vault login screen. Use the root token or your userpass credentials to sign in. The UI provides a visual way to browse secrets, manage policies, and monitor Vault’s health. For production environments, you should place Vault behind a reverse proxy with TLS – check our guide on securing servers with SSL certificates for TLS setup guidance.
Common Vault CLI Commands Reference
Here is a quick reference table for the most frequently used Vault commands.
| Command | Description |
|---|---|
| vault status | Check Vault seal status and cluster info |
| vault operator init | Initialize a new Vault server |
| vault operator unseal | Provide an unseal key to unseal Vault |
| vault operator seal | Manually seal the Vault |
| vault login | Authenticate to Vault |
| vault token lookup | Display info about the current token |
| vault kv put secret/path key=value | Store a secret |
| vault kv get secret/path | Read a secret |
| vault kv list secret/ | List all secrets at a path |
| vault kv delete secret/path | Delete a secret |
| vault secrets list | List enabled secrets engines |
| vault auth list | List enabled auth methods |
| vault policy list | List all policies |
| vault policy read policy-name | Display a policy's rules |
| vault audit enable file file_path=/var/log/vault-audit.log | Enable file-based audit logging |
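Once file audit logging is enabled, the log is where you confirm that the root token really is used only for setup and that userpass logins are not being brute-forced. As an added example (not the guide's code), the script below runs two such checks over audit entries. The five log lines are constructed for this demonstration and follow the shape of Vault's JSON audit entries as I know it (`type`, `auth.policies`, `request.path`, `request.remote_address`, and `error` on failures); as in a real audit log, tokens appear only as HMACs. Timestamps and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not the guide's code): detections over Vault file-audit log lines.
# The entries below are constructed; field names follow Vault's JSON audit format.

audit_log=$(mktemp)
trap 'rm -f "$audit_log"' EXIT
cat >"$audit_log" <<'EOF'
{"time":"2026-03-22T10:01:00Z","type":"response","auth":{"client_token":"hmac-sha256:aa11","display_name":"root","policies":["root"]},"request":{"operation":"update","path":"sys/policies/acl/user-policy","remote_address":"127.0.0.1"}}
{"time":"2026-03-22T10:02:00Z","type":"response","auth":{"client_token":"hmac-sha256:bb22","display_name":"userpass-admin","policies":["default","user-policy"]},"request":{"operation":"read","path":"secret/data/database","remote_address":"10.0.0.5"}}
{"time":"2026-03-22T10:03:00Z","type":"response","error":"invalid username or password","auth":{},"request":{"operation":"update","path":"auth/userpass/login/admin","remote_address":"203.0.113.9"}}
{"time":"2026-03-22T10:03:05Z","type":"response","error":"invalid username or password","auth":{},"request":{"operation":"update","path":"auth/userpass/login/admin","remote_address":"203.0.113.9"}}
{"time":"2026-03-22T11:30:00Z","type":"response","auth":{"client_token":"hmac-sha256:aa11","display_name":"root","policies":["root"]},"request":{"operation":"read","path":"secret/data/database","remote_address":"10.0.0.7"}}
EOF

# Usage: count_root_use FILE -> number of requests made with the root policy
count_root_use() {
    grep -c '"policies":\[[^]]*"root"' "$1" || true
}

# Usage: root_use_after FILE ISO8601_TIME
# Prints the timestamp of every root-policy request after the given time, i.e.
# after initial setup was finished (ISO 8601 UTC strings sort lexically).
root_use_after() {
    awk -v since="$2" '
        /"policies":\[[^]]*"root"/ {
            match($0, /"time":"[^"]*"/)
            t = substr($0, RSTART + 8, RLENGTH - 9)
            if (t > since) print t
        }
    ' "$1"
}

# Usage: failed_logins FILE -> "<count> <remote_address>" per source, busiest first
failed_logins() {
    grep '"error":"[^"]' "$1" | grep '"path":"auth/' \
        | sed -n 's/.*"remote_address":"\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

echo "root-policy requests in log: $(count_root_use "$audit_log")"
echo "root-policy requests after setup window (10:30Z):"
root_use_after "$audit_log" 2026-03-22T10:30:00Z
echo "failed auth attempts by source:"
failed_logins "$audit_log"
```

Point the functions at /var/log/vault-audit.log (the path used in the table above) and pass the time at which initial setup ended; any root-policy request after that time is worth an explanation, and a source address with many failed `auth/` logins is a candidate for a firewall rule.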
Conclusion
You have installed and configured HashiCorp Vault 1.21 on your Linux server. The setup covers the file storage backend, initialization, unsealing, user and application authentication, and secrets management. For production deployments, you should enable TLS on the listener, use the integrated Raft storage for high availability, set up auto-unseal with a cloud KMS, and enable audit logging. Vault integrates well with infrastructure tools like Terraform and Consul for a complete secrets management workflow. Refer to the Vault getting started tutorials for more advanced configurations.