canonical/snap-vault

Vault

This is the snap for Vault, "A tool for securely accessing secrets". It works on Ubuntu, Fedora, Debian, and other major Linux distributions.

Install

sudo snap install vault

(Don't have snapd installed?)

Usage

Client

The snap provides the vault CLI client:

export VAULT_ADDR="http://127.0.0.1:8200"
vault status

Running a local Vault server

The snap also includes a vaultd daemon for running a local Vault server. It is disabled by default and will not start automatically on install.

The daemon uses the configuration at /var/snap/vault/common/vault.hcl, which is populated with a default config on first install (see Configuration). Modify that file as needed, then start the daemon:

sudo snap start vault.vaultd

To stop or restart the daemon:

sudo snap stop vault.vaultd
sudo snap restart vault.vaultd

The daemon supports reload (SIGHUP) to pick up configuration changes without a full restart:

sudo snap restart --reload vault.vaultd

Refer to the Vault operator commands documentation for initialisation and other operations once the server is running.

Configuration

The default vault.hcl at /var/snap/vault/common/vault.hcl:

ui = true

disable_mlock = true

storage "file" {
  path = "/var/snap/vault/common/data"
}

# HTTP listener
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

| Option | Description |
| --- | --- |
| ui | Enables the built-in web UI at http://<host>:8200/ui |
| disable_mlock | Stops Vault from executing the mlock syscall; mlock is what prevents data from being swapped from memory to disk |
| storage "file" | Stores Vault's data on disk at /var/snap/vault/common/data |
| listener "tcp" | Listens on all interfaces on port 8200, with TLS disabled by default |

For advanced configuration options, refer to the Vault configuration documentation.

Enabling TLS

To run Vault over HTTPS, replace tls_disable = 1 in vault.hcl with the paths to your certificate and key:

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/var/snap/vault/common/tls/vault.crt"
  tls_key_file  = "/var/snap/vault/common/tls/vault.key"
}

Then set VAULT_ADDR accordingly:

export VAULT_ADDR="https://127.0.0.1:8200"

See the TCP listener documentation for the full list of TLS options.
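
To check whether a vault.hcl still carries the cleartext listener from the default config, the following added example (not part of the snap or of Vault) classifies each listener "tcp" block. The function name audit_listeners and the labels it prints are assumptions made for this example; it assumes one setting per line and no nested blocks inside the listener.

```shell
#!/bin/sh
# Added example (not part of the snap): report each listener "tcp" block in a
# vault.hcl as OK, CLEARTEXT (TLS off on a non-loopback address) or
# INCOMPLETE-TLS (TLS on but cert/key path missing). Exit status 1 on findings.
audit_listeners() {
  awk '
    function report() {
      if (tls_off && addr !~ /^(127\.|localhost:|\[::1\]:)/) {
        print "CLEARTEXT " addr; bad = 1
      } else if (!tls_off && (cert == "" || key == "")) {
        print "INCOMPLETE-TLS " addr; bad = 1
      } else {
        print "OK " addr
      }
    }
    /^[ \t]*#/ { next }                       # skip comment lines
    /^[ \t]*listener[ \t]+"tcp"/ {            # start of a listener block
      inblk = 1; tls_off = 0; cert = ""; key = ""
      addr = "127.0.0.1:8200"                 # Vault default when address is unset
      next
    }
    inblk && /^[ \t]*}/ { report(); inblk = 0; next }
    inblk {
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
      if (k == "address")       addr = v
      if (k == "tls_cert_file") cert = v
      if (k == "tls_key_file")  key = v
      if (k == "tls_disable")   tls_off = (v == "1" || v == "true")
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: the listener block from the default config shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
EOF
audit_listeners "$sample" || echo "findings in $sample"
rm -f "$sample"
```

On an installed snap, point it at /var/snap/vault/common/vault.hcl; a loopback-only listener with tls_disable set is reported as OK.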

Environment variables

Environment variables can be set in /var/snap/vault/common/vault.env and will be sourced before Vault starts.

Platforms

The snap is published for the following architectures: amd64, arm64, and s390x.

The built-in web UI is included only on amd64 and arm64. On s390x, Node.js is not available for building the frontend assets, so Vault is compiled without the ui build tag. The ui = true option in vault.hcl will have no effect on that platform.
