This is the snap for Vault, "A tool for securely accessing secrets". It works on Ubuntu, Fedora, Debian, and other major Linux distributions.
sudo snap install vault
The snap provides the vault CLI client:
export VAULT_ADDR="http://127.0.0.1:8200"
vault statusThe snap also includes a vaultd daemon for running a local Vault server. It is
disabled by default and will not start automatically on install.
The daemon uses the configuration at /var/snap/vault/common/vault.hcl, which is
populated with a default config on first install (see Configuration).
Modify that file as needed, then start the daemon:
sudo snap start vault.vaultdTo stop or restart the daemon:
sudo snap stop vault.vaultd
sudo snap restart vault.vaultdThe daemon supports reload (SIGHUP) to pick up configuration changes without a full restart:
sudo snap restart --reload vault.vaultdRefer to the Vault operator commands documentation for initialisation and other operations once the server is running.
The default vault.hcl at /var/snap/vault/common/vault.hcl:
ui = true
disable_mlock = true
storage "file" {
path = "/var/snap/vault/common/data"
}
# HTTP listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}| Option | Description |
|---|---|
ui |
Enables the built-in web UI at http://<host>:8200/ui |
disable_mlock |
Stops Vault from executing the mlock syscall, which prevents data swaps from memory to disk |
storage "file" |
Stores Vault's data on disk at /var/snap/vault/common/data. |
listener "tcp" |
Listens on all interfaces on port 8200, with TLS disabled by default |
For advanced configuration options, refer to the Vault configuration documentation.
To run Vault over HTTPS, replace tls_disable = 1 in vault.hcl with the paths
to your certificate and key:
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/var/snap/vault/common/tls/vault.crt"
tls_key_file = "/var/snap/vault/common/tls/vault.key"
}Then set VAULT_ADDR accordingly:
export VAULT_ADDR="https://127.0.0.1:8200"See the TCP listener documentation for the full list of TLS options.
Environment variables can be set in /var/snap/vault/common/vault.env and will be sourced
before Vault starts.
The snap is published for the following architectures: amd64, arm64,
and s390x.
The built-in web UI is included only on amd64 and arm64. On s390x,
Node.js is not available for building the frontend assets, so Vault is
compiled without the ui build tag. The ui = true option in vault.hcl
will have no effect on that platform.
