In this article, I will take you through the steps to install Hashicorp vault on Ubuntu 20.04 LTS but before that let me ask you a question - Do you think Security is an important aspect when you shift your Infrastructure from on-premise environment to a Dynamic Environment ? To me, it is an utmost important thing to worry about. But don't worry, here comes the Hashicorp Vault for our rescue. Hashicorp Vault is used to secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. We will see the steps to install this application on Ubuntu 20.04 LTS in below section. More about Hashicorp Vault.

How to Install Hashicorp Vault on Ubuntu 20.04 LTS

Also Read: 23 Practical gpg Command Examples to Manage Your Keys in Linux

Step 1: Prerequisites

a) You should have a running Ubuntu 20.04 LTS Server.

b) You should have sudo or root access to run privileged commands.

c) You should have apt or apt-get utility installed in your Server.

d) You should also have curl, apt-key and apt-add-repository utility installed in your Server.

Step 2: Add GPG Key

First you need to add the Hashicorp GPG Key using curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - command as shown below.

root@localhost:~# curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
OK

Step 3: Add Repository

To download the vault package from the Hashicorp repository, you need to first add this repository to /etc/apt/sources.list file. This can be done by using an utility called apt-add-repository. You can run below command to add the Repository information.

root@localhost:~# apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 https://packages.microsoft.com/repos/edge stable InRelease [7,343 B]
Get:4 https://apt.releases.hashicorp.com focal InRelease [4,419 B]
Get:5 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:6 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:7 https://packages.microsoft.com/repos/edge stable/main amd64 Packages [7,859 B]
Ign:8 http://ppa.launchpad.net/oguzhaninan/stacer/ubuntu focal InRelease
Get:9 https://apt.releases.hashicorp.com focal/main amd64 Packages [34.5 kB]
Get:10 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1,294 kB]
Get:11 http://ppa.launchpad.net/micahflee/ppa/ubuntu focal InRelease [17.5 kB]
Get:12 http://in.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages [550 kB]
Get:13 http://in.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [269 kB]

Step 4: Update Your Server

After adding repository, you can update the Server by using apt update or apt-get update command. This command will also update the package cache with packages from Hashicorp repository.

root@localhost:~# apt update
Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:3 https://apt.releases.hashicorp.com focal InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Hit:5 https://packages.microsoft.com/repos/edge stable InRelease
Get:6 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Ign:7 http://ppa.launchpad.net/oguzhaninan/stacer/ubuntu focal InRelease
Get:8 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 DEP-11 Metadata [283 kB]
Get:9 http://ppa.launchpad.net/micahflee/ppa/ubuntu focal InRelease [17.5 kB]

Step 5: Install Vault

Next step is to install Vault application by using apt install vault -y command as shown below. This will download and install the vault package from newly added repository.

root@localhost:~# apt install vault -y
Reading package lists... Done
Building dependency tree
The following NEW packages will be installed:
vault
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 66.7 MB of archives.
After this operation, 179 MB of additional disk space will be used.
Get:1 https://apt.releases.hashicorp.com focal/main amd64 vault amd64 1.8.4 [66.7 MB]
Fetched 66.7 MB in 12s (5,452 kB/s)
Selecting previously unselected package vault.
(Reading database ... 199918 files and directories currently installed.)
Preparing to unpack .../archives/vault_1.8.4_amd64.deb ...
Unpacking vault (1.8.4) ...
Setting up vault (1.8.4) ...
Generating Vault TLS key and self-signed certificate...
Generating a RSA private key
.............................................................++++
.......++++
writing new private key to 'tls.key'
-----
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.

Step 6: Check Vault version

You can check the current installed version of vault application by using vault --version command as shown below. As you can see current version is 1.8.4.

root@localhost:~# vault --version
Vault v1.8.4 (925bc650ad1d997e84fbb832f302a6bfe0105bbb)

Step 7: Check Vault Configuration

After vault installation, by default you should see below configuration which has HTTPS Listener address set to 0.0.0.0:8200. This configuration allows us to access the Vault UI using locally set IP Address. So I will leave the configuration as it is. But if you want you can modify the configuration based on your requirements.

root@localhost:~# nano /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
path = "/opt/vault/data"
}

#storage "consul" {
# address = "127.0.0.1:8500"
# path = "vault"
#}

# HTTP listener
#listener "tcp" {
# address = "127.0.0.1:8200"
# tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
}
............................................

Step 8: Start Vault Service

After setting up the required configuration, you can now start the vault service by using systemctl start vault command and then check the status by using systemctl status vault command as shown below.

root@localhost:~# systemctl start vault
root@localhost:~# systemctl status vault
● vault.service - "HashiCorp Vault - A tool for managing secrets"
Loaded: loaded (/lib/systemd/system/vault.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2021-10-21 11:51:31 IST; 5s ago
Docs: https://www.vaultproject.io/docs/
Main PID: 5346 (vault)
Tasks: 7 (limit: 2312)
Memory: 173.8M
CGroup: /system.slice/vault.service
└─5346 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Oct 21 11:51:34 localhost vault[5346]: Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", >
Oct 21 11:51:34 localhost vault[5346]: Log Level: info
Oct 21 11:51:34 localhost vault[5346]: Mlock: supported: true, enabled: true
Oct 21 11:51:34 localhost vault[5346]: Recovery Mode: false
Oct 21 11:51:34 localhost vault[5346]: Storage: file
Oct 21 11:51:34 localhost vault[5346]: Version: Vault v1.8.4
Oct 21 11:51:34 localhost vault[5346]: Version Sha: 925bc650ad1d997e84fbb832f302a6bfe0105bbb
Oct 21 11:51:34 localhost vault[5346]: ==> Vault server started! Log data will stream in below:
Oct 21 11:51:34 localhost vault[5346]: 2021-10-21T11:51:32.256+0530 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""

You can also enable the service by using systemctl enable vault command.

root@localhost:~# systemctl enable vault
Created symlink /etc/systemd/system/multi-user.target.wants/vault.service → /lib/systemd/system/vault.service.

Step 9: Access Vault UI

You can now open Web Browser and use https://<your_ip_address>:8200 URL to access the Vault UI Page. Since my local IP Address is 192.168.29.113 so I am using https://192.168.29.113:8200 URL to access the Page. It could be different for you.