Manually install a Vault binary

1. Set the VAULT_DATA environment variable to your preferred Vault data directory. For example, /opt/vault/data:

   export VAULT_DATA=/opt/vault/data
   

   Copy

2. Set the VAULT_CONFIG environment variable to your preferred Vault configuration directory. For example, /etc/vault.d:

   export VAULT_CONFIG=/etc/vault.d
   

   Copy

3. Move the Vault binary to /usr/bin:

   $ sudo mv PATH/TO/VAULT/BINARY /usr/bin/
   

   Copy

4. Ensure the Vault binary can use mlock() to run as a non-root user:

   $ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
   

   Copy

   See the support article Vault and mlock() for more information.

5. Create your Vault data directory:

    $ sudo mkdir -p ${VAULT_DATA}
   

   Copy

6. Create your Vault configuration directory:

   $ sudo mkdir -p ${VAULT_CONFIG}
   

   Copy

1. Run Powershell as Administrator.

2. Set a VAULT_HOME environment variable to your preferred Vault home directory. For example, c:\Program Files\Vault:

   $env:VAULT_HOME = "${env:ProgramFiles}\Vault"
   

   Copy

3. Create the Vault home directory:

   New-Item -ItemType Directory -Path "${env:VAULT_HOME}"
   

   Copy

4. Create the Vault data directory. For example, c:\Program Files\Vault\Data:

   New-Item -ItemType Directory -Path "${env:VAULT_HOME}/Data"
   

   Copy

5. Create the Vault configuration directory. For example, c:\Program Files\Vault\Config:

   New-Item -ItemType Directory -Path "${env:VAULT_HOME}/Config"
   

   Copy

6. Create the Vault logs directory. For example, c:\Program Files\Vault\Logs:

   New-Item -ItemType Directory -Path "${env:VAULT_HOME}/Logs"
   

   Copy

7. Move the Vault binary to your Vault directory:

   Move-Item                      `
     -Path <PATH/TO/VAULT/BINARY> `
     -Destination ${env:VAULT_HOME}\vault.exe
   

   Copy

8. Add the Vault home directory to the system Path variable.

   

1. Create a system user called vault to run Vault when your Vault data directory as home and nologin as the shell:

   $ sudo useradd --system --home ${VAULT_DATA} --shell /sbin/nologin vault
   

   Copy

2. Change directory ownership of your data directory to the vault user:

   $ sudo chown vault:vault ${VAULT_DATA}
   

   Copy

3. Grant the vault user full permission on the data directory, search permission for the group, and deny access to others:

   $ sudo chmod -R 750 ${VAULT_DATA}
   

   Copy

1. Create an access rule to grant the Local System user access to the Vault directory and related files:

   $SystemAccessRule = 
     New-Object System.Security.AccessControl.FileSystemAccessRule(
       "SYSTEM",
       "FullControl",
       "ContainerInherit,Objectinherit",
       "none",
       "Allow"
     )
   

   Copy

2. Create an access rule to grant yourself access to the Vault directory and related files so you can test your Vault installation:

   $myUsername = Get-CimInstance -Class Win32_Computersystem |    `
                 Select-Object UserName | foreach {$_.UserName} ; `
   $AdminAccessRule =
     New-Object System.Security.AccessControl.FileSystemAccessRule(
       "$myUsername",
       "FullControl",
       "ContainerInherit,Objectinherit",
       "none",
       "Allow"
     )
   

   Copy

   Create additional access rules for human users if needed

   If you expect other accounts to start and run the Vault server, you must create and apply access rules for those users as well. While users can run the Vault CLI without explicit access, if they try to start the Vault server, the process will fail with a permission denied error.

3. Update permissions on the env:VAULT_HOME directory:

   $ACLObject = Get-ACL ${env:VAULT_HOME} ;       `
   $ACLObject.AddAccessRule($AdminAccessRule) ;   `
   $ACLObject.AddAccessRule($SystemAccessRule) ;  `
   Set-Acl ${env:VAULT_HOME} $ACLObject
   

   Copy

1. Create a file called vault.hcl under your configuration directory:

    $ sudo tee ${VAULT_CONFIG}/vault.hcl <<EOF
    ui            = true
    cluster_addr  = "http://127.0.0.1:8201"
    api_addr      = "https://127.0.0.1:8200"
    disable_mlock = true
   
    storage "raft" {
      path    = "${VAULT_DATA}"
      node_id = "127.0.0.1"
    }
   
    listener "tcp" {
      address       = "0.0.0.0:8200"
      cluster_address = "0.0.0.0:8201"
      tls_disable = 1
    }
    EOF
   

   Copy

2. Change ownership and permissions on the Vault configuration file.

   $ sudo chown vault:vault "${VAULT_CONFIG}/vault.hcl" && \
     sudo chmod 640 "${VAULT_CONFIG}/vault.hcl"
   

   Copy

Create a file called vault.hcl under your configuration directory:

@"
ui            = true
cluster_addr  = "http://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path    = "$(${env:VAULT_HOME}.Replace('\','\\'))\\Data"
  node_id = "127.0.0.1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = 1
}
"@ | Out-File -FilePath ${env:VAULT_HOME}/Config/vault.hcl -Encoding ascii

1. Bring up the help menu in the Vault CLI:

   $ vault -h
   

   Copy

2. Use the Vault CLI to bring up a Vault server in development mode:

   $ vault server -dev -config ${VAULT_CONFIG}/vault.hcl
   

   Copy

1. Start a new Powershell session without Administrator permission.

2. Bring up the help menu in the Vault CLI:

   vault -h
   

   Copy

3. Use the Vault CLI to bring up a Vault server in development mode:

   vault server -dev -config ${env:VAULT_HOME}\Config\vault.hcl
   

   Copy