How to Install Hashicorp Vault on ubuntu 20.04

Hashicorp Vault is a free and open source tool. It helps to manage & securely storing password & accessing secrets.We can easily create, update, read and delete secrets, authenticate & unseal.It provides web interface to interact with Vault.


Install Hashicorp Vault on ubuntu

Update the System.

apt-get update

Download the vault zip file.


Extract the downloaded file.

apt-get install unzip

Move the extracted file to /usr/bin/.

mv vault /usr/bin

Create a directory /etc/vault for configuration.

mkdir /etc/vault

Create a new file.

vim /etc/vault/config.hcl

Add the following lines:

storage "consul" {
  address = "" or
  path    = "vault/"
listener "tcp" {
 address     = "server-ip:8200" or
 tls_disable = 1
ui = true

Create a vault service file.

vim /etc/systemd/system/vault.service

Add the following lines:

ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill -HUP $MAINPID

Reload,Start & Enable the Vault Service:

systemctl daemon-reload
systemctl start vault
systemctl enable vault

Enable Vault service for CLI.

export VAULT_ADDR=http://server-ip:8200

Initialize the vault service.

vault operator init

Here is the command output:

Unseal Key 1: Dhmn4caf16eRA1v8Hi9xNA6axGITpREcM/Q4c6UCulfH
Unseal Key 2: mQ9nD8KIU9HW9hiLY/ASxO6Kpkn13kBPxHFLW5U+HzrJ
Unseal Key 3: VjoY8HTLpDjK9IgQ9wJf1NvonerDxngTP8JpXCzckjkz
Unseal Key 4: SCKLcgP2gQgVjOi+FrjNO+lzKnFWZA3LBGfe2y6qHSr2
Unseal Key 5: NlOvc4aqYNsEyERfEuflDyS9L+GseFA/OK1YG/nkThy+

Initial Root Token: s.4F3cE2EbHZaWAuW90BPmowur

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Access Hashicorp web-interface


Here is the output:

  • Copy the Unseal key from Ternimal.
  • Paste the key for unseal the vault.
  • Click on Unseal.


Fig 1


  • When Initialize the vault service,we get Taken number.
  • Copy the Initial Root Taken number from terminal.
  • Paste the Token number.
  • Click on Sign in.


Fig 2


  • Now Hashicorp vault is Ready.
  • We needs to add secrets so click on cubbyhole.


Fig. 3


  • Click on Create Secret.


Fig. 4


  • Provide the Secret Path.
  • Secret data like key & Value.
  • Click on Save.


Fig. 5


  • New Secret data is successfully added.


Fig. 6


  • Now Add a new secret engine.
  • Click on Enable New Engine.


Fig. 3


  • Select Secret Engine.Choose Consul.
  • Click on Next.


Fig. 7


  • Click on Enable the Engine.


Fig. 8


  • Now New Secret Engine is Ready.


Fig. 5


Leave a Reply