In this post we going to install and run a vault server in dev mode
Hashicorp offers Vault in Linux, Mac and Windows and you can run vault in dev mode for testing as it writes all in memory, this means no changes will be persistent
Once you stop the dev server you loose the data
Vault, depending on the OS, have one or more ways to be installed, although Hashicorp recommends to update regularly I recommend to install manually in production for preventing someone with access to the server updates Vault. This is because you need a consistent version of vault to know everything is working properly, if the binary is upgrade without the knowledge, is possibly some of the commands can stop to work, or even you can loss the communication with a cluster.
We going to learn how to install it manually
If you update by accident Vault in production, you can loss compatibility and connectivity with the cluster
You need to remember that the Dev method is only recommended for testing purpose, is more insecure and is not recommended by any way running for production
Requirements:
- Linux commands basic knowledge
- Debian computer (In my case Ubuntu 20.04 aarch64)
- Basic Docker knowledge, you can see my other Docker post here
Hands-on
- Run a container with the latest ubuntu
docker container run -it -d --name ubuntu_vault_dev ubuntu /bin/bash
2. Connect to the container to install and run vault from there
docker container exec -it ubuntu_vault_dev /bin/bash
3. Now we need to install some tools we going to need later wget and unzip
apt update && apt install -y wget unzip
If you see an error, is possible that you need to use the command sudo in front in some distributions like ubuntu, if you are not using the ubuntu container, example: sudo apt update && sudo apt install wget -y
4. Now we need to know what architecture you are working on, you can use uname -m
to check it
uname -m
aarch64
In my case as I’m running the image in a Raspberry pi 4, my architecture is aarch64 (arm64)
5. Go to the Hasihcorp Vault download page here and we need to select the right binary and architecture to download

And instead on hitting the Download button do a right click on it and select “Copy Link Location”

6. Run the command wget and paste the link
wget https://releases.hashicorp.com/vault/1.5.4/vault_1.5.4_linux_arm64.zip
--2020-10-03 13:40:21-- https://releases.hashicorp.com/vault/1.5.4/vault_1.5.4_linux_arm64.zip
Resolving releases.hashicorp.com (releases.hashicorp.com)... 151.101.185.183, 2a04:4e42:53::439
Connecting to releases.hashicorp.com (releases.hashicorp.com)|151.101.185.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48076803 (46M) [application/zip]
Saving to: ‘vault_1.5.4_linux_arm64.zip’
vault_1.5.4_linux_arm64.zip 100%[==================================================================>] 45.85M 9.31MB/s in 1m 40s
2020-10-03 13:42:01 (471 KB/s) - ‘vault_1.5.4_linux_arm64.zip’ saved [48076803/48076803]
7. When the download is finish unzip the file
unzip vault_1.5.4_linux_arm64.zip
8. Delete the zip file
rm vault_1.5.4_linux_arm64.zip
9. Test the vault binary
./vault version
Vault v1.5.4 (1a730771ec70149293efe91e1d283b10d255c6d1)
If you get an Exec format error, instead the version this means the binary is not for your architecture, you need to delete the binary and zip file and repeat from 5 step with the right architecture of your processor
./vault version
./vault: cannot execute binary file: Exec format error
10. Check the environment path to be able to execute everywhere, use the command echo $PATH
to know what are the path's directory
root@60af5e1b7139:/# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
11. Move the vault binary to a PATH environment folder, personally I prefer /usr/local/bin/ because is always empty (most of the time)
mv vault /usr/local/bin/
12. Check the installation
13. Now that everything is working, lets start the vault in dev mode
vault server -dev
14. You are going to get something like this
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: j8i4C8CelXhbDN8AyUb0jUP40db7HhrvIMUTzeZV8Oc=
Root Token: s.EXiJeOOc838l848XrdxioI6Q
Development mode should NOT be used in production installations!
Every time you start the vault server on dev mode, you will get and unseal key, and a root token
The root token is the access to your vault server, always look for it, when you initialized
15. Now the vault server is running in this terminal, connect to the docker container in a new terminal and check the server status
docker container exec -it ubuntu_vault_dev /bin/bash
vault status
16. You will get an error, this is normal
vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
This is because we have not export the VAULT_ADDR, to do so, put the next command
17. Export the VAULT_ADDR
export VAULT_ADDR='http://127.0.0.1:8200'
18. Check the status again and we will get something like this
root@60af5e1b7139:/# vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
root@60af5e1b7139:/# export VAULT_ADDR='http://127.0.0.1:8200'
root@60af5e1b7139:/# vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.5.4
Cluster Name vault-cluster-8c2a9073
Cluster ID 240d9b52-07ed-148d-3395-ea0e4eb082a3
HA Enabled false
Well done, the vault server in dev mode is working, we alredy check how to use a basic command to see the status of vault, when you run dev mode vault automatically export the VAULT_TOKEN variable and put the root token on it, this means that you can run any command that needs a high level authorization, lets test this
19. Run vault auth list
vault auth list
Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_2f444c91 token based credentials
In a production server, you will not have permissions to run the last command and you will need to use an authenticate method with the correct permission
Remember Hashicorp Dev mode run in memory and all you do it will not be persistent, that means once you stop the server no data will be written
To stop the server you can just do a control + C command in the vault running terminal
For exit the container you only need to use the exit command
exit
For clean up after you finish tests, you need to stop the container, remove the container and remove the image in this order
docker container stop ubuntu_vault_dev
docker container rm ubuntu_vault_dev
docker image rm ubuntu:latest
References:
- Hashicorp Vault official install guide
- Hashicorp Vault getting started guide
- Hashicorp Vault Dev Mode