1. Download Vault v1.2.1.
wget https://releases.hashicorp.com/vault/1.2.1/vault_1.2.1_linux_amd64.zip
Note: the command syntax differs between Vault versions.
2. Unzip Vault v1.2.1 into the target directory /opt/software/vault and add it to PATH.
unzip vault_1.2.1_linux_amd64.zip -d /opt/software/vault/
export PATH=$PATH:/opt/software/vault
3. Set the Vault server address and skip certificate verification.
Note that VAULT_SKIP_VERIFY=false, as written below, keeps certificate verification enabled, which is the safe setting; with the plain-HTTP address used here it has no effect either way.
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_SKIP_VERIFY=false
4. Start the Vault server with nohup and keep its log.
The startup configuration file vault.hcl must be set up first; its content is shown below:
disable_mlock = true

# File storage backend: secrets are persisted under this local path
backend "file" {
  path          = "/root/vault/data"
  redirect_addr = "http://127.0.0.1:8200"
}

# Plain-HTTP listener bound to the loopback address only
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
The configuration file selects the file storage backend and disables TLS; because the listener is bound to 127.0.0.1, the plaintext API is reachable only from the local host.
After Vault starts, print detailed startup logs by setting the log level to trace with the following command:
nohup vault server -config=vault.hcl -log-level=trace >vault.log 2>&1 &
5. Initialize the Vault server; this generates the unseal key and the root token. With one key share and a threshold of one, a single key unseals Vault, which suits a local test setup.
vault operator init -key-shares=1 -key-threshold=1
The output looks like this:
Unseal Key 1: vhgKMW2YDiSVFzZ3ZPZsNcJbzomHHlKDA7sErX4ZL0M=
Initial Root Token: s.GnVJZ7lf98mZhYDXxbKlGsqC
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 1 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Unseal Vault with the key printed above, then log in with the root token:
vault operator unseal vhgKMW2YDiSVFzZ3ZPZsNcJbzomHHlKDA7sErX4ZL0M=
vault login s.GnVJZ7lf98mZhYDXxbKlGsqC
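As an added example (not part of the original guide), the following shell functions automate step 5 so the unseal key and root token are captured from the init output and written to a root-only file instead of being retyped on the command line, and the seal state is confirmed from `vault status` before logging in. It assumes `vault` is on PATH and VAULT_ADDR is exported as in steps 2 and 3; the path /root/vault/init.txt is an assumed location.

```shell
#!/bin/sh
# Added example: automate init -> unseal -> verify -> login for a
# 1-share / 1-threshold Vault as configured in this guide.

# Pull "Unseal Key 1: <value>" out of `vault operator init` output.
extract_unseal_key() {
    printf '%s\n' "$1" | sed -n 's/^Unseal Key 1: //p' | head -n 1
}

# Pull "Initial Root Token: <value>" out of `vault operator init` output.
extract_root_token() {
    printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p' | head -n 1
}

# Return 0 when `vault status` output reports "Sealed false", 1 otherwise.
# Takes the status text as an argument so it can be checked without a server.
is_unsealed() {
    printf '%s\n' "$1" | grep -Eq '^Sealed[[:space:]]+false$'
}

# Full step-5 procedure against the running server from step 4.
init_and_unseal() {
    init_out=$(vault operator init -key-shares=1 -key-threshold=1) || return 1
    key=$(extract_unseal_key "$init_out")
    token=$(extract_root_token "$init_out")
    [ -n "$key" ] && [ -n "$token" ] || return 1

    # Keep the secrets out of shell history and the nohup log:
    # write them to a file readable only by root (assumed path).
    umask 077
    printf 'unseal_key=%s\nroot_token=%s\n' "$key" "$token" > /root/vault/init.txt

    vault operator unseal "$key" > /dev/null || return 1
    is_unsealed "$(vault status)" || return 1
    # `vault login -` reads the token from stdin rather than from the command line.
    printf '%s\n' "$token" | vault login - > /dev/null
}
```

Call init_and_unseal once after the server from step 4 is up; it fails non-zero if the output cannot be parsed or Vault is still sealed.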
6. The Vault server is now up and serving requests.