Starting the Server
With Vault installed, the next step is to start a Vault server.
Vault operates as a client-server application. The Vault server is the only piece of the Vault architecture that interacts with the data storage and backends. All operations done via the Vault CLI interact with the server over a TLS connection.
In this tutorial, you will start and interact with the Vault server running in development mode.
Starting the Dev Server
Use the
-help
flag to list available command options forvault server
.Scroll down to the Dev Options section.
TLS option
If you are running Vault 1.12.0 or later, you can enable TLS with a dev server using the
-dev-tls
flag.Start a Vault server in development mode (dev server). The dev server is a built-in, pre-configured server that is not very secure but useful for playing with Vault locally. Later in the Deploy Vault tutorial, you will configure and start a non-dev server.
Example output:
You should see output similar to that above. Notice that Unseal Key and Root Token values are displayed.
The dev server stores all its data in-memory (but still encrypted), listens on
localhost
without TLS, and automatically unseals and shows you the unseal key and root access key.Insecure operation
Do not run a Vault dev server in production. This approach is only used here to simplify the unsealing process for this demonstration.
Set environment variables
Launch a new terminal session.
Copy and run the
export VAULT_ADDR ...
command from the terminal output. This will configure the Vault client to talk to the dev server.Vault CLI determines which Vault servers to send requests using the
VAULT_ADDR
environment variable.Save the unseal key somewhere. Don't worry about how to save this securely. For now, just save it anywhere.
Set the
VAULT_TOKEN
environment variable value to the generated Root Token value displayed in the terminal output.Example:
To interact with Vault, you must provide a valid token. Setting this environment variable is a way to provide the token to Vault via CLI. Later, in the Authentication tutorial, you will learn to use the
vault login <token_value>
command to authenticate with Vault.
If you wish to run a Vault dev server with TLS enabled, use the -dev-tls
flag
instead of -dev
.
Example output:
The VAULT_ADDR
is set to use HTTPS protocol.
Set the TLS certificate location with VAULT_CACERT
.
Set the VAULT_TOKEN
.
Verify the Server is Running
Verify the server is running by running the vault status
command. If it ran
successfully, the output should look like the following:
If the output looks different, restart the dev server and try again. The only reason these would ever be different is if you're running a dev server from going through this tutorial previously.
You will learn more about the status output in the Deploy Vault tutorial.
The configure Vault tutorial goes into more detail about Vault configuration.
Next
Congratulations! You've started your first Vault server.
You can continue with the Your First Secret tutorial, where you will learn how to store secrets in Vault.