Skip to content
Learni
View all tutorials
DevOps

How to Install and Use HashiCorp Vault in 2026

12 minBEGINNER
DevOpsSécuritéHashiCorp VaultGestion Secrets
Lire en français

Introduction

HashiCorp Vault is an essential open-source tool for centralized management of secrets, certificates, and identities. In a world where data breaches cost millions, Vault provides dynamic encryption, automatic key rotation, and comprehensive access auditing. Why use it in 2026? Cloud-native applications and microservices demand zero-trust security: Vault shines by integrating with Kubernetes, AWS, and Terraform.

This beginner tutorial takes you from the basics to practical use. You'll learn to install Vault in dev mode, initialize a cluster, store and retrieve secrets via CLI, and implement policies. By the end, you'll have a basic production-ready setup. Ideal for developers and ops who want to secure their APIs without excessive complexity. Estimated time: 20 minutes.

Prerequisites

  • System: Linux/macOS/Windows with WSL
  • Go 1.21+ installed (optional, for building from source)
  • Basic command-line knowledge
  • Free ports: 8200 (Vault), 8201 (cluster)
  • No HashiCorp account required for dev mode

Download and Install Vault

install-vault.sh
#!/bin/bash

# Download the latest stable version (check on https://developer.hashicorp.com/vault/install)
VAULT_VERSION="1.17.0"
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)

if [ "$OS" = "darwin" ]; then
  OS="darwin"
fi

wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_${OS}_${ARCH}.zip
unzip vault_${VAULT_VERSION}_${OS}_${ARCH}.zip
sudo mv vault /usr/local/bin/
rm vault_${VAULT_VERSION}_${OS}_${ARCH}.zip LICENSE README.md

# Verify the installation
vault --version

This script downloads, extracts, and installs Vault into /usr/local/bin/. It automatically detects OS and architecture for universal compatibility. Pro tip: Always check the official site for the latest version to get critical security patches.

Understanding the Configuration File

Before starting Vault, create a minimal config file. Vault uses HCL (similar to JSON but more readable). In dev mode, everything is encrypted in memory (great for testing), but switch to persistent storage like Consul or Raft in production.

Create the Configuration File

vault.hcl
ui = true

listener "tcp" {
  address     = "127.0.0.1"
  tls_disable = true
  port        = 8200
}

storage "file" {
  path = "/tmp/vault/data"
}

seal "transit" {
  address = "127.0.0.1:8200"
  disable_clustering = true
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"

This config enables the web UI, listens on localhost:8200 without TLS (dev only), and uses temporary file storage. The transit seal is for auto-unseal in production. Pitfall: Never use tls_disable=true in production to avoid MITM attacks.

Start Vault in Server Mode

start-vault.sh
#!/bin/bash

# Create necessary directories
mkdir -p /tmp/vault/data

# Start Vault with the config
vault server -config=vault.hcl &

# Wait for Vault to be ready
sleep 3

# Become root and initialize (simplified dev mode)
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json

# Unseal with the key
vault operator unseal $(vault operator unseal -address=$VAULT_ADDR -format=json | jq -r '.unseal_keys_b64[0]')

# Login with the root token
ROOT_TOKEN=$(cat cluster-keys.json | jq -r '.root_token')
vault login $ROOT_TOKEN

echo "Vault is ready! Root token: $ROOT_TOKEN"

This script starts Vault, initializes it with 1 share (dev only), unseals it, and logs in with the root token. Use jq to parse JSON. Caution: In production, use at least 5 shares and never hardcode the root token.

Store and Read Your First Secrets

Now interact with Vault via CLI. Secrets are stored in 'mounts' like kv-v2 for key-value pairs. It's like a safe: you get dynamic encryption without exposing credentials in plaintext.

Enable a Secrets Backend and Store Secrets

secrets.sh
#!/bin/bash

export VAULT_ADDR='http://127.0.0.1:8200'
ROOT_TOKEN="PASTE_YOUR_ROOT_TOKEN_HERE"  # Replace with your token
vault login $ROOT_TOKEN

# Enable KV v2 secrets engine at secret/
vault secrets enable -path=secret kv-v2

# Store a secret (API key example)
vault kv put secret/myapp/config api_key="sk-1234567890abcdef" db_url="postgres://user:pass@localhost:5432/prod"

# Read the secret
vault kv get secret/myapp/config

# List the keys
vault kv list secret/myapp/

Enable kv-v2 (versioned), store and read secrets. Paths are hierarchical like /secret/myapp/config. Pitfall: Always specify -version=1 for historical reads, and rotate API keys via Vault.

Create an Access Policy

myapp-policy.hcl
path "secret/data/myapp/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata/myapp/*" {
  capabilities = ["list", "delete"]
}

path "sys/leases/+/lookup" {
  capabilities = ["read", "list"]
}

This HCL policy grants read/write access to secret/myapp/. Capabilities control fine-grained operations. Apply it with vault policy write myapp myapp-policy.hcl. Avoid overly broad '*' wildcards for least-privilege principle.

Apply the Policy and Test

policy-test.sh
#!/bin/bash

export VAULT_ADDR='http://127.0.0.1:8200'

# Write the policy
vault policy write myapp-policy myapp-policy.hcl

# Create a token with the policy
TOKEN=$(vault token create -policy=myapp-policy -format=json | jq -r '.auth.client_token')

# Test with the new token
vault login $TOKEN
vault kv get secret/myapp/config

# Revoke the token after testing
vault token revoke $TOKEN

echo "Test successful!"

Create a policy-bound token, test access, and revoke it. This simulates user/app authentication. Major pitfall: Always revoke test tokens to prevent security leaks.

Access the Vault UI

Open http://127.0.0.1:8200 in your browser. Log in with the root token. Explore Secrets > secret/, Policies, and Audit Logs. The UI makes debugging easy for beginners.

Best Practices

  • Never use root token in production: Create ephemeral tokens/app roles.
  • Enable audit logging: vault audit enable file file_path=/var/log/vault_audit.log.
  • Use auto-unseal: With AWS KMS or GCP for zero-downtime.
  • Integrate with CI/CD: Store GitHub Actions creds in Vault.
  • Migrate to Raft storage: storage "raft" { path = "/opt/vault/data" } for HA.

Common Errors to Avoid

  • Vault sealed: Always run vault operator unseal after restart; check vault status.
  • Wrong VAULT_ADDR: Export it before any CLI command.
  • Forgot to mount: Use vault secrets list to check; enable before use.
  • Overly permissive policies: Test with vault token capabilities $TOKEN path.

Next Steps

Dive into advanced engines (PKI, DB creds). Check the official Vault docs. Explore our Learni DevOps and security training for HashiCorp certification paths.