How to Install Vault on Ubuntu


Vault is a tool developed by HashiCorp for managing secrets and sensitive data. It provides a secure and centralized platform for storing, accessing, and controlling access to passwords, API keys, certificates, and other confidential information.

The following text explains how to install Vault on Ubuntu using three different approaches.

How to Install Vault on Ubuntu


  • Ubuntu system (this tutorial uses Ubuntu 22.04).
  • A user account with sudo privileges
  • Access to the terminal.

Install Vault on Ubuntu from the Official Git Repository

One way to install Vault is from the official Git repository. It contains the latest features, enhancements, and bug fixes that are not always available in the stable releases distributed through package managers. To get Vault via the Git repository, follow the steps in the sections below.

Step 1: Install and Configure Go

When installing Vault via the official Git repository, Go needs to be installed and properly configured.

Follow these steps:

1. Update system packages

sudo apt update
sudo apt update terminal output

2. Install Go:

sudo apt install golang
Terminal output for sudo apt install golang

3. Confirm the installation was successful:

go version
Terminal output for go version

4. Set up environment variables by editing the ~/.bashrc file. Open the file in a text editor and add the following lines:

echo 'export GOPATH="$HOME/go"' >> ~/.bashrc
echo 'export PATH="$PATH:/usr/local/go/bin:$GOPATH/bin"' >> ~/.bashrc
Editing .bashrc file in Vim

5. Save and exit the file.

6. Refresh the shell by running:

source ~/.bashrc

The command has no output

7. Verify GOPATH is correctly set by running:

echo $GOPATH
echo $GOPATH

The terminal returns the directory Go is installed in. GOPATH is an environment variable Go uses to specify the Go workspace root directory. The workspace contains the Go source code files, their compiled binaries, and other related files.

If the terminal returns an empty line, it means GOPATH is not set. Set it manually by adding the following line to the ~/.bashrc file:

export GOPATH="$HOME/go"
Add export GOPATH="$HOME/go" to .bashrc file in VIm

Save and exit the file and run source ~/.bashrc and echo $GOPATH again.

Step 2: Ensure Git is in the PATH

To verify Git is in the PATH, run the git --version command.

git --version
git --version terminal output

If Git is in the PATH, the terminal prints the version information. If git is not, the terminal returns an error message or shows no output.

Note: If Git is not installed, get Git on Ubuntu by running sudo apt install git.

If Git is installed but not in the PATH, add it by modifying the shell configuration file. Here's how to do it for the ~/.bashrc file:

1. Open the ~/.bashrc file in a text editor:

sudo vim ~/.bashrc

2. Add this line at the end of the file:

export PATH="$PATH:[/path/to/git/directory]"

In this case, [/path/to/git/directory] is /usr/bin/git. Therefore, the command is:

export PATH="$PATH:/usr/bin/git"
Adding Git to PATH in Vim

3. Save the file and exit.

4. Apply changes to the current shell session:

source ~/.bashrc

The command has no output.

5. Run the git --version command again.

git --version terminal output

The terminal prints the Git version output.

Step 3: Clone the Vault Repository

Cloning the Vault repository is essential as it allows users to obtain the Vault source code from the official GitHub repository. To do this, run the following command:

mkdir -p $GOPATH/src/ && cd $_<br>git clone<br>cd vault
mkdir -p $GOPATH/src/ && cd $_git clone vault terminal output

The command consists of the following:

Step 4: Bootstrap the Project

Bootstrapping includes fetching and compiling essential dependencies, libraries, and tools to construct the Vault binary. This ensures all prerequisites are set up correctly before moving forward with the build process.

Executing this step via the make bootstrap command guarantees the project is appropriately configured and ready for compilation. Run the following:

make bootstrap
make bootstrap terminal output

Step 5: Build Vault

Compile Vault for your system with the make dev command. The command stores the compiled program in a directory called bin.

make dev
make dev terminal output

Step 6: Confirm Vault Installation

Run vault to verify the program is successfully installed on the system

Terminal output for vault command

Install Vault on Ubuntu via Package Manager

Using a package manager to download and install Vault on Ubuntu offers a streamlined installation process. The process configures dependencies automatically and makes the installation process faster. The following text elaborates on installing Vault using the package manager.

Step 1: Update Local Package Index

Ensure the system's package manager is up-to-date by running the following command:

sudo apt update
terminal output for sudo apt update

Step 2: Install GPG

When installing Vault from a package manager, it's crucial to ensure the packages come from a trusted source. GPG helps by providing cryptographic signatures for packages to verify their authenticity.

If GPG is not already installed, install it using the following command:

sudo apt install gpg
sudo apt install gpg terminal output

Step 3: Download a Keyring

Download the HashiCorp keyring and save it as a GPG keyring file:

wget -O- | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
Downloading keyring terminal output

The command above does the following:

  • Downloads a keyring file from HashiCorp's website using the wget command.
  • Converts this file into a format easier for the system to use for security purposes with sudo gpg --dearmor -o.
  • Saves the converted keyring as a GPG keyring file named hashicorp-archive-keyring.gpg in the /usr/share/keyrings/ directory. Here, the package manager uses it to ensure the authenticity of HashiCorp's package during installation.

Step 4: Verify Keyring Authenticity

To confirm the downloaded keyring's authenticity, run the following:

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

Verifying keyring terminal output

The command instructs GPG to examine the specified keyring file and display the fingerprint associated with its keys.

Step 5: Add the HashiCorp Repository to the System's Package Sources List

This following command adds the HashiCorp repository to the system's list of package sources:

echo "deb [arch=$(dpkg --print-architecture) signed by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

The command contains the following:

  • echo. Prints text to the terminal.
  • "deb [arch=$(dpkg --print-architecture) signed by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] $(lsb_release -cs) main". Specifies the repository's configuration details.
  • sudo tee /etc/apt/sources.list.d/hashicorp.list. Writes the echo command output to the file /etc/apt/sources.list.d/hashicorp.list. This ensures the package manager recognizes the HashiCorp repository as a valid source. 

The command has no output.

Once completed, update the package manager once more with sudo apt update.

Step 6: Install Vault

Use the following command to install Vault:

sudo apt install vault
sudo apt install vault terminal output

Following these steps ensures a smooth Vault installation on the Ubuntu system using the package manager. There is no need to configure Vault, unlike with the manual installation. Verify the installation is successful by executing:

vault command terminal output

Install Vault on Ubuntu via Binary Installation

While more complex, the binary method for Vault installation on Ubuntu offers flexibility, control, and ease of upgrade compared to other methods. The following steps explain how to install Vault on Ubuntu via the binary installation process.

Step 1: Install Consul

Consul is a scalable service discovery and configuration system. It offers features like service registration, health checks, and a distributed key-value store. Consul integration allows Vault to securely manage dynamic secrets and ensures reliable communication between Vault servers and clients.

To install Consul on Ubuntu, take the following steps:

1. Navigate to the official Consul webpage and click the Download button.

The browser takes you to the Download page with all the available packages.

2. Search for the Linux section and the Binary download subsection.

Binary download subsection

At the time of writing this article, the latest available version was 1.17.3. There are four available downloads for different system architectures.

3. Choose the download compatible with the system's architecture. In this example, it's AMD64.

4. Right-click the Download button and copy the link location, as it is needed in the next step.

copying download link address

5. Open the terminal and use the wget command to download the Consul package:

wget [copied Consul URL]

In this example, it is:

wget terminal output

6. Unzip the package with the command:

unzip consul terminal output

The command varies depending on the version. Make sure to use the correct version in the command.

Note: To download unzip software, use the command sudo apt install unzip –y.

7. Move the installation package by typing the following command:

sudo mv consul /usr/bin

The command has no output. However, it moves the Consul installation package to /usr/bin, which allows users to execute the Consul binary from any directory within the system without specifying its full path.

8. Verify the installation with the command:

consul terminal output

The output lists all available consul commands.

Step 2: Configure Consul

1. Create and open a new file with a text editor of choice. This example uses Vim:

sudo vim /etc/systemd/system/consul.service

2. Add the following content to the consul.service file:





ExecStart=/usr/bin/consul agent -server -ui -data-dir=/temp/consul -bootstrap-expect=1 -node=vault -bind= -config-dir=/etc/consul.d/

ExecReload=/bin/kill -HUP $MAINPID


consul.service configuration in vim

Note: In the ExecStart line, the -bind option should include your IP address. Make sure to add it.

The consul.service file content specifies its configuration and behavior and ensures it is automatically started during system boot. It includes:

  • [Unit]. Provides metadata about the unit, including a description and documentation link.
  • Description=Consul. Describes the service's purpose, which in this case is Consul.
  • Documentation= Provides a link to the documentation for Consul.
  • [Service]. Defines how the service is to be executed.
  • ExecStart=/usr/bin/consul agent. Specifies the command to start the Consul agent.
  • ExecReload=/bin/kill -HUP $MAINPID. Defines the command to reload the service configuration without stopping it completely.
  • LimitNOFILE=65536. Sets a limit on the number of open files the service has.
  • [Install]. Specifies how the service is to be installed.
  • Indicates the service starts automatically when the system reaches the multi-user target, which is a basic system initialization level.

3. Save and exit the file.

4. Create a configuration directory

sudo mkdir /etc/consul.d

5. The UI configuration file (ui.json) is used to customize various aspects of Consul's user interface, such as enabling or disabling specific features, defining ACL settings, configuring UI themes, etc.

Create a new .json file in the directory:

sudo vim /etc/consul.d/ui.json

5. Set up the Consul UI to listen on all available network interfaces ( for HTTP connections by adding the following to the newly created file:


"addresses": {

"http": ""


json file configuration

6. Save and exit the file.

7. Reload the system for the changes to take effect:

systemctl daemon-reload

The command has no output.

8. Start the service with:

systemctl start consul

9. Enable Consul with:

systemctl enable consul
systemctl enable consul terminal output

10. Verify the service is up and running with the journalctl command:

sudo journalctl -u consul
sudo journalctl -u consulterminal output

11. Open a web browser and navigate to the URL:


Consul online management platform

This opens HashiCorp's online management platform and displays available services. If Consul is listed as a service, you have successfully set up the software.

Step 3: Installing Vault on Ubuntu

With Consul in place, install Vault on the Ubuntu system.

1. Go to Vault's official website and click Download.

Vault website, download  button

2. Scroll down to the Linux section.

3. Find the Binary download subsection.

Find the Binary download

4. Choose the download compatible with the system architecture. In this example, it is AMD64.

2. Right-click the Download button and note the link location.

Vault download copying link adress

5. Using the wget command, download the package by pasting the link location copied in the previous step:

Download vault with wget

4. Unzip the package using the following command:

unzip vault terminal output

5. Move the package to the /usr/bin directory:

sudo mv vault /usr/bin

The command has no output

6. Check the installation using the following command:

vault terminal output

The output shows all available vault commands.

Step 4: Configure Vault

In binary Vault installation, configuring Vault is crucial because it allows users to set up Vault's behavior. Proper configuration ensures Vault operates securely and according to the user's specific requirements. Take the following steps to configure Vault:

1. Create a configuration directory

sudo mkdir /etc/vault

The command has no output.

2. Vault's configuration file, config.hcl, is written in HCL (HashiCorp Configuration Language). With a simpler syntax than JSON or YAML, HCL enhances flexibility and readability, which is particularly useful for specifying policies, authentication methods, secret engines, and other advanced settings in Vault.

Make a configuration file within the directory using a text editor. For instance, to create it with Vim, run:

sudo vim /etc/vault/config.hcl

3. Type or paste the following content into the file:

storage "consul" {
  address = ""
  path    = "vault/"

listener "tcp" {
  address     = "IP.ADDRESS.OF.SERVER:8200" # or "" to listen to everything
  tls_disable = 1

ui = true

For example:

vault config file in vim

The configuration file consists of:

  • storage "consul". Specifies that Vault uses Consul as its storage backend. It provides the Consul server address ( and the path where Vault's data is to be stored ("vault/").
  • listener "tcp". Defines how Vault listens for incoming connections. It specifies the address and port (IP.ADDRESS.OF.SERVER:8200) where Vault should listen to client requests. 
  • tls_disable=1.Indicates TLS (Transport Layer Security), which provides secure communication over a network, is disabled in this configuration. Disabling TLS simplifies the configuration and makes it easier to set up and manage Vault,
  • ui = true. Enables the Vault Web UI, allowing users to interact with Vault using a graphical interface.

Note: Make sure to replace "IP.ADDRESS.OF.SERVER" with the actual IP address of your server or "" if you want to listen to all available interfaces.

4. Save and exit the file.

5. Create a UNI (.uni) file. Vault typically uses HCL for more complex configurations and UNI for simpler, more straightforward configurations. To make a .uni file in Vim, execute:

sudo vim /etc/systemd/system/vault.service

6. Make sure the file content matches the one below:


ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill -HUP $MAINPID

vault .uni configuration file

The configuration file is similar to the consul.service configuration file and consists of:

  • [Unit]. Shows metadata about the unit.
  • Description. Explains the unit purpose, which is running Vault.
  • Documentation. Establishes a link to additional documentation for Vault.
  • [Service]. Specifies how the service is to be executed and managed.
  • ExecStart. Determines the command to start the Vault server, including the path to the Vault binary and the configuration file location.
  • ExecReload. Defines the command to reload the service configuration without interrupting service.
  • LimitNOFILE. Sets the maximum number of open file descriptors the Vault process is allowed to use.
  • Restart. Specifies the conditions under which the service is to be restarted.
  • RestartSec. Sets the time to wait before restarting the service.
  • [Install]. Configures installation-related properties.
  • WantedBy. Specifies the target the service should start under. In this case, it's, which means Vault starts when the system enters the multi-user mode.

7. Save and exit the file.

8. Confirm the changes with:

systemctl daemon-reload

9. Start vault with:

systemctl start vault

10. Enable vault with:

systemctl enable vault
systemctl enable vault terminal output

11. Verify the vault status with:

systemctl status vault
systemctl status vault terminal output

The status shows the service is active (running).

12. Using a vault client, connect to the running service with the command:


The IP.ADDRESS.OF.VAULT is to be replaced with the actual IP address and the appropriate port number.

In this example, the command is:

export VAULT_ADDR=

The command has no output.

Step 5: Initialize Vault

As you have already installed Consul to serve as the back-end storage, initialize Vault manually for it to work correctly. Take the following steps:

1. Run the following command to see the current Vault status:

vault status
vault status terminal output

As in the image above, the output displays Vault is sealed and not initialized yet.

2. To change Vault's status, users need three keys. Find them by running the command:

vault operator init
vault operator init terminal output

The terminal returns five Unseal Keys as well as the Initial Root Token. Moreover, it explains that users need to supply at least three keys when the Vault package is resealed, restarted, or stopped. Otherwise, Vault remains sealed. Therefore, copy all five keys and paste them into a separate file.

3. Run the command:

vault operator unseal
vault operator unseal terminal output

4. Copy and paste the first key and hit Enter.

5. Repeat the command three times using the three keys. After the last one, the vault Sealed status changes to false.

vault operator init unsealed terminal output

6. The last step to unseal Vault is to run the following command with the Initial Root Token (listed with the Unseal Keys):

vault login [root_token]
vault login terminal output

7. Now, check the status again to verify the software has been initialized:

vault status
vault status initialized true terminal output


After reading this article, you know how to install Vault on Ubuntu using three different methods.

Next, protect your machine by learning about Linux security stats, tools, and best practices.

Was this article helpful?
Sara Zivanov
Sara Zivanov is a technical writer at phoenixNAP who is passionate about making high-tech concepts accessible to everyone. Her experience as a content writer and her background in Engineering and Project Management allows her to streamline complex processes and make them user-friendly through her content.
Next you should read
How to Install Hashicorp Vault on CentOS 7
December 17, 2019

If you need a management system that will store and protect your authentication and authorization data, you...
Read more
How To Install SSL Certificate on Apache for CentOS 7
September 15, 2019

Learn how to obtain and install SSL Certificates on Apache CentOS 7. The article explains how to use an...
Read more
21 Server Security Tips to Secure Your Server
January 11, 2023

Hackers are always on the lookout for server vulnerabilities. Minimize risks and be confident your data is...
Read more
Vagrant Tutorial: Everything a Beginner Needs To Know
April 17, 2019

Vagrant is a tool for configuring and deploying an exact image of a virtual operating system. It is often...
Read more