Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Description=vault server consul.service
ExecStart=/usr/local/sbin/vault server $OPTIONS -config=/etc/vault.d
ExecStartPost=/bin/bash -c "for key in $KEYS; do /usr/local/sbin/vault unseal $CERT $key; done"
Copy link

bweston92 commented Jul 14, 2016

Thank you!

Copy link

mohamedhaleem commented Feb 22, 2017

can you share the setup of the EnvironmentFile (/etc/sysconfig/vault) ?

Copy link

JanisOrlovs commented Jul 10, 2017

I could suggest, that best practice is to run vault under specific non-administrative user

Copy link

bramswenson commented Nov 12, 2017

Your unseal keys should never be variables in your environment. Unsealing is meant to be the one and only manual process. What you are doing is extremely unsafe. You may know this already, but just in case, the details are here: hashicorp/vault#72

Note: Unsealing makes the process of automating a Vault install difficult. Automated tools can easily install, configure, and start Vault, but unsealing it is a very manual process. We have plans in the future to make it easier. For the time being, the best method is to manually unseal multiple Vault servers in HA mode. Use a tool such as Consul to make sure you only query Vault servers that are unsealed.

Copy link

bramswenson commented Nov 12, 2017

Also, this file would not safely stop vault on shutdown.

This would be much safer...

ExecStop=/full/path/to/vault step-down

Copy link

okeddie commented Dec 30, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment