HashiCorp Vault is an open-source tool for managing secrets, encryption keys, and sensitive credentials with fine-grained access control and audit logging. This guide deploys Vault using Docker Compose with the Raft integrated storage backend and Traefik handling automatic HTTPS, then initializes and unseals the cluster. By the end, you'll have a production-grade Vault accessible securely at your domain.
Set Up the Directory Structure and Configuration
1. Create the project directory structure:
$ mkdir -p ~/vault/{config,data,logs,letsencrypt}
2. Set ownership for the data and log directories:
$ sudo chown -R 100:100 ~/vault/data ~/vault/logs
$ cd ~/vault
3. Create the Vault configuration file:
$ nano config/vault.hcl
ui = true
storage "raft" {
path = "/vault/data"
node_id = "node1"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = "true"
}
api_addr = "https://vault.example.com"
cluster_addr = "http://vault:8201"
disable_mlock = false
4. Create the environment file:
$ nano .env
VAULT_DOMAIN=vault.example.com
LETSENCRYPT_EMAIL=admin@example.com
Deploy with Docker Compose
1. Add your user to the Docker group:
$ sudo usermod -aG docker $USER
$ newgrp docker
2. Create the Docker Compose manifest:
$ nano docker-compose.yml
services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
environment:
DOCKER_API_VERSION: "1.44"
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--certificatesresolvers.le.acme.httpchallenge=true"
- "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}"
- "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
vault:
image: hashicorp/vault:latest
container_name: vault
restart: unless-stopped
cap_add:
- IPC_LOCK
ports:
- "8200:8200"
volumes:
- ./config:/vault/config
- ./data:/vault/data
- ./logs:/vault/logs
environment:
VAULT_ADDR: "http://127.0.0.1:8200"
VAULT_API_ADDR: "http://127.0.0.1:8200"
command: server
labels:
- "traefik.enable=true"
- "traefik.http.routers.vault.rule=Host(`${VAULT_DOMAIN}`)"
- "traefik.http.routers.vault.entrypoints=websecure"
- "traefik.http.routers.vault.tls=true"
- "traefik.http.routers.vault.tls.certresolver=le"
- "traefik.http.services.vault.loadbalancer.server.port=8200"
3. Start the services:
$ docker compose up -d
4. Verify the services are running:
$ docker compose ps
Initialize and Unseal Vault
1. Initialize the Vault cluster:
$ docker exec -it vault vault operator init
Save the five unseal keys and the initial root token from the output in a secure location — they cannot be recovered.
2. Open the UI:
Navigate to https://vault.example.com in a browser.
3. Unseal the vault:
Enter any 3 of the 5 unseal keys, then authenticate with the initial root token.
Next Steps
Vault is running, initialized, and unsealed over HTTPS. From here you can:
- Enable secrets engines such as KV, database, or PKI
- Configure auth methods like AppRole, OIDC, or tokens for applications
- Set up audit devices and automate unsealing with auto-unseal
For the full guide with additional tips, visit the original article on Vultr Docs.
Top comments (0)