$docker.recipes

HashiCorp Vault

intermediate

Secrets management and data protection platform.

[i]Overview

HashiCorp Vault is an enterprise-grade secrets management platform designed to secure, store, and tightly control access to tokens, passwords, certificates, API keys, and other sensitive data in modern computing environments. Originally developed by HashiCorp in 2015, Vault has become the de facto standard for secrets management across cloud-native and traditional infrastructure, offering dynamic secrets generation, encryption as a service, and comprehensive audit logging capabilities that address the growing complexity of managing secrets at scale.

This Docker configuration deploys Vault in development mode with automatic unsealing and root token authentication, making it immediately accessible for testing secrets workflows, evaluating encryption capabilities, and prototyping secrets management strategies. The setup includes persistent storage for secrets data and audit logs, along with the necessary IPC_LOCK capability that allows Vault to prevent sensitive data from being swapped to disk, ensuring memory-resident secrets remain secure.

This deployment is ideal for development teams building applications that require centralized secrets management, security engineers evaluating Vault's capabilities, and organizations planning production Vault implementations. The development mode configuration provides immediate access to Vault's full feature set, including multiple secrets engines, authentication methods, and policy-based access controls, making it well suited to proof-of-concepts and local development workflows before transitioning to production-hardened deployments.

[*]Key Features

  • [+]Dynamic secrets generation with automatic rotation for databases, cloud providers, and SSH access
  • [+]Encryption as a service providing centralized cryptographic operations without exposing keys
  • [+]Multiple secrets engines including key-value store, PKI certificate authority, and transit encryption
  • [+]Policy-based access control with fine-grained permissions and identity-based authentication
  • [+]Comprehensive audit logging tracking all secret access and administrative operations
  • [+]Leasing and renewal system with automatic secret expiration and revocation capabilities
  • [+]Web UI and CLI access for both interactive management and programmatic integration
  • [+]Development mode with automatic unsealing and root token for immediate testing access

[#]Common Use Cases

  • [1]Application secrets management for microservices requiring database credentials and API keys
  • [2]Database credential rotation implementing zero-downtime password changes for production systems
  • [3]PKI certificate authority for issuing and managing TLS certificates in container environments
  • [4]Encryption key management for applications requiring field-level data encryption
  • [5]Development environment secrets sharing across team members without hardcoded credentials
  • [6]CI/CD pipeline integration for secure deployment credential management
  • [7]Multi-cloud secrets synchronization across AWS, Azure, and Google Cloud Platform services

[!]Prerequisites

  • [!]Minimum 512MB RAM allocated to Docker (Vault development mode baseline requirement)
  • [!]Port 8200 available for Vault API and web interface access
  • [!]VAULT_TOKEN environment variable configured for root authentication access
  • [!]Basic understanding of secrets management concepts and JSON/CLI interaction patterns
  • [!]Docker host with IPC_LOCK capability support for memory protection features

WARNING: For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

[$]docker-compose.yml

[docker-compose.yml]
services:
  vault:
    image: hashicorp/vault:latest
    container_name: vault
    restart: unless-stopped
    cap_add:
      - IPC_LOCK
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
    volumes:
      - vault_data:/vault/file
      - vault_logs:/vault/logs

volumes:
  vault_data:
  vault_logs:

[$].env Template

[.env]
VAULT_TOKEN=myroot
# Development mode - use proper storage backend for production
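Before this recipe is promoted beyond a developer machine, a check like the following flags the settings the warning above refers to. It is an added example, not code from docker.recipes or the Vault project; the embedded compose and .env text are trimmed copies of the files above, constructed here so the script runs offline.

```python
"""Added example, not part of the docker.recipes page: a pre-deployment check
that flags this recipe's development-only settings before they reach production."""
import re

# Constructed copies of the recipe's docker-compose.yml and .env (trimmed).
COMPOSE = """services:
  vault:
    image: hashicorp/vault:latest
    cap_add:
      - IPC_LOCK
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
"""
DOTENV = "VAULT_TOKEN=myroot\n# Development mode - use proper storage backend for production\n"

def audit_vault_recipe(compose: str, dotenv: str) -> list[str]:
    """Return one finding per unsafe setting; an empty list means none flagged."""
    env = dict(re.findall(r"^\s*([A-Z_][A-Z0-9_]*)=(.*)$", dotenv, re.M))
    findings = []
    if re.search(r"^\s*VAULT_DEV_ROOT_TOKEN_ID:", compose, re.M):
        findings.append("dev mode: fixed root token, in-memory storage, auto-unseal")
    if env.get("VAULT_TOKEN", "") in ("", "myroot"):
        findings.append("VAULT_TOKEN unset or left at the template default 'myroot'")
    if re.search(r"^\s*VAULT_DEV_LISTEN_ADDRESS:\s*0\.0\.0\.0:", compose, re.M) \
            and re.search(r'^\s*-\s*"?8200:8200"?\s*$', compose, re.M):
        findings.append("plaintext HTTP API bound to 0.0.0.0 and published on host port 8200")
    if re.search(r"^\s*image:\s*hashicorp/vault:latest\s*$", compose, re.M):
        findings.append("image tag 'latest' is unpinned; rollouts are not reproducible")
    if not re.search(r"^\s*-\s*IPC_LOCK\s*$", compose, re.M):
        findings.append("IPC_LOCK missing: Vault cannot mlock secrets out of swap")
    return findings

if __name__ == "__main__":
    for finding in audit_vault_recipe(COMPOSE, DOTENV):
        print("FINDING:", finding)
```

Run as written it reports four findings for the recipe above; pinning the image and replacing the default token leaves the two that are inherent to dev mode.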

[i]Usage Notes

  1. [1]Docs: https://developer.hashicorp.com/vault/docs
  2. [2]Access UI at http://localhost:8200 - login with VAULT_TOKEN
  3. [3]Dev mode auto-unseals with root token - NOT for production
  4. [4]Enable secrets engines: vault secrets enable -path=secret kv-v2
  5. [5]Store secrets: vault kv put secret/myapp password=secret123
  6. [6]Auth methods: AppRole, Kubernetes, LDAP, OIDC available
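Steps 4 and 5 above, carried through Vault's HTTP API as an added example (not code from docker.recipes or HashiCorp), followed by the step a practitioner usually wants next: a token that can only read the one secret, so the root token never leaves the operator's shell. It assumes VAULT_ADDR and VAULT_TOKEN in the environment, the policy name myapp-read, and nothing beyond the Python standard library.

```python
"""Added example, not from docker.recipes or HashiCorp: runs the usage-notes
steps over Vault's HTTP API, then issues a token limited to read on one path."""
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://localhost:8200")

def kv2_data_path(mount: str, key: str) -> str:
    # kv-v2 serves secret data under <mount>/data/<key>; a policy must name
    # this form, not the bare <mount>/<key> shorthand the CLI accepts.
    return f"{mount.strip('/')}/data/{key.strip('/')}"

def readonly_policy(mount: str, key: str) -> str:
    # Least-privilege HCL: read on exactly one secret, nothing else.
    return 'path "%s" {\n  capabilities = ["read"]\n}\n' % kv2_data_path(mount, key)

def vault_request(token: str, method: str, path: str, body=None) -> dict:
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # empty on 204 (mounts, policies, writes)
    return json.loads(raw) if raw else {}

def main() -> None:
    root = os.environ["VAULT_TOKEN"]  # the dev root token from .env
    try:  # dev mode already mounts kv-v2 at secret/; Vault answers 400 then
        vault_request(root, "POST", "sys/mounts/secret",
                      {"type": "kv", "options": {"version": "2"}})
    except urllib.error.HTTPError as err:
        if err.code != 400:
            raise
    secret = kv2_data_path("secret", "myapp")
    vault_request(root, "POST", secret, {"data": {"password": "secret123"}})
    vault_request(root, "PUT", "sys/policies/acl/myapp-read",
                  {"policy": readonly_policy("secret", "myapp")})
    child = vault_request(root, "POST", "auth/token/create",
                          {"policies": ["myapp-read"], "ttl": "1h"})
    scoped = child["auth"]["client_token"]
    print("read as scoped token:", vault_request(scoped, "GET", secret)["data"]["data"])
    try:  # the scoped token must be refused on write: expect HTTP 403
        vault_request(scoped, "POST", secret, {"data": {"password": "changed"}})
    except urllib.error.HTTPError as err:
        print("write denied as expected:", err.code)

if __name__ == "__main__":
    main()
```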

[>]Quick Start

[terminal]
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  vault:
    image: hashicorp/vault:latest
    container_name: vault
    restart: unless-stopped
    cap_add:
      - IPC_LOCK
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
    volumes:
      - vault_data:/vault/file
      - vault_logs:/vault/logs

volumes:
  vault_data:
  vault_logs:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
VAULT_TOKEN=myroot
# Development mode - use proper storage backend for production
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

[>]One-Liner

Run this command to download and set up the recipe in one step:

[terminal]
curl -fsSL https://docker.recipes/api/recipes/vault/run | bash

[?]Troubleshooting

  • [!]Error 'permission denied' on startup: Ensure Docker has IPC_LOCK capability with --cap-add=IPC_LOCK flag
  • [!]Vault sealed state preventing access: Development mode auto-unseals, check VAULT_DEV_ROOT_TOKEN_ID environment variable
  • [!]Connection refused on localhost:8200: Verify port mapping and VAULT_DEV_LISTEN_ADDRESS set to 0.0.0.0:8200
  • [!]Token authentication failures: Confirm VAULT_TOKEN environment variable matches VAULT_DEV_ROOT_TOKEN_ID value
  • [!]Secrets not persisting between restarts: Check the vault_data volume mount and ensure proper write permissions. Note that development mode keeps its storage in memory, so anything written to a dev-mode container is lost on restart regardless of the volume; persistence requires server mode with a real storage backend, as the .env comment notes
  • [!]High memory usage warnings: Allocate additional RAM as Vault loads secrets engines and maintains audit logs in memory

