docker.recipes

HashiCorp Vault

intermediate

Secrets management and data protection platform.

Overview

HashiCorp Vault is a secrets management platform for storing and tightly controlling access to tokens, passwords, certificates, API keys, and other sensitive data. First released by HashiCorp in 2015, it is widely used across cloud-native and traditional infrastructure for dynamic secrets, encryption as a service, and audit logging of every secret access and administrative operation. This Docker configuration runs Vault in development mode: the server starts already initialised and unsealed, uses an in-memory storage backend, listens over plaintext HTTP, and authenticates with the root token taken from VAULT_TOKEN, which makes it immediately usable for testing secrets workflows, trying the encryption engines, and prototyping policies. Because storage is in memory, everything written to this Vault is lost when the container restarts; the vault_data volume is not consulted in dev mode and only matters for a non-dev server with a file storage backend, while vault_logs gives a file audit device somewhere to write. The IPC_LOCK capability lets Vault mlock its memory so that secrets are not swapped to disk. The deployment suits development teams building applications against Vault, security engineers evaluating its secrets engines, authentication methods, and policy-based access control, and proof-of-concepts ahead of a production-hardened deployment. It is not a place to keep real secrets: the root token sits in a plaintext .env file and the API is unauthenticated TLS-free HTTP on port 8200.

Key Features

  • Dynamic secrets generation with automatic rotation for databases, cloud providers, and SSH access
  • Encryption as a service providing centralized cryptographic operations without exposing keys
  • Multiple secrets engines including key-value store, PKI certificate authority, and transit encryption
  • Policy-based access control with fine-grained permissions and identity-based authentication
  • Comprehensive audit logging tracking all secret access and administrative operations
  • Leasing and renewal system with automatic secret expiration and revocation capabilities
  • Web UI and CLI access for both interactive management and programmatic integration
  • Development mode with automatic unsealing and root token for immediate testing access

Common Use Cases

  • Application secrets management for microservices requiring database credentials and API keys
  • Database credential rotation implementing zero-downtime password changes for production systems
  • PKI certificate authority for issuing and managing TLS certificates in container environments
  • Encryption key management for applications requiring field-level data encryption
  • Development environment secrets sharing across team members without hardcoded credentials
  • CI/CD pipeline integration for secure deployment credential management
  • Multi-cloud secrets synchronization across AWS, Azure, and Google Cloud Platform services

Prerequisites

  • Minimum 512MB RAM allocated to Docker (Vault development mode baseline requirement)
  • Port 8200 available for Vault API and web interface access
  • VAULT_TOKEN set in the .env file; the compose file passes it to the container as the dev-mode root token, and the same value is what the CLI and UI use to log in
  • Basic understanding of secrets management concepts and JSON/CLI interaction patterns
  • Docker host with IPC_LOCK capability support for memory protection features

For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

docker-compose.yml

docker-compose.yml
services:
  vault:
    image: hashicorp/vault:latest   # pin a specific version tag for reproducible deployments
    container_name: vault
    restart: unless-stopped
    cap_add:
      - IPC_LOCK                    # lets Vault mlock memory so secrets are not swapped to disk
    ports:
      - "8200:8200"                 # use "127.0.0.1:8200:8200" to keep the dev root token off the LAN
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
    volumes:
      - vault_data:/vault/file      # unused in dev mode (in-memory storage); for a file storage backend
      - vault_logs:/vault/logs      # target directory for a file audit device

volumes:
  vault_data:
  vault_logs:

.env Template

.env
VAULT_TOKEN=myroot
# Development mode - use proper storage backend for production

Usage Notes

  1. Docs: https://developer.hashicorp.com/vault/docs
  2. Access the UI at http://localhost:8200 and log in with the VAULT_TOKEN value; for the CLI, export VAULT_ADDR=http://127.0.0.1:8200 and VAULT_TOKEN (dev mode has no TLS, so the scheme is http)
  3. Dev mode starts unsealed with the root token and in-memory storage - NOT for production
  4. Enable secrets engines: dev mode already mounts kv-v2 at secret/, so vault secrets enable -path=secret kv-v2 fails with "path is already in use"; mount a second engine elsewhere, e.g. vault secrets enable -path=kv kv-v2
  5. Store secrets: vault kv put secret/myapp password=secret123
  6. Auth methods: AppRole, Kubernetes, LDAP, OIDC available; applications should log in with one of these and a scoped policy rather than the root token
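The usage notes above list the steps one at a time. The script below is an added example for this page, not part of the docker.recipes recipe or of HashiCorp's tooling, and runs them end to end against the dev container started by the compose file: it waits for the server to report healthy, mounts a second kv-v2 engine (dev mode already has one at secret/), writes a secret, turns on a file audit device in the vault_logs volume, and then creates a read-only policy and an AppRole so an application never handles the root token. The mount name kv, the policy name myapp-read, the role myapp and the sample credentials are illustrative assumptions; it assumes the vault CLI and curl are installed on the host and the dev listener is reachable at http://127.0.0.1:8200.

```bash
#!/usr/bin/env bash
# Added example (not from docker.recipes or HashiCorp): bootstrap a least-privilege
# application identity on the dev-mode Vault from the compose file above.
# Assumes: vault CLI + curl on the host, container listening on 127.0.0.1:8200.
set -eu

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"   # dev listener is plaintext HTTP
export VAULT_TOKEN="${VAULT_TOKEN:-myroot}"                 # dev root token from .env (dev only)

# Render a kv-v2 policy for one application. kv-v2 exposes secrets under
# <mount>/data/<path> and listing under <mount>/metadata/<path>; a policy written
# against <mount>/<path> grants nothing and the app token is denied.
render_app_policy() {
  mount="$1"
  app="$2"
  cat <<EOF
path "${mount}/data/${app}/*" {
  capabilities = ["read"]
}
path "${mount}/metadata/${app}/*" {
  capabilities = ["list"]
}
EOF
}

# /v1/sys/health answers 200 only when the server is initialised and unsealed,
# which a dev-mode server is as soon as it finishes starting.
wait_for_vault() {
  i=0
  while [ "$i" -lt 30 ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$VAULT_ADDR/v1/sys/health" || true)
    [ "$code" = "200" ] && return 0
    i=$((i + 1))
    sleep 1
  done
  echo "vault not healthy at $VAULT_ADDR" >&2
  return 1
}

main() {
  wait_for_vault

  # secret/ is pre-mounted in dev mode; mount a second kv-v2 engine at kv/ (assumed name).
  vault secrets enable -path=kv kv-v2
  vault kv put kv/myapp/db username=app password=s3cret   # constructed sample secret

  # File audit device: JSON lines land in the vault_logs volume of the compose file.
  vault audit enable file file_path=/vault/logs/audit.log

  # Scoped policy + AppRole: the application gets a short-lived token, never the root token.
  render_app_policy kv myapp | vault policy write myapp-read -
  vault auth enable approle
  vault write auth/approle/role/myapp \
    token_policies=myapp-read token_ttl=1h token_max_ttl=4h secret_id_ttl=10m

  role_id=$(vault read -field=role_id auth/approle/role/myapp/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/myapp/secret-id)
  app_token=$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id")

  # The application token can read its own secret ...
  VAULT_TOKEN="$app_token" vault kv get -field=username kv/myapp/db

  # ... but must not be able to overwrite it. A successful put means the policy is too broad.
  if VAULT_TOKEN="$app_token" vault kv put kv/myapp/db username=x >/dev/null 2>&1; then
    echo "policy too broad: app token could write kv/myapp/db" >&2
    exit 1
  fi
  echo "ok: app token is read-only on kv/myapp/*"
}

# Only talk to Vault when explicitly asked; otherwise just define the helpers.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as bash vault-bootstrap.sh run once docker compose up -d has started the container; without the run argument it only defines the helper functions. The kv-v2 path shape is the part most often got wrong: the CLI addresses the secret as kv/myapp/db, but the policy has to grant kv/data/myapp/* (and kv/metadata/myapp/* for listing), otherwise the AppRole token is denied on every read.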

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  vault:
    image: hashicorp/vault:latest
    container_name: vault
    restart: unless-stopped
    cap_add:
      - IPC_LOCK
    ports:
      - "8200:8200"
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN}
      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
    volumes:
      - vault_data:/vault/file
      - vault_logs:/vault/logs

volumes:
  vault_data:
  vault_logs:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
VAULT_TOKEN=myroot
# Development mode - use proper storage backend for production
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step (download the script and read it first if you would rather not pipe a remote script straight into a shell):

terminal
curl -fsSL https://docker.recipes/api/recipes/vault/run | bash

Troubleshooting

  • Startup fails with a message about locking memory (mlock): the container lacks the IPC_LOCK capability; keep cap_add: IPC_LOCK in the compose file or pass --cap-add=IPC_LOCK to docker run
  • Vault reports sealed: a dev-mode server starts unsealed, so a sealed server means the container is not running in dev mode (for example a config file was supplied); check the container command and logs. VAULT_DEV_ROOT_TOKEN_ID only sets the root token, it does not unseal anything
  • Connection refused on localhost:8200: verify the 8200:8200 port mapping and that VAULT_DEV_LISTEN_ADDRESS is 0.0.0.0:8200; the default dev listener binds 127.0.0.1 inside the container and is unreachable through the port mapping
  • Token authentication failures: the VAULT_TOKEN the CLI or UI sends must equal the value in .env that became VAULT_DEV_ROOT_TOKEN_ID; changing .env only takes effect after docker compose up -d recreates the container
  • Secrets not persisting between restarts: this is expected. Dev mode uses in-memory storage and ignores the vault_data volume, so every restart starts from an empty Vault; persistence needs a non-dev server with a storage backend configured
  • High memory usage warnings: in dev mode all secrets live in RAM, and with IPC_LOCK that memory is pinned. Audit logs are written to the file or syslog device you enable, not held in memory, so growth comes from the data you store
