Overview
This guide explains how to deploy HashiCorp Vault in High Availability (HA) mode using Raft (integrated) storage.
Vault HA cluster:
- One node acts as the leader (active node)
- The other nodes act as standby replicas
- Automatic failover
- Secure secret management with TLS encryption
Architecture Components
Before deploying Vault, ensure the following infrastructure is in place:
- HAProxy → load balancer
- Keepalived → failover mechanism for the load balancer
- Virtual IP (VIP) → single stable endpoint
This ensures clients always connect to a consistent endpoint.
Ports Used
- 8200 → Vault API (client traffic, TLS)
- 8201 → Cluster communication (Raft and request forwarding between nodes)
Prerequisites
- Minimum 3 Linux servers
- Network connectivity between nodes (ports 8200 and 8201)
- Root / sudo access
- Internet access
- Basic Linux knowledge
Phase 1 — Create Vault User
sudo useradd --system --home /etc/vault.d --shell /bin/false vault
id vault
Phase 2 — Create Required Directories
sudo mkdir -p /etc/vault.d
sudo mkdir -p /opt/vault/data
sudo mkdir -p /etc/vault.d/tls
sudo mkdir -p /var/log/vault
sudo chown -R vault:vault /etc/vault.d
sudo chown -R vault:vault /opt/vault
sudo chown vault:vault /var/log/vault
sudo chmod 750 /var/log/vault
Phase 3 — Install Vault
sudo apt update
sudo apt install unzip -y
cd /tmp
wget https://releases.hashicorp.com/vault/<version>/vault_<version>_linux_amd64.zip
# Verify the download against the published checksum list before installing
wget https://releases.hashicorp.com/vault/<version>/vault_<version>_SHA256SUMS
sha256sum --check --ignore-missing vault_<version>_SHA256SUMS
unzip vault_<version>_linux_amd64.zip
sudo mv vault /usr/local/bin/
sudo chmod +x /usr/local/bin/vault
vault --version
which vault
Phase 4 — Generate TLS Certificates
mkdir ~/vault-tls
cd ~/vault-tls
# Private CA (keep vault-ca.key offline once the server certificates are signed)
openssl genrsa -out vault-ca.key 4096
openssl req -x509 -new -nodes \
-key vault-ca.key \
-out vault-ca.crt \
-days 3650 \
-subj "/CN=Vault Root CA"
# Server key, CSR and CA-signed certificate; the SANs must cover every address clients use (VIP and node IP).
# Repeat per node, or list every node IP in one certificate.
openssl genrsa -out vault.key 2048
openssl req -new -key vault.key -out vault.csr -subj "/CN=vault"
printf 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:<VIP>,IP:<node-ip>\nextendedKeyUsage=serverAuth\n' > vault-san.cnf
openssl x509 -req -in vault.csr -CA vault-ca.crt -CAkey vault-ca.key -CAcreateserial \
-out vault.crt -days 825 -extfile vault-san.cnf
Phase 5 — Install TLS Certificates
sudo cp vault.crt vault.key vault-ca.crt /etc/vault.d/tls/
sudo chown vault:vault /etc/vault.d/tls/*
sudo chmod 600 /etc/vault.d/tls/vault.key
Phase 6 — Trust Certificate Authority
sudo cp /etc/vault.d/tls/vault-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Phase 7 — Configure Vault
File:
/etc/vault.d/vault.hcl
ui = true
cluster_name = "vault-cluster"

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"
  tls_key_file    = "/etc/vault.d/tls/vault.key"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node-1"   # must be unique on every node (node-1, node-2, node-3)
}

# Address clients use (the VIP) and this node's own address for Raft/cluster traffic
api_addr      = "https://<VIP>:8200"
cluster_addr  = "https://<node-ip>:8201"
disable_mlock = true
Use the same file on every node, changing only node_id and cluster_addr. Then restrict access to it:
sudo chown vault:vault /etc/vault.d/vault.hcl
sudo chmod 640 /etc/vault.d/vault.hcl
Phase 8 — Create Systemd Service
File:
/etc/systemd/system/vault.service
[Unit]
Description=HashiCorp Vault
Wants=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable vault
sudo systemctl start vault
sudo systemctl status vault
Phase 9 — Initialize Vault
Run this once, on the first node only:
export VAULT_ADDR=https://<VIP>:8200
export VAULT_CACERT=/etc/vault.d/tls/vault-ca.crt
vault operator init
If the load balancer's health check does not yet pass traffic to an uninitialized node, point VAULT_ADDR at the first node directly (https://<node-ip>:8200) for this step.
Save securely (offline, never inside Vault itself or in a shell history):
- Unseal keys (by default 5 key shares, any 3 of which are needed to unseal)
- Root token
Phase 10 — Unseal Vault
Unsealing is a per-node operation, so each unseal command must reach the node being unsealed. On the first node, provide a different unseal key each time until the threshold is met:
vault operator unseal
vault operator unseal
vault operator unseal
vault status
Phase 11 — Join Additional Nodes
On each additional node, set VAULT_ADDR to that node's own address (https://<node-ip>:8200) so the join request reaches the node being added rather than the leader behind the VIP, then join it to the cluster:
vault operator raft join https://<VIP>:8200
Then unseal each node with the same unseal keys:
vault operator unseal
vault operator unseal
vault operator unseal
Phase 12 — Verify Cluster
vault operator raft list-peers
All nodes should be listed, with exactly one shown as leader and the rest as followers.
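As an added check after list-peers (example script, not part of this guide or of Vault itself), the following Python script maps each node's /v1/sys/health reply to a role and flags the conditions the guide warns about: a sealed node after a restart, a node that has not joined, and no or more than one active node. It assumes the CA path from Phase 6; the sample replies are constructed, and fetch_health is the hypothetical live path.

```python
import json
import ssl
import urllib.error
import urllib.request

# HTTP status codes that GET /v1/sys/health returns with default query parameters.
HEALTH_CODES = {200: "active", 429: "standby", 472: "dr-secondary",
                473: "performance-standby", 501: "uninitialized", 503: "sealed"}

def parse_health(addr, status_code, body):
    """Reduce one node's /v1/sys/health reply (status + JSON body) to a dict."""
    data = json.loads(body)
    return {"addr": addr,
            "role": HEALTH_CODES.get(status_code, "unknown(%d)" % status_code),
            "initialized": bool(data.get("initialized")),
            "sealed": bool(data.get("sealed")),
            "version": data.get("version", "?")}

def fetch_health(addr, ca_file="/etc/vault.d/tls/vault-ca.crt"):
    """Query a live node (assumed reachable); non-200 codes are answers, not failures."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(addr + "/v1/sys/health", context=ctx, timeout=5) as r:
            return parse_health(addr, r.status, r.read())
    except urllib.error.HTTPError as e:
        return parse_health(addr, e.code, e.read())

def cluster_findings(nodes):
    """List problems for the whole cluster; an empty list means it looks healthy."""
    problems = []
    active = [n for n in nodes if n["role"] == "active"]
    if len(active) != 1:
        problems.append("expected exactly 1 active node, found %d" % len(active))
    for n in nodes:
        if not n["initialized"]:
            problems.append("%s is not initialized (raft join pending?)" % n["addr"])
        elif n["sealed"]:
            problems.append("%s is sealed (unseal it after restart)" % n["addr"])
    if len({n["version"] for n in nodes}) > 1:
        problems.append("nodes run different Vault versions")
    return problems

SAMPLE = [  # constructed sample replies for three nodes, not captured from a real cluster
    ("https://10.0.0.11:8200", 200, '{"initialized":true,"sealed":false,"standby":false,"version":"1.15.0"}'),
    ("https://10.0.0.12:8200", 429, '{"initialized":true,"sealed":false,"standby":true,"version":"1.15.0"}'),
    ("https://10.0.0.13:8200", 503, '{"initialized":true,"sealed":true,"standby":true,"version":"1.15.0"}'),
]

def check_sample():
    return cluster_findings([parse_health(a, c, b) for a, c, b in SAMPLE])
```

Against real nodes, replace SAMPLE with `[fetch_health(a) for a in node_addrs]` and feed the list to cluster_findings; querying each node by its own address rather than the VIP is what makes a sealed standby visible.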
Phase 13 — Enable Audit Logging
vault audit enable file file_path=/var/log/vault/audit.log
vault audit list
Phase 14 — Configure Log Rotation
Vault keeps writing to the open audit file until it receives SIGHUP, so the postrotate step is needed for new entries to land in the fresh file.
File:
/etc/logrotate.d/vault
/var/log/vault/audit.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 0600 vault vault
    postrotate
        systemctl kill --signal=HUP vault.service
    endscript
}
Common Commands
vault status
vault operator raft list-peers
vault operator unseal
vault operator raft snapshot save backup.snap
Important Notes
- Store unseal keys securely, ideally split among separate custodians
- Protect the root token
- Vault seals after a reboot
- Each node must be manually unsealed after a restart
- Renew TLS certificates before expiry
Conclusion
This setup provides:
- A highly available Vault cluster
- Secure secret storage
- Fault tolerance with automatic failover
- A production-ready architecture using the Raft backend