server command starts a Vault server that responds to API requests. By
default, Vault will start in a "sealed" state. The Vault cluster must be
initialized before use, usually by the
vault operator init command. Each Vault
server must also be unsealed using the
vault operator unseal command or the
API before the server can respond to requests.
For more information, please see:
operator initcommand for information on initializing a Vault server.
operator unsealcommand for information on providing unseal keys.
Vault configuration for the syntax and various configuration options for a Vault server.
Start a server with a configuration file:
$ vault server -config=/etc/vault/config.hcl
Run in "dev" mode with a custom initial root token:
$ vault server -dev -dev-root-token-id="root"
The following flags are available in addition to the standard set of flags included on all commands.
(string: "")- Path to a configuration file or directory of configuration files. This flag can be specified multiple times to load multiple configurations. If the path is a directory, all files which end in .hcl or .json are loaded.
(string: "info")- Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "err". This can also be specified via the VAULT_LOG_LEVEL environment variable.
(string: "standard")- Log format. Supported values are "standard" and "json". This can also be specified via the VAULT_LOG_FORMAT environment variable.
(bool: false)- (environment variable) Allow Vault to be started with builtin engines which have the
Pending Removaldeprecation state. This is a temporary stopgap in place in order to perform an upgrade and disable these engines. Once these engines are marked
Removed(in the next major release of Vault), the environment variable will no longer work and a downgrade must be performed in order to remove the offending engines. For more information, see the deprecation faq.
(bool: false)- Enable development mode. In this mode, Vault runs in-memory and starts unsealed. As the name implies, do not run "dev" mode in production.
(bool: false)- Enable TLS development mode. In this mode, Vault runs in-memory and starts unsealed with a generated TLS CA, certificate and key. As the name implies, do not run "dev" mode in production.
(string: "")- Directory where generated TLS files are created if
-dev-tlsis specified. If left unset, files are generated in a temporary directory.
(string: "127.0.0.1:8200")- Address to bind to in "dev" mode. This can also be specified via the
(string: "")- Initial root token. This only applies when running in "dev" mode. This can also be specified via the
Note: The token ID should not start with the
(string: "")- Do not persist the dev root token to the token helper (usually the local filesystem) for use in future requests. The token will only be displayed in the command output.
(string: "")- Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.