Run Vault as a service

Instead of starting your Vault server manually from the command line, you can configure a service to start Vault automatically.

Before you start

You must install Vault. You can use a package manager or install a binary manually.

Step 1: Create a new service

Example tested on Ubuntu 22.04

The following service definition is a simpler version of the vault.service example in the Vault GitHub repo: vault/.release/linux/package/usr/lib/systemd/system/vault.service

Set the VAULT_CONFIG environment variable to your Vault configuration directory. The default configuration directory is /etc/vault.d:
```
$ VAULT_CONFIG=/etc/vault.d
```
Confirm the path to your Vault binary: $ VAULT_BINARY=$(which vault)

Create a systemd service called vault.service that uses the Vault binary:

$ sudo tee /lib/systemd/system/vault.service <<EOF
[Unit]
Description="HashiCorp Vault"
Documentation="https://developer.hashicorp.com/vault/docs"
ConditionFileNotEmpty="${VAULT_CONFIG}/vault.hcl"

[Service]
User=vault
Group=vault
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=${VAULT_BINARY} server -config=${VAULT_CONFIG}/vault.hcl
ExecReload=/bin/kill --signal HUP
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
EOF

Change the permissions on /lib/systemd/system/vault.service to 644:
```
$ sudo chmod 644 /lib/systemd/system/vault.service
```

The Windows binary for Vault does not support the Windows Service Application API. To run Vault as a service, you must use a Windows service wrapper. You can use whatever wrapper is appropriate for your environment, but the easiest we have found is nssm.

Download and install nssm manually or install the package with Chocolatey:
```
choco install nssm
```
Set a VAULT_HOME environment variable to your preferred Vault home directory. For example, c:\Program Files\Vault:
```
$env:VAULT_HOME = "${env:ProgramFiles}\Vault"
```

Use nssm to create a new Windows service:

nssm install MS_VAULT "${env:VAULT_HOME}\vault.exe"

Set the working directory for your Vault installation:

nssm set MS_VAULT AppDirectory "${env:VAULT_HOME}" ; `
nssm set MS_VAULT AppParameters "server -config Config\vault.hcl"

Define the runtime parameters for Vault, including the -config flag with the relative path to your Vault configuration file, for example Config\vault.hcl:
```
nssm set MS_VAULT AppDirectory "${env:VAULT_HOME}" ; `
nssm set MS_VAULT AppParameters "server -config Config\vault.hcl"
```

Set the display name and description for the "Services" management console:

nssm set MS_VAULT DisplayName "Vault Service" ; `
nssm set MS_VAULT Description "Vault server running as a service"

Set the startup type for your service. We recommend setting startup to "Manual" until you confirm the service is working as expected:
```
nssm set MS_VAULT Start SERVICE_DEMAND_START
```

Configure the service to pipe information from stdout and stderr to files under your logging directory, for example ${env:VAULT_HOME}\Logs:

nssm set MS_VAULT AppStdout "${env:VAULT_HOME}\Logs\vault-stdout.log" ; `
nssm set MS_VAULT AppStderr "${env:VAULT_HOME}\Logs\vault-error.log"

Optionally, you can use the AppEnvironmentExtra parameter to set relevant variables for the service environment. For example, to set the VAULT_ADDR environment variable:
```
nssm set MS_VAULT AppEnvironmentExtra `$env:VAULT_ADDR=https://localhost:8200
```

Confirm your Vault service settings with nssm:

nssm dump MS_VAULT | Foreach {$_ -replace '.+nssm\.exe ',''}

Step 2: Start the new service

Reload the systemd configuration:
```
$ sudo systemctl daemon-reload
```
Start the Vault service:
```
$ sudo systemctl start vault.service
```

Verify the service status:

   $ systemctl status vault.service

   vault.service - "HashiCorp Vault"
      Loaded: loaded (/lib/systemd/system/vault.service; disabled; vendor preset: enabled)
      Active: active (running) since Thu 2024-09-05 13:58:45 UTC; 4s ago
         Docs: https://developer.hashicorp.com/vault/docs
      Main PID: 3145 (vault)
         Tasks: 8 (limit: 2241)
      Memory: 23.6M
         CPU: 200ms
      CGroup: /system.slice/vault.service
               └─3145 /usr/bin/vault server -config=/etc/vault.d/vault.hcl

Use Powershell commands or wrapper commands to manage your service

Once you create the service, you can control it using standard *-Service cmdlets or the relevant commands for the associated wrapper. For example, to control the service with nssm use nssm start MS_VAULT.

Start the Vault service::
```
Start-Service -Name MS_VAULT
```

Confirm service status:

Get-Service -Name MS_VAULT

Status   Name               DisplayName
------   ----               -----------
Running  MS_VAULT           Vault Service

Step 3: Verify the service is running

To confirm the service is running and your Vault service is available, open the Vault GUI in a browser at the default address: http://localhost:8200

The following tutorials provide additional guidance for installing Vault and production cluster deployment:

Run Vault as a service

Before you start

Step 1: Create a new service

Step 2: Start the new service

Step 3: Verify the service is running

Related tutorials