Starting the Vault Server in Development Mode
Vault follows a client-server architecture. The Vault server has exclusive access to storage and secrets. All client requests go through the Vault server's API. Vault client requests can be sent to the Vault server's API using HTTP or the Vault command-line client, which is a wrapper around HTTP requests. The Vault server includes a development mode that performs several initialization steps to let you start working with Vault immediately. Development mode is not suitable for production because it does not provide the highest levels of security. However, it is sufficient for the purpose of the Lab, which is not focused on bootstrapping Vault servers.
In this Lab Step, you will start a Vault server in development mode and perform a few commands to verify its functionality.
1. Enter the following command to start a Vault server in development mode using default configuration values:
vault server -dev
The output begins by stating several configuration properties. In development mode, the server listens over tcp with tls disabled. TLS encrypts the secrets in transit and should always be enabled in production. The development server is also using in-memory (inmem) storage, which would usually be replaced by a more durable storage option.
The yellow WARNING! explains that you are running in dev mode. The server is unsealed, meaning it has constructed the master key needed for encryption operations, and the root token is already authenticated to the CLI, meaning you can perform any operation using the CLI.
2. Open a new terminal by clicking the + tab to the right of the current terminal tab, and clicking New Terminal:
The Vault server is running in the foreground in the original tab. You can leave the Vault server's tab alone, and check its output stream at any point to view any server information messages.
3. Enter the following to set the Vault server address environment variable for the Vault CLI:
export VAULT_ADDR='http://127.0.0.1:8200'
This command is provided in the Vault server's output. Even though the default host and port (127.0.0.1:8200) are being used, the CLI defaults to using HTTPS instead of HTTP. Because TLS is disabled, you need to specify http:// as the protocol.
4. Check the status of the Vault server using the Vault CLI client:
vault status
You can confirm that the server is unsealed (Sealed is false).
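The checks in steps 3 and 4 can also be scripted. The following is an added example, not part of the original lab: it reads VAULT_ADDR and the output of vault status and flags the two development-mode traits described above (TLS disabled, inmem storage). The sample status text is constructed, and the function names and finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag development-mode traits before trusting a Vault server.

# Constructed sample of `vault status` output from a dev-mode server.
SAMPLE_STATUS='Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Storage Type    inmem
HA Enabled      false'

# status_field <status-text> <key>: print the value column for one key.
status_field() {
  printf '%s\n' "$1" |
    awk -v key="$2" 'index($0, key " ") == 1 { print $NF; exit }'
}

# dev_mode_findings <vault-addr> <status-text>: print one line per trait
# the lab describes as unsuitable for production; print nothing if clean.
dev_mode_findings() {
  case "$1" in
    http://*)
      echo "plaintext-http: TLS is disabled, secrets are not encrypted in transit" ;;
  esac
  if [ "$(status_field "$2" "Storage Type")" = "inmem" ]; then
    echo "inmem-storage: storage is in-memory rather than a durable backend"
  fi
}

# Run against the constructed sample. For a live server, use:
#   dev_mode_findings "$VAULT_ADDR" "$(vault status)"
echo "Sealed: $(status_field "$SAMPLE_STATUS" "Sealed")"
dev_mode_findings "http://127.0.0.1:8200" "$SAMPLE_STATUS"
```

Empty output from dev_mode_findings means neither trait was detected, so the function can gate a deployment script that must never point at a development server.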
In this Lab Step, you started a Vault server in development mode and learned when it is acceptable to use development mode. You also used the Vault CLI client to connect to the Vault server and confirm that it is running and ready to use.