How to Set Up Vault for Secrets Management
Vault provides centralized secrets management, allowing your Breeze applications to securely access API keys, database credentials, and certificates without hardcoding them.
Installation
Download and install Vault:
curl -fsSL https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip -o vault.zip
unzip vault.zip
sudo mv vault /usr/local/bin/
vault --version
Server Configuration
Create /etc/vault.d/vault.hcl:
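storage "file" {
  path = "/opt/vault/data"
}
# TLS is disabled here, so the listener is bound to loopback only.
# Enable TLS before binding it to any other address.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
api_addr = "http://127.0.0.1:8200"
ui = true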
Initialize and Unseal
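sudo mkdir -p /opt/vault/data
# The server below runs as the current user, which must be able to write to the storage path
sudo chown "$(id -un)" /opt/vault/data
vault server -config=/etc/vault.d/vault.hcl &
export VAULT_ADDR='http://127.0.0.1:8200'
# Prints the 3 unseal keys and the initial root token; record them securely
vault operator init -key-shares=3 -key-threshold=2
vault operator unseal # run twice, entering a different unseal key each time (2 of 3)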
Storing and Retrieving Secrets
vault login <root_token>
vault secrets enable -path=myapp kv-v2
vault kv put myapp/db username="dbuser" password="securepass"
vault kv get myapp/db
Application Integration
- Use AppRole auth for machine-to-machine access
- Set short TTLs on dynamic secrets
- Enable audit logging:
vault audit enable file file_path=/var/log/vault-audit.log
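Once the audit device above is enabled, its log can be reviewed for two things the integration advice is meant to prevent: root-token reads of application secrets and denied requests. The Python below is an added example, not part of the original guide; the sample entries are constructed and trimmed to a few fields of the file audit device's JSON-lines output, and the policy name myapp-read is hypothetical.

```python
import json

# Constructed sample entries in the JSON-lines shape of Vault's file audit
# device, trimmed to the fields used below. "myapp-read" is a hypothetical policy.
SAMPLE_LOG = r"""
{"time":"2024-01-10T09:00:01Z","type":"request","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"myapp/data/db","remote_address":"127.0.0.1"}}
{"time":"2024-01-10T09:00:01Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"myapp/data/db","remote_address":"127.0.0.1"}}
{"time":"2024-01-10T09:05:12Z","type":"response","auth":{"display_name":"approle","policies":["default","myapp-read"]},"request":{"operation":"read","path":"myapp/data/db","remote_address":"127.0.0.1"}}
{"time":"2024-01-10T09:07:40Z","type":"response","auth":{"display_name":"approle","policies":["default","myapp-read"]},"request":{"operation":"update","path":"myapp/data/db","remote_address":"127.0.0.1"},"error":"permission denied"}
{"time":"2024-01-10T09:08:
"""


def review(lines, mount="myapp/"):
    """Return (time, reason, operation, path) tuples for entries worth a look."""
    findings = []
    for number, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            # A half-written or corrupted line is itself worth reporting.
            findings.append((None, f"unparseable line {number}", None, None))
            continue
        if entry.get("type") != "response":
            continue  # each call is logged as request and response; count it once
        auth = entry.get("auth") or {}
        req = entry.get("request") or {}
        path = req.get("path", "")
        if "permission denied" in (entry.get("error") or ""):
            reason = "permission denied"
        elif "root" in (auth.get("policies") or []) and path.startswith(mount):
            reason = "root token used on application secrets"
        else:
            continue  # ordinary AppRole read: nothing to flag
        findings.append((entry.get("time"), reason, req.get("operation"), path))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

To run it against the real log, pass the open file object for /var/log/vault-audit.log to review() instead of the sample lines.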
Vault eliminates secret sprawl and provides full audit trails for sensitive data on your Breeze.