Start a local Vault dev server, talk to it with the CLI, and store and read your first secret — the hands-on foundation, with no cloud and no production setup to wrestle.
Why: HashiCorp Vault is a dedicated server for secrets — it stores them encrypted, controls who can read each one, audits every access, and can generate short-lived credentials on demand. Note: this is NOT the same as "Ansible Vault", which only encrypts files. They share a name and nothing else. This course is about HashiCorp Vault, the secrets server.
app / human / CI ──authenticate──▶ Vault ──▶ encrypted storage
                 ◀──token + secret──     ──▶ audit log (who read what)
                                         ──▶ can MINT short-lived creds
(HashiCorp Vault = a secrets server. Ansible Vault = file encryption. Different.)
Why: Vault in production is sealed, clustered, and backed by storage — too much to set up while learning. The dev server runs entirely in memory, starts unsealed, and prints a root token. It is wiped when you stop it, so it is perfect for practice. Note: never use -dev for anything real.
Start an in-memory dev server (leave this running in one terminal)
vault server -dev
It prints two things you need — copy them:
Unseal Key: ... (dev mode auto-unseals; ignore)
Root Token: hvs.... (you'll log in with this)
Why: the CLI talks to Vault over HTTP, so it needs to know the address. In a SECOND terminal, set VAULT_ADDR to the dev server, then vault status confirms the connection. "Sealed: false" means it is ready — the dev server unseals itself automatically.
In a new terminal: tell the CLI where Vault is
export VAULT_ADDR='http://127.0.0.1:8200'
Confirm it's up and unsealed
vault status
Why: every request to Vault carries a token that says who you are and what you may do. For now, log in with the root token the dev server printed (root can do anything — fine for learning, never for production). Real auth methods come in a later lesson.
Authenticate with the root token from the dev server output
vault login hvs.YOURTOKENHERE
Confirm who you are
vault token lookup
Why: the simplest thing Vault does is store key-value secrets. The dev server pre-mounts a KV store at secret/. Write a few keys to a path, then read them back. This is the core loop; the next lesson goes deep on the KV engine.
Store a secret at secret/myapp with two keys
vault kv put secret/myapp username=admin password=s3cr3t
Read it back
vault kv get secret/myapp
Read just one field (handy for scripts)
vault kv get -field=password secret/myapp
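
The same write/read loop as a guarded script, added here as an example (not code from the original lesson). It goes slightly beyond the steps above: it refuses to run unless VAULT_ADDR is a loopback dev address, uses the exit code of vault status (0 unsealed, 2 sealed, 1 error), and passes the password on stdin with password=- instead of on the command line. The function names and the exit code 3 are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): guarded version of the
# write/read loop. Function names and exit code 3 are this example's own.

# Succeed only for plain-HTTP loopback host:port, the only kind of address
# where a dev-mode root token should ever be presented.
is_local_dev_addr() {
  local rest host port
  case "$1" in http://*) rest=${1#http://} ;; *) return 1 ;; esac
  rest=${rest%/}                       # tolerate one trailing slash
  host=${rest%%:*}
  port=${rest#*:}
  [ "$host" != "$rest" ] || return 1   # no ":port" present
  case "$port" in ''|*[!0-9]*) return 1 ;; esac   # rejects 8200@other.host
  [ "$host" = "127.0.0.1" ] || [ "$host" = "localhost" ]
}

# Store the password read from stdin at <path>, then print it back.
# Returns 3 if VAULT_ADDR is not local, or the `vault status` exit code
# (2 = sealed, 1 = error) if the server is not ready.
dev_smoke_test() {
  local path=${1:-secret/myapp} rc=0
  if ! is_local_dev_addr "${VAULT_ADDR:-}"; then
    echo "refusing: VAULT_ADDR is not a local dev address" >&2
    return 3
  fi
  vault status >/dev/null 2>&1 || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "vault not ready (status exit code $rc)" >&2
    return "$rc"
  fi
  # password=- makes the CLI read the value from stdin, so the secret never
  # appears in shell history or the process argument list.
  vault kv put "$path" username=admin password=- >/dev/null || return 1
  vault kv get -field=password "$path"
}

# Usage, after sourcing this file with the dev server running and logged in:
#   printf '%s' "$PW" | dev_smoke_test secret/myapp
```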