Manually install a Vault binary

Install Vault using a compiled binary.

Before you start

You must have a valid Vault binary. You can download and unzip a precompiled binary or build a local instance of Vault from source code.

Step 1: Configure the environment

Set the VAULT_DATA environment variable to your preferred Vault data directory. For example, /opt/vault/data:
```
export VAULT_DATA=/opt/vault/data
```
Set the VAULT_CONFIG environment variable to your preferred Vault configuration directory. For example, /etc/vault.d:
```
export VAULT_CONFIG=/etc/vault.d
```

Move the Vault binary to /usr/bin:

$ sudo mv PATH/TO/VAULT/BINARY /usr/bin/

Ensure the Vault binary can use mlock() to run as a non-root user:
```
$ sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
```
See the support article Vault and mlock() for more information.
Create your Vault data directory:
```
 $ sudo mkdir -p ${VAULT_DATA}
```
Create your Vault configuration directory:
```
$ sudo mkdir -p ${VAULT_CONFIG}
```

Best practice

We recommend storing Vault data and Vault logs on different volumes than the operating system.

Run Powershell as Administrator.
Set a VAULT_HOME environment variable to your preferred Vault home directory. For example, c:\Program Files\Vault:
```
$env:VAULT_HOME = "${env:ProgramFiles}\Vault"
```

Create the Vault home directory:

New-Item -ItemType Directory -Path "${env:VAULT_HOME}"

Create the Vault data directory. For example, c:\Program Files\Vault\Data:
```
New-Item -ItemType Directory -Path "${env:VAULT_HOME}/Data"
```
Create the Vault configuration directory. For example, c:\Program Files\Vault\Config:
```
New-Item -ItemType Directory -Path "${env:VAULT_HOME}/Config"
```
Create the Vault logs directory. For example, c:\Program Files\Vault\Logs:
```
New-Item -ItemType Directory -Path "${env:VAULT_HOME}/Logs"
```

Move the Vault binary to your Vault directory:

Move-Item                      `
  -Path <PATH/TO/VAULT/BINARY> `
  -Destination ${env:VAULT_HOME}\vault.exe

Add the Vault home directory to the system Path variable.

Step 2: Configure user permissions

Create a system user called vault to run Vault when your Vault data directory as home and nologin as the shell:
```
$ sudo useradd --system --home ${VAULT_DATA} --shell /sbin/nologin vault
```
Change directory ownership of your data directory to the vault user:
```
$ sudo chown vault:vault ${VAULT_DATA}
```
Grant the vault user full permission on the data directory, search permission for the group, and deny access to others:
```
$ sudo chmod -R 750 ${VAULT_DATA}
```

Create an access rule to grant the Local System user access to the Vault directory and related files:

$SystemAccessRule = 
  New-Object System.Security.AccessControl.FileSystemAccessRule(
    "SYSTEM",
    "FullControl",
    "ContainerInherit,Objectinherit",
    "none",
    "Allow"
  )

Create an access rule to grant yourself access to the Vault directory and related files so you can test your Vault installation:
```
$myUsername = Get-CimInstance -Class Win32_Computersystem |    `
              Select-Object UserName | foreach {$_.UserName} ; `
$AdminAccessRule =
  New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$myUsername",
    "FullControl",
    "ContainerInherit,Objectinherit",
    "none",
    "Allow"
  )
```
Create additional access rules for human users if needed
If you expect other accounts to start and run the Vault server, you must create and apply access rules for those users as well. While users can run the Vault CLI without explicit access, if they try to start the Vault server, the process will fail with a permission denied error.

Update permissions on the env:VAULT_HOME directory:

$ACLObject = Get-ACL ${env:VAULT_HOME} ;       `
$ACLObject.AddAccessRule($AdminAccessRule) ;   `
$ACLObject.AddAccessRule($SystemAccessRule) ;  `
Set-Acl ${env:VAULT_HOME} $ACLObject

Step 3: Create a basic configuration file

Create a basic Vault configuration file for testing and development.

Always enable TLS for production

The sample configuration below disables TLS for simplicity and is not appropriate for production use. Refer to the configuration documentation for a full list of supported parameters.

Create a file called vault.hcl under your configuration directory:

 $ sudo tee ${VAULT_CONFIG}/vault.hcl <<EOF
 ui            = true
 cluster_addr  = "http://127.0.0.1:8201"
 api_addr      = "https://127.0.0.1:8200"
 disable_mlock = true

 storage "raft" {
   path    = "${VAULT_DATA}"
   node_id = "127.0.0.1"
 }

 listener "tcp" {
   address       = "0.0.0.0:8200"
   cluster_address = "0.0.0.0:8201"
   tls_disable = 1
 }
 EOF

Change ownership and permissions on the Vault configuration file.

$ sudo chown vault:vault "${VAULT_CONFIG}/vault.hcl" && \
  sudo chmod 640 "${VAULT_CONFIG}/vault.hcl"

Create a file called vault.hcl under your configuration directory:

@"
ui            = true
cluster_addr  = "http://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path    = "$(${env:VAULT_HOME}.Replace('\','\\'))\\Data"
  node_id = "127.0.0.1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = 1
}
"@ | Out-File -FilePath ${env:VAULT_HOME}/Config/vault.hcl -Encoding ascii

The double backslashes (\\) are not an error

You must escape the Windows path character in your Vault configuration file or the Vault server will fail with an error claiming the file contains invalid characters.

Step 4: Verify your installation

To confirm your Vault installation, use the help option with the Vault CLI to confirm the CLI is accessible and bring up the server in development mode to confirm you can run the binary.

Bring up the help menu in the Vault CLI:
```
$ vault -h
```
Use the Vault CLI to bring up a Vault server in development mode:
```
$ vault server -dev -config ${VAULT_CONFIG}/vault.hcl
```

Start a new Powershell session without Administrator permission.
Bring up the help menu in the Vault CLI:
```
vault -h
```
Use the Vault CLI to bring up a Vault server in development mode:
```
vault server -dev -config ${env:VAULT_HOME}\Config\vault.hcl
```

The following tutorials provide additional guidance for installing Vault and production cluster deployment: