
Configure client connections to use TLS

Learn how to protect data in motion by configuring Piiano Vault to accept client connections over the Transport Layer Security (TLS) cryptographic protocol.

note

The hosted version of Vault is secured by TLS.

To configure the Dev edition or Server edition to use TLS for client connections (that is, to listen for HTTPS), either supply a certificate you generated yourself or let Vault generate one.

Self-generated certificate

Set the environment variable PVAULT_TLS_ENABLE to 1, PVAULT_TLS_CERT_FILE to the path of the TLS certificate file, and PVAULT_TLS_KEY_FILE to the path of the private key file.

For example, if running Vault Dev, add these flags to the docker run command:

-v $(pwd):/certs \
-e PVAULT_TLS_ENABLE=1 \
-e PVAULT_TLS_CERT_FILE=/certs/pvault.crt \
-e PVAULT_TLS_KEY_FILE=/certs/pvault.key \

tip

You can generate the private key and a self-signed certificate with this command (the -nodes option writes the key without a passphrase, so the server can load it unattended):

openssl req -newkey rsa:2048 -nodes -keyout pvault.key -x509 -days 365 -out pvault.crt -subj "/CN=localhost/O=Piiano"
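The self-generated flow above as an added shell example (not code from the Piiano Vault documentation): it generates the key and certificate, prints the docker run flags from this page, checks the files before Vault starts, and verifies the listener by pinning the certificate with curl --cacert rather than disabling verification. It goes one step beyond the page's openssl command by adding a subjectAltName, which current clients require for hostname checks; the image name, probe URL and demo environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Piiano Vault documentation. It wraps the steps above:
# generate key + self-signed certificate, print the docker run flags, and verify the
# listener by trusting that certificate explicitly (curl --cacert) instead of curl -k.
# Assumptions: openssl 1.1.1+ (for -addext), curl and docker are installed; the Vault
# image name and the URL to probe are supplied by the caller.
set -eu

# Generate an unencrypted RSA key and a one-year self-signed certificate.
# -nodes: no passphrase, so the server can load the key unattended.
# -addext: put the host in subjectAltName; modern clients ignore the CN for host checks.
gen_cert() {
  dir="$1"; host="${2:-localhost}"; days="${3:-365}"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -keyout "$dir/pvault.key" -out "$dir/pvault.crt" \
    -subj "/CN=$host/O=Piiano" -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/pvault.key"   # the private key is the secret; owner-only access
}

# Print the docker run flags from the page for a host directory holding both files.
vault_tls_docker_args() {
  printf '%s ' -v "$1:/certs" -e PVAULT_TLS_ENABLE=1 \
    -e PVAULT_TLS_CERT_FILE=/certs/pvault.crt -e PVAULT_TLS_KEY_FILE=/certs/pvault.key
}

# Sanity checks before starting Vault: the certificate was issued for this key, and the
# requested host appears in the certificate's SAN list.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1/pvault.crt")" = \
    "$(openssl pkey -pubout -in "$1/pvault.key")" ]
}
cert_has_san() {
  openssl x509 -noout -text -in "$1/pvault.crt" | grep -q "DNS:$2"
}

# Probe the HTTPS listener with the generated certificate as the only trust anchor;
# unlike curl -k this still fails if a different certificate is presented.
verify_listener() {
  curl --silent --show-error --fail --cacert "$1/pvault.crt" "$2"
}

# Guarded demo (assumed variables): PVAULT_TLS_DEMO=1 PVAULT_IMAGE=<image> PVAULT_URL=<url>
if [ "${PVAULT_TLS_DEMO:-}" = 1 ]; then
  gen_cert "$PWD" localhost
  cert_matches_key "$PWD" && cert_has_san "$PWD" localhost
  docker run -d $(vault_tls_docker_args "$PWD") "${PVAULT_IMAGE:?}"
  sleep 3 && verify_listener "$PWD" "${PVAULT_URL:?}"
fi
```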

Vault-generated certificate

Set the environment variable PVAULT_TLS_SELFSIGNED to true to instruct Vault to generate and use a self-signed certificate that is valid for 1 year.

note

Client toolchains do not trust this certificate by default. To accept it, configure the client to allow insecure connections (for example, run curl with -k when using cURL).