Configure Piiano Vault to use TLS

Learn how to configure Piiano Vault to use the Transport Layer Security (TLS) cryptographic protocol to protect data in motion

note

If you're using the hosted version of Vault, TLS is implemented by default.

To configure Dev edition or the Server edition to use TLS (and listen as HTTPS), use one of these options:

1. Set the environment variable PVAULT_TLS_ENABLE to 1, set PVAULT_TLS_CERT_FILE to the TLS certificate location, and PVAULT_TLS_KEY_FILE to the private key location. For example, if running Vault Dev, add these flags to the docker run command:

   -v $(pwd):/certs -e \
   -e PVAULT_TLS_ENABLE=1 \
   -e PVAULT_TLS_CERT_FILE=/certs/pvault.crt \
   -e PVAULT_TLS_KEY_FILE=/certs/pvault.key \
   tip

   You can generate the key and self-signed certificate files with this command:

   openssl req -newkey rsa:2048 -keyout pvault.key -x509 -days 365 -out pvault.crt -subj "/CN=localhost/O=Piiano"

2. Set the environment variable PVAULT_TLS_SELFSIGNED to true to instruct Vault to generate and use a self-signed certificate that is valid for 1 year. The default toolchains do not trust this certificate. To accept the certificate, configure the client to allow insecure connections (for example, by running curl -k when using cURL).