Run Vault in stateless mode
Learn how to set up and run Piiano Vault in stateless mode using a container
If you're using the hosted version of Vault, there is no set up for using stateless mode. Once you have specified your collections and IAM integration, you simply call the relevant APIs. For example, passing either fields
or encrypted
to the encrypt REST API.
Where you want to encrypt PII data stored in an existing infrastructure, you can run Vault in stateless mode to take advantage of its encryption and hashing features without the need to include and maintain a PostgreSQL database.
In stateless mode, Vault runs without a backing data store, removing the need to maintain a PostgreSQL database. Its operations are limited to those that provide encryption and hashing features. The lack of a backing store means you must provide the system, IAM, collection, and secrets configuration information for Vault in static files. Except for configuration environment variables, these configuration details cannot be updated while Vault is running.
When testing Vault in stateless mode, you can use the binary version. This option provides simplified set up, easy command line interaction, and simplifies testing in a CI or CD environment.
The container version of Vault is recommended for stateless workloads in production. The binary version is supplied mostly for testing, CI, and local development purposes. Contact us if you wish to use the binary version in production.
Register to get your license key
Install the container version
To start, install the container version of Vault. Follow the get started guide or appropriate instructions for your environment.
Create Vault configuration files
In stateless mode, Vault does not include the default IAM configuration file needed to start Vault.
Either create this file and, optionally, a system configuration file manually. Alternatively, use the binary version of Vault to re-create the default IAM and system configuration files. When preparing the IAM file, remember to add your users.
Store these files as pvault.iam.toml
, for the IAM configuration, and pvault.system.toml
, for the system configuration, in the Docker container's /etc/pvault/conf.d
directory.
Define data types, bundles, and collections,
When Vault encrypts data, it uses information about the external files defined in collection schemas. You define these collections to Vault in a file containing PVSchemas. If you also have custom data types, you can include a file to define these too.
Name your PVSchema file pvault.collections.pvschema
and, if you need it, the file containing custom data type details pvault.types.toml
. Store these files in the /etc/pvault/conf.d
directory.
Without the specification of at least one collection, Vault does not start.
Create secrets and tokens
Vault uses a number of secrets to undertake encryption and provide user access to the REST API and CLI. As Vault has no storage in stateless mode, these details must be generate and store locally.
To do this, run Vault like this, setting PVAULT_DEVMODE
appropriately depending on whether you want to run development or production mode:
docker run --rm \
--name pvault-server \
-e PVAULT_GENERATE_SECRETS=true \
-e PVAULT_BACKING_STORE=none \
-e PVAULT_DEVMODE=true \
-e PVAULT_SERVICE_LICENSE={LICENSE_KEY} \
-v $(pwd)/pvault-conf:/etc/pvault/conf.d \
piiano/pvault-server:1.14.0
Vault starts and generates secrets and user tokens.
In development mode, the secrets are stored in a file called pvault.secrets.json
and the tokens in api_tokens.txt
in the /etc/pvault/conf.d
directory.
In production mode, the secrets are stored in a file called pvault.secrets.json
in the /etc/pvault/conf.d
directory and the tokens are output to stdout
.
Do not edit the pvault.secrets.json
file. Altering the secret values could prevent Vault from starting or mean Vault cannot decrypt data.
In development mode Vault continues running after generation, whereas, in production mode, Vault shuts down after completing generation.
Vault is now available to execute any of the crypto REST API operations or CLI commands. You can also perform read operations in the control side, and set and clear configuration variables for the session.
For testing purposes, you might find it more convenient to use the binary version of Vault.
Starting Vault in stateless mode
You start Vault in stateless mode like this, setting PVAULT_DEVMODE
appropriately depending on whether you want to run development or production mode:
docker run --rm \
--name pvault-server \
-e PVAULT_BACKING_STORE=none \
-e PVAULT_DEVMODE=true \
-e PVAULT_SERVICE_LICENSE={LICENSE_KEY} \
-v :/etc/pvault/conf.d \
piiano/pvault-server:1.14.0
Updating configuration details
Add users
If you need to add users, update the pvault.iam.toml
file with the new user details and run Vault with the -e
flag set to PVAULT_GENERATE_SECRETS=true
. Vault updates the secrets file with a hash of the users' tokens and outputs the users' tokens to file or stdout
depending on the edition.
If you misplace a user's token, the recommended approach to obtaining a new token is to:
- remove the user details from the
pvault.iam.toml
file. - run Vault with the
-e
flag set toPVAULT_GENERATE_SECRETS=true
(which removes the hash of the user's token from the secrets file and, for developement mode, the user from the tokens file). - add the user's details back to the
pvault.iam.toml
file. - run Vault with the
-e
flag set toPVAULT_GENERATE_SECRETS=true
to update the secrets file and user tokens.
Add or updating collections
If you need to add or update collections, update the PVSchema file with the new or updated collection details and run Vault with the -e
flag set to PVAULT_GENERATE_SECRETS=true
. Vault updates the secrets file with secrets relevant to the collections.