Package Details: vault 0.8.3-1

Git Clone URL: (read-only)
Package Base: vault
Description: A tool for managing secrets
Upstream URL:
Keywords: daemon secret storage
Licenses: MPL
Conflicts: vault-git
Submitter: None
Maintainer: aperez
Last Packager: aperez
Votes: 9
Popularity: 0.987789
First Submitted: 2012-01-30 10:44
Last Updated: 2017-09-19 17:17

Latest Comments

bastelfreak commented on 2017-11-23 22:55

Hi, this is my working PKGBUILD:

# contributor: Tim Meusel <>
pkgdesc='A tool for managing secrets'
arch=('i686' 'x86_64')
makedepends=('gox' 'go')

prepare () {
    if [[ ! -r ${_srcpath} ]] ; then
        mkdir -p "$(dirname "${_srcpath}")"
        ln -s "$(pwd)/${pkgname}-${pkgver}" "${_srcpath}"
    fi
}

build () {
    export GOPATH="${srcdir}:$(pwd)"
    cd "${_srcpath}"
    go generate $(go list ./... | grep -v vendor)
    gox -verbose -osarch="$(go env GOOS)/$(go env GOARCH)" -output=_build/vault .
}

package () {
    cd "${pkgname}-${pkgver}"
    install -Dm755 _build/vault "${pkgdir}/usr/bin/vault"
    install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
    install -Dm644 "${srcdir}/vault.hcl" "${pkgdir}/etc/vault.hcl"
    install -Dm644 "${srcdir}/vault.service" \
    for file in ; do
        install -Dm644 "${file}" "${pkgdir}/usr/share/doc/${pkgname}/${file}"
    done
}

ainola commented on 2017-09-15 16:51

It might be worth adding in the config's comments that in order to actually connect to a cert-less vault instance, one must export VAULT_ADDR= Otherwise the vault client will default to an https connection and the following error will occur:

Get http: server gave HTTP response to HTTPS client.

Thanks for maintaining this package. :)

aperez commented on 2017-04-18 08:56

@BombStrike: The “setcap” invocation is always done in the “vault.install” script. It seems more appropriate to do it only once as a post-installation action than every time the service gets started. Also, using the post-install script the “setcap” is effective also for people launching the daemon without using systemd.

BombStrike commented on 2017-04-18 02:09

Hi, another suggestion would also be to add the following lines to the [Service] block in the service file:

ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/bin/vault

This will allow vault to call mlock and prevent it from ever writing to any memory space that might be stored on disk (like swap).
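
Both approaches discussed above (setcap in the post-install script, or an ExecStartPre line in the unit) aim at a Vault process that holds CAP_IPC_LOCK so that mlock works. The following is an added example, not part of the package or of any comment: it reads a /proc/<pid>/status file and reports whether that capability is effective and how much memory is locked. The function names and the sample-file helper are made up for the illustration.

```shell
#!/bin/sh
# Added example, not part of the package or its install script.
# Reads a /proc/<pid>/status file and reports whether the process holds
# CAP_IPC_LOCK in its effective set and how much memory it has locked.

CAP_IPC_LOCK_BIT=14   # CAP_IPC_LOCK in <linux/capability.h>

# ipc_lock_state STATUS_FILE
# Prints "cap_ipc_lock=<yes|no> locked_kb=<n>".
# Returns 0 if the capability is effective, 1 if not, 2 on unusable input.
ipc_lock_state() {
    [ -r "$1" ] || return 2
    cap_eff="" locked_kb=0
    # "|| [ -n "$key" ]" keeps a final line that has no trailing newline.
    while read -r key val rest || [ -n "$key" ]; do
        case $key in
            CapEff:) cap_eff=$val ;;     # hex bitmask of effective caps
            VmLck:)  locked_kb=$val ;;   # locked memory, in kB
        esac
    done < "$1"
    # CapEff must be a hexadecimal bitmask; reject anything else.
    case $cap_eff in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    if [ $(( (0x$cap_eff >> $CAP_IPC_LOCK_BIT) & 1 )) -eq 1 ]; then
        echo "cap_ipc_lock=yes locked_kb=$locked_kb"
        return 0
    fi
    echo "cap_ipc_lock=no locked_kb=$locked_kb"
    return 1
}

# write_sample STATUS_FILE CAPEFF VMLCK_KB
# Writes a constructed excerpt of a status file for trying the check offline.
write_sample() {
    printf 'Name:\tvault\nVmLck:\t%8s kB\nCapEff:\t%s\n' "$3" "$2" > "$1"
}

# Usage: sh check.sh <pid of the vault server>
if [ $# -gt 0 ]; then
    ipc_lock_state "/proc/$1/status"
fi
```

A process can also lock memory without the capability as long as it stays within its RLIMIT_MEMLOCK limit, which is why the locked size is reported alongside the capability bit.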


aperez commented on 2017-04-17 13:31

@leothrix: Thanks again for suggesting improvements! Version 0.7.0-3 includes the change to have SIGHUP sent to Vault on reload.

leothrix commented on 2017-04-16 02:00

Hey, I've got another one for you! Per the Vault documentation:

The vault daemon supports reloading tls certificates and keys by acknowledging HUP signals. Thus the following [Service] stanza would be really useful for the packaged systemd unit:

ExecReload=/usr/bin/kill --signal HUP $MAINPID

(I think that's right, not sure whether to use /bin/kill for example.)

aperez commented on 2017-03-23 16:11

@leothrix: That makes total sense, I have just updated the package, and starting from version 0.7.0-2 the PKGBUILD has “backup=('etc/vault.hcl')”, which prevents the configuration file from being overwritten on package upgrades. Thanks for the suggestion!

leothrix commented on 2017-03-22 18:59

Could we get the vault.hcl config file marked to be backed up in the PKGBUILD? It overwrites my configuration on every upgrade, which is... less than ideal.

xiong.chiamiov commented on 2016-06-17 18:32

FYI there is now a low-traffic announce list:!forum/hashicorp-announce

aperez commented on 2015-10-22 10:08

@ainola: Good point. Somehow I was thinking that “godep” itself would have a depends on “go”, but it has a makedepends only. I have added the “go” dependency as suggested and pushed the changes. Thanks for the report!
