Set unseal keys on dev mode

Hi guys!

I want to know if we can set the unseal keys in dev mode for Vault. The reason is that we’re using Vault locally to run some local tests. We create a container in dev mode, but when the container is stopped or killed the unseal key changes, and all of the passwords that we store in the database can no longer be decrypted. That means we need to clean the database and create new users to start using the application again.

Let me know how I can work locally with Vault while avoiding those extra steps. Thanks guys!

You can’t set the key (you can set the root token), but I’ve done this in setup scripts/tests:

# start a dev server in the background and keep its start-up output in nohup.out
$ nohup vault server -dev &
appending output to nohup.out
# the dev server prints "Unseal Key: ..." (and "Root Token: ...") once at start-up;
# pull the key out of the log instead of copying it by hand
$ UNSEAL_KEY=$(grep "Unseal Key:" nohup.out | awk -F': ' '{print $2}')
$ echo $UNSEAL_KEY
ABCDEll/nc/ruQa0LBP8lyG5YiNBcXXHH+w8h1jHnXX=

Restarting the container not only gives you a new unseal key but it also resets the data store to be blank, so there is no database to decrypt. Dev mode stores everything in memory, so a restart will wipe everything, as described at Dev Server Mode | Vault by HashiCorp

# dev-mode container: note that dev mode keeps all data in memory, so the
# mounted /vault/data volume is not used by the dev server
docker run -d -p 8200:8200 -p 8201:8201 \
  --cap-add=IPC_LOCK \
  -v $PWD/.data/vault:/vault/data \
  -v $PWD/vault/config:/vault/config \
  -e VAULT_DEV_ROOT_TOKEN_ID='00000000-0000-0000-0000-000000000000' \
  -e VAULT_DEV_LISTEN_ADDRESS='0.0.0.0:8200' \
  -e VAULT_ADDR='http://0.0.0.0:8201' \
  -e VAULT_API_ADDR='http://0.0.0.0:8200' \
  -e VAULT_LOCAL_CONFIG='{"listener": [{"tcp":{"address": "0.0.0.0:8201","tls_disable":"1"}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' \
  -e VAULT_TOKEN='00000000-0000-0000-0000-000000000000' \
  -it vault:latest \
  server -dev -dev-root-token-id="00000000-0000-0000-0000-000000000000"

This is the docker image that we used. We are setting the Vault token, but when we kill or restart the pod, the master key and the other keys change, and the existing data in the database (passwords) could be decrypted. I’m trying to be more optimal in the way that we work locally.

Thanks for your response. I’m looking for a way to avoid that behavior, since it is very noisy to have to create a new user because the passwords of the older users could be decrypted. We don’t have enough budget to run a Vault server for a development environment, so we need to use that docker image to work locally.
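As an added example that is not from any post in this thread: since dev mode keeps everything in memory (the point made in the reply above), the only way to keep the same unseal key and the same stored data across container restarts is to run the same docker image in non-dev mode with an on-disk storage backend. The script below assumes a `./vault-local` directory, a container named `vault-local`, and the `file` storage backend with a single unseal key share (acceptable only for a laptop test setup); it also shows a small parser for the `vault operator init` / dev-server output that replaces the `grep ... nohup.out` step from the earlier answer.

```shell
#!/bin/sh
# Added example, not code from the thread: a local Vault that keeps its data
# across container restarts. It runs the same docker image in non-dev mode
# with "file" storage, so the unseal key produced once by `vault operator init`
# keeps working after a restart. Directory layout, container name, and the
# one-share unseal are assumptions for a local test setup.

# Write a non-dev server config. "file" storage persists the encrypted
# barrier under the mounted /vault/data directory; TLS is off because the
# listener is only reached from localhost during local tests.
write_local_config() {
  dir="$1"
  mkdir -p "$dir/config" "$dir/data"
  cat > "$dir/config/local.hcl" <<'EOF'
storage "file" {
  path = "/vault/data"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}
ui = true
EOF
  echo "$dir/config/local.hcl"
}

# Turn `vault operator init` (or dev-server) output into KEY=VALUE lines.
# Init output has "Unseal Key 1: <base64>" and "Initial Root Token: <token>";
# the dev server prints "Unseal Key: ..." and "Root Token: ...", which match
# the same patterns.
parse_init_output() {
  awk -F': ' '
    /^Unseal Key/ { n++; printf "VAULT_UNSEAL_KEY_%d=%s\n", n, $2 }
    /Root Token:/ { printf "VAULT_ROOT_TOKEN=%s\n", $2 }
  ' "$1"
}

# Unseal an already-initialised server using the saved key, e.g. after
# `docker restart vault-local`. Returns non-zero if the key file is missing
# or holds no key, without calling docker at all.
unseal_from_env() {
  env_file="$1"
  [ -f "$env_file" ] || return 1
  . "$env_file"
  [ -n "${VAULT_UNSEAL_KEY_1:-}" ] || return 1
  docker exec -e VAULT_ADDR=http://127.0.0.1:8200 vault-local \
    vault operator unseal "$VAULT_UNSEAL_KEY_1" >/dev/null
}

# Usage (assumed layout): ./vault-local.sh init ./vault-local
#                         ./vault-local.sh unseal ./vault-local
case "${1:-}" in
  init)
    base="${2:-./vault-local}"
    write_local_config "$base" >/dev/null
    abs="$(cd "$base" && pwd)"
    docker run -d --name vault-local -p 8200:8200 --cap-add=IPC_LOCK \
      -v "$abs/data:/vault/data" \
      -v "$abs/config:/vault/config" \
      vault:latest server
    sleep 3
    # One key share with threshold one is only acceptable for local testing.
    docker exec -e VAULT_ADDR=http://127.0.0.1:8200 vault-local \
      vault operator init -key-shares=1 -key-threshold=1 > "$base/init.txt"
    parse_init_output "$base/init.txt" > "$base/.env"
    chmod 600 "$base/.env" "$base/init.txt"
    unseal_from_env "$base/.env"
    ;;
  unseal)
    unseal_from_env "${2:-./vault-local}/.env"
    ;;
esac
```

After `init`, the root token in `.env` plays the role of the fixed `VAULT_DEV_ROOT_TOKEN_ID` from the docker command above, and `unseal` is the only extra step needed after a container restart; the data under `./vault-local/data` is what lets previously stored secrets stay decryptable.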