You can configure Vault to run as a Windows service using either the standard Windows SC tool (sc.exe) or the third-party, community-developed NSSM tool.
This guide will focus on providing an example of Vault service creation using NSSM in both GUI and command line modes.
All examples in this guide use the cmd.exe interpreter.
The example values used in this guide are detailed as follows.
Example Vault Configuration
This guide uses a minimal Vault configuration with the filesystem storage backend, because configuring this backend requires a file path value whose handling needs some clarification.
Here is the example:
storage "file" {
  path = "/vault/data"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
- Filesystem based storage backend
  - You must use a Unix style path for the value of path; Vault will use the correct Windows path based on the provided path. For our example configuration, Vault data files will be written to C:\vault\data.
- Listening on all available network interfaces on the default port TCP/8200
- No TLS enabled
NOTE: This is a simple example and not intended to be used as guidance for a production configuration.
Paths and Environment Variables
The examples in this guide presume the following to be true:
- Vault data will be stored at C:\vault\data
- Vault configuration will be located at C:\vault\config
- The VAULT_ADDR environment variable has been set as a user-level Windows environment variable with a value of http://localhost:8200
Please review these values carefully and set them where necessary; be sure to use your own values where appropriate.
NOTE: For certain uses, paths must be specified as Unix style paths and cannot be Windows style paths. These examples are specifically called out where necessary in the relevant sections of this guide.
NSSM
NSSM offers a simple UI for building the service definition, but can also be scripted or operated from the command line. Here is an example of configuring a Vault service using NSSM.
Begin by issuing the command from a command shell invoked as an Administrator user (using cmd.exe here):
C:\Windows\System32> nssm install vault
You’ll be greeted with a small GUI window for configuring the service:
Application
Here you’ll want to set the correct values for Path and Arguments and then proceed to the Details tab.
Details
Here, you’ll want to set a helpful Display Name but leave the rest of the settings at their default values.
Log on
These settings should be left at their default values.
Dependencies
These settings should be left at their default values.
Process
These settings can be left at their default values, or you could raise the priority or adjust CPU affinity depending on whether Vault is the primary system service.
Shutdown
These settings should be left at their default values.
Exit actions
These settings should be left at their default values.
I/O
These settings should be left at their default values.
File rotation
These settings should be left at their default values.
Once you’ve finished with the settings, select Install service.
The service should then be installed successfully. You can now manage the service with either nssm commands or the standard Services settings.
Here is an example of starting Vault with nssm from a cmd.exe shell:
Add Vault Service with Command Line
Here is a basic example of adding the Vault service using nssm directly from the cmd.exe shell, without using the UI. Ensure that cmd.exe is opened as an Administrator and execute a command like the following:
C:\Windows\System32> nssm install vault c:\bin\vault.exe "server -config=/vault/config/server.hcl"
The -config option should match the actual path to your Vault’s configuration file, and it must be specified as a Unix style path, not a Windows style path.
See the NSSM Managing services from the command line documentation for more options.
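The GUI walkthrough and the one-line install above, combined into a single batch file with a read-back of what was registered (including ObjectName, the account the service runs as) and a check that Vault answers after start. This is an added example, not part of the original guide; it assumes nssm.exe is on PATH, vault.exe is at C:\bin\vault.exe, the configuration file is named server.hcl, and the DisplayName value is a hypothetical choice.

```batch
@echo off
rem Added example, not from the original guide. Run from an elevated cmd.exe.
rem Assumed: nssm.exe is on PATH; paths below follow this guide's examples.
setlocal
set "SVC=vault"
set "VAULT_EXE=C:\bin\vault.exe"
rem Unix style path, as the guide requires for -config.
set "VAULT_CFG=/vault/config/server.hcl"
if not defined VAULT_ADDR set "VAULT_ADDR=http://localhost:8200"

rem Fail early if the binary or configuration file is missing.
if not exist "%VAULT_EXE%" (
    echo ERROR: %VAULT_EXE% not found 1>&2
    exit /b 1
)
if not exist "C:\vault\config\server.hcl" (
    echo ERROR: C:\vault\config\server.hcl not found 1>&2
    exit /b 1
)

rem Application tab: Path and Arguments.
nssm install %SVC% "%VAULT_EXE%" "server -config=%VAULT_CFG%"
if errorlevel 1 exit /b 1

rem Details tab: Display name (hypothetical value).
nssm set %SVC% DisplayName "HashiCorp Vault"
if errorlevel 1 exit /b 1

rem Read back the registered settings, including the logon account.
echo --- Registered settings for %SVC% ---
nssm get %SVC% Application
nssm get %SVC% AppParameters
nssm get %SVC% ObjectName

rem Start the service and give the listener a moment to come up.
nssm start %SVC%
if errorlevel 1 exit /b 1
timeout /t 3 /nobreak >nul
nssm status %SVC%

rem vault status exits 0 (unsealed), 2 (sealed) or 1 (error, e.g. no listener).
"%VAULT_EXE%" status >nul 2>&1
if %errorlevel% equ 1 (
    echo ERROR: Vault is not answering at %VAULT_ADDR% 1>&2
    exit /b 1
)
echo Vault service is running and answering at %VAULT_ADDR%
endlocal
```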