# Working with the Vault

## Usage of the Vault

The Vault is used to **store and retrieve** the private keys that sign the verifiable credentials.

## Dependent service

The following service depends on the vault:

* Identity Service - [Identity Service APIs](/api-reference/credentialling-apis/identity-service-apis.md)

## Setting up the Vault Manually

Follow the steps below to set up the vault manually.

### Initialising the vault

* This is a one-time process.
* Run the command `vault operator init` inside the vault container.
* The response contains the unseal keys and a root token, which need to be stored safely.

### Unsealing the vault

* The vault must be unsealed whenever it is restarted or recreated with the same volume or data.
* Use the command `vault operator unseal` to unseal the vault.
* It should ask for an unseal key.
* The key should be one of those generated in the [#initialising-the-vault](#initialising-the-vault "mention") step.
* Run the unseal command with 3 different keys to unseal the vault.
* After unsealing the vault, the container should show `healthy` status.

### Enable a key-value path kv

* To enable a key-value path `kv` of type `kv-v2`, follow the steps below.
* Log in to the vault using the root token generated in the [#initialising-the-vault](#initialising-the-vault "mention") step.
* To log in, run `vault login` inside the vault container, then run:
* `vault secrets enable -path=kv kv-v2`

### Use the root token for identity service to work

Provide the root token value to the identity service through its environment variable `VAULT_TOKEN`.

## Setting up the vault using the script

All of the above steps are combined into a bash script [here](https://github.com/Sunbird-RC/sunbird-rc-core/blob/main/setup_vault.sh). Run the command below to set up the vault, or check the script if you require docker-compose specific commands:

```bash
bash setup_vault.sh docker-compose.yml vault
```

If you are using the [sunbird-rc-core](https://github.com/Sunbird-RC/sunbird-rc-core) repository, you can also use `make compose-init` to run the above command.

## Setting up the Vault in production

The guide for setting up the vault in production can be found [here](https://github.com/Sunbird-RC/devops/blob/main/deploy-as-code/helm/v2/registryAndCredentialling/README.md#chart-version--0240-and-vault-image-hashicorpvault1131).

## Troubleshoot

If the vault container is showing unhealthy:

* Check if the vault is initialised.
* Check if the vault is unsealed.
* Check if the path of type `kv-v2` is created at `kv`.

If the vault is showing `healthy`, there shouldn't be any issue with the vault. If identity-service is showing unhealthy or reporting an error related to the vault, confirm that the vault token is set: [#use-the-root-token-for-identity-service-to-work](#use-the-root-token-for-identity-service-to-work "mention")
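
The first two checks above can be scripted. The following is an added example, not part of the Sunbird RC repository or its `setup_vault.sh`: it reads the JSON printed by `vault status -format=json` and reports which manual step is still pending. The function names are hypothetical and the sample status document is constructed.

```bash
#!/usr/bin/env bash
# Added example, not the project's setup_vault.sh. Function names are
# hypothetical; the status document below is a constructed sample.

# Extract a boolean or numeric field from a flat JSON document.
json_field() {  # usage: json_field <name> <json>
  printf '%s' "$2" | tr -d ' \n\t' | grep -o "\"$1\":[a-z0-9]*" |
    head -n 1 | cut -d: -f2
}

# Report which setup step from this page is still pending.
# Live use, inside the vault container (vault status exits 2 while sealed):
#   vault_next_step "$(vault status -format=json)"
vault_next_step() {
  initialized=$(json_field initialized "$1")
  sealed=$(json_field sealed "$1")
  threshold=$(json_field t "$1")        # unseal keys required
  progress=$(json_field progress "$1")  # unseal keys already supplied

  if [ -z "$initialized" ] || [ -z "$sealed" ]; then
    echo "error: input is not vault status JSON" >&2
    return 1
  fi
  if [ "$initialized" != "true" ]; then
    echo "init: run 'vault operator init' and store the keys and root token"
  elif [ "$sealed" = "true" ]; then
    echo "unseal: $(( ${threshold:-0} - ${progress:-0} )) more unseal key(s) needed"
  else
    echo "ready: next confirm the kv path and VAULT_TOKEN"
  fi
}

# Constructed sample: initialised vault, one of three unseal keys entered.
SAMPLE_SEALED='{
  "type": "shamir",
  "initialized": true,
  "sealed": true,
  "t": 3,
  "n": 5,
  "progress": 1
}'
vault_next_step "$SAMPLE_SEALED"
```

A `ready` result covers only the first two checks; the `kv` path and the `VAULT_TOKEN` value still need to be confirmed separately.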

