diff --git a/.kitchen.yml b/.kitchen.yml
index 3956e76..bbc52cb 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -10,6 +10,10 @@ verifier:
 provisioner:
 name: salt_solo
+ salt_install: bootstrap
+ salt_bootstrap_url: https://bootstrap.saltstack.com
+ salt_bootstrap_options: -p git -p curl stable 2016.11
+ salt_version: latest
 log_level: debug
 require_chef: false
 formula: vault
@@ -24,6 +28,8 @@ platforms:
 pid_one_command: /usr/lib/systemd/systemd
 - name: amazonlinux
 driver_config:
+ provision_command:
+ - yum install -y epel-release
 image: amazonlinux:latest
 platform: rhel
 run_command: /sbin/init
diff --git a/README.rst b/README.rst
index 7526526..7cef76d 100644
--- a/README.rst
+++ b/README.rst
@@ -32,7 +32,7 @@ To use it, just include *vault.server* in your *top.sls*, and configure it using
 listen_protocol: tcp
 listen_port: 8200
 listen_address: 0.0.0.0
- strict_tls: 0
+ tls_disable: 0
 default_lease_ttl: 24h
 max_lease_ttl: 24h
 self_signed_cert:
diff --git a/pillar.example b/pillar.example
index 4e67e56..c2bd59e 100644
--- a/pillar.example
+++ b/pillar.example
@@ -3,7 +3,7 @@ vault:
 listen_protocol: tcp
 listen_port: 8200
 listen_address: 0.0.0.0
- strict_tls: 0
+ tls_disable: 0
 tls_cert_file: {}
 tls_key_file: {}
 default_lease_ttl: 4380h
@@ -14,3 +14,5 @@ vault:
 dev_mode: true
 service:
 type: upstart
+ user: root
+ group: root
diff --git a/vault/defaults.yaml b/vault/defaults.yaml
index 5dc73dc..1cdfef3 100644
--- a/vault/defaults.yaml
+++ b/vault/defaults.yaml
@@ -3,7 +3,7 @@ vault:
 listen_protocol: tcp
 listen_port: 8200
 listen_address: 0.0.0.0
- strict_tls: 0
+ tls_disable: 0
 service: upstart
 tls_cert_file: {}
 tls_key_file: {}
@@ -15,3 +15,5 @@ vault:
 dev_mode: true
 service:
 type: systemd
+ user: root
+ group: root
diff --git a/vault/files/server.hcl.jinja b/vault/files/server.hcl.jinja
index 41355f5..528f415 100644
--- a/vault/files/server.hcl.jinja
+++ b/vault/files/server.hcl.jinja
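Review bot: `salt_bootstrap_options: -p git -p curl stable 2016.11` pins the bootstrap to the 2016.11 branch while the line right below sets `salt_version: latest`; which of the two kitchen-salt honours for a bootstrap install isn't visible here, but they contradict each other and a reader cannot tell which Salt release the suite actually exercises. Pick one and state it, e.g. `salt_version: "2016.11"` next to the bootstrap options, or drop `stable 2016.11` from the options if latest is the intent. The bootstrap install also appears to fetch and execute a script from `https://bootstrap.saltstack.com` with nothing pinning its content, so results can drift with upstream changes; that only affects the test harness, but a comment such as `# bootstrap script is fetched unpinned from upstream; test results may drift between runs` records the trade-off.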
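Review bot: `user: root` and `group: root` are added directly after `type:` under `service:`, yet the systemd unit template in this same commit reads them as `{{ vault.user }}` and `{{ vault.group }}` one level up; the diff's indentation is collapsed so I cannot tell which level the new keys land on, but if they nest under `service` the unit renders against an undefined attribute. The same two lines are added to vault/defaults.yaml, where the first hunk still carries `service: upstart` next to this `service:` mapping — if both sit directly under `vault:` that is a duplicate key and the parser silently keeps only one of them. A root default also makes the new `User=`/`Group=` lines and the `setcap cap_ipc_lock` state redundant, since the capability only matters for an unprivileged account; a dedicated `vault` user is the safer default once a `user.present` state exists, documented with `# service account for the vault process; the binary carries cap_ipc_lock so this need not be root`.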
@@ -7,7 +7,7 @@ backend "s3" {
 listener "{{ vault.listen_protocol }}" {
 address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
- tls_disable = {{ vault.strict_tls }}
+ tls_disable = {{ vault.tls_disable }}
 {% if vault.self_signed_cert.enabled %}
 tls_cert_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}.pem"
 tls_key_file = "/etc/vault/{{ vault.self_signed_cert.hostname }}-nopass.key"
diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja
index 7042a30..a6417b7 100644
--- a/vault/files/vault_systemd.service.jinja
+++ b/vault/files/vault_systemd.service.jinja
@@ -8,3 +8,5 @@ After=network-online.target consul.service
 EnvironmentFile=-/etc/sysconfig/vault
 Restart=on-failure
 ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
+User={{ vault.user }}
+Group={{ vault.group }}
diff --git a/vault/init.sls b/vault/init.sls
index 045d200..6e4958d 100644
--- a/vault/init.sls
+++ b/vault/init.sls
@@ -13,8 +13,14 @@ download vault:
 install vault:
 cmd.run:
- - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
+ - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
 - require:
 - cmd: download vault
 - pkg: unzip
 - unless: test -e /usr/local/bin/vault
+
+vault set cap mlock:
+ cmd.run:
+ - name: "setcap cap_ipc_lock=+ep /usr/local/bin/vault"
+ - onchanges:
+ - cmd: install vault
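Review bot: `tls_disable = {{ vault.tls_disable }}` interpolates the pillar value unquoted, so the rendered HCL depends on the pillar's YAML type: `0`/`1` render as shown, whereas a YAML boolean renders through Jinja as `True`/`False`, which Vault's config parser may not accept as a bare word — worth confirming, or documenting the accepted values next to the default with `# 0 = TLS on (recommended), 1 = plaintext listener`. The rename from `strict_tls` is not backward compatible: a pillar that still sets `strict_tls` is silently ignored and the default `0` applies, which at least fails towards TLS staying enabled. The listener block continues outside the hunk.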
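Review bot: `User={{ vault.user }}` and `Group={{ vault.group }}` are emitted unconditionally, but no state in the hunks shown creates that account, so any non-root value set in pillar leaves the unit unable to start until a `user.present` state is added; with the shipped default of root the two lines change nothing. Running Vault under a dedicated unprivileged user is the configuration these lines and the `setcap cap_ipc_lock` state in init.sls are evidently meant for, and that user also needs read access to `/etc/vault/config/server.hcl` and to the key file referenced from server.hcl.jinja, which nothing here grants. A comment above the two lines, `# service account from pillar; the vault binary carries cap_ipc_lock so mlock works without root`, would document the intent. Only the systemd template changes; whether the upstart variant that pillar.example still selects gets equivalent settings isn't visible here.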
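Review bot: `vault set cap mlock` only fires through `onchanges` on `install vault`, and `install vault` is skipped by `unless: test -e /usr/local/bin/vault`, so a host that already has the binary never receives `cap_ipc_lock` and mlock will fail there once Vault runs as the non-root user this capability is meant for. Giving the state its own idempotency guard decouples it from the install, e.g. replacing the `onchanges` requisite with `- unless: getcap /usr/local/bin/vault | grep -q cap_ipc_lock`. The `chown root:root` in `install vault` typically clears any file capability already on the binary, so the setcap-after-install ordering must be kept; a comment such as `# file capability must be re-applied whenever the binary is replaced or chowned` above the state would make that dependency explicit. The `- name:` line is removed and re-added with identical visible text, which looks like a whitespace-only change.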