Vault on OpenBSD

How to install and run HashiCorp Vault on OpenBSD

In addition to [this blog entry](https://blog.stoege.net/categories/vault/), here are some instructions for OpenBSD.

Requirements

  • VM with OpenBSD 7.2 (or older …) and root/doas permission
  • Domain, or at least a FQDN Name pointing to your VM
  • HTTP/HTTPS allowed from Internet (for Certificate Generation)
  • Nginx installed (pkg_add nginx)

Source

https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install Vault

All the steps must be run as root (or with doas).

pkg_add vault

Vault Config

Back up the previous config before overwriting it:

cp /etc/vault/vault.hcl /etc/vault/vault.hcl-$(date "+%s")

cat << 'EOF' > /etc/vault/vault.hcl

storage "file" {
  path            = "/var/vault/storage/"
}

ui                = "true"

listener "tcp" {
  address         = "127.0.0.1:8200"
  tls_disable     = 1
}

api_addr          = "http://127.0.0.1:8200"
max_lease_ttl     = "10h"
default_lease_ttl = "10h"
disable_mlock     = "true"

EOF
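The listener above runs without TLS, which is only acceptable because it is bound to loopback and nginx terminates HTTPS in front of it. The following lint, an added example that is not part of the original post, reads the listener "tcp" block of a vault.hcl and fails when a plaintext listener is bound to anything other than loopback. It assumes a single listener "tcp" block, as in the config above, and builds its own constructed sample files in a temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): check that a Vault listener
# with tls_disable set is bound to loopback only. Assumes one listener "tcp"
# block per file, written in the key = "value" style used above.
set -e

# Print the value of one key ("address" or "tls_disable") from the listener "tcp" block.
listener_value() {
    awk -v key="$2" '
        /^listener "tcp"/ { in_block = 1; next }
        in_block && /^}/  { in_block = 0 }
        in_block && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            gsub(/[" \t]/, "", $0)      # strip quotes and whitespace
            split($0, kv, "=")
            print kv[2]
        }' "$1"
}

# Exit 0 when the listener is safe (TLS on, or plaintext only on loopback),
# 1 when a plaintext listener would be reachable from the network.
vault_listener_check() {
    addr=$(listener_value "$1" address)
    tls=$(listener_value "$1" tls_disable)
    case "$tls" in
        1|true) ;;                      # TLS disabled: the bind address matters
        *)      return 0 ;;             # TLS enabled (or unset, default 0): fine
    esac
    host=${addr%:*}                     # "127.0.0.1:8200" -> "127.0.0.1", "[::1]:8200" -> "[::1]"
    case "$host" in
        127.*|localhost|"[::1]") return 0 ;;
        *)                       return 1 ;;   # empty or non-loopback address: flag it
    esac
}

# Constructed sample configs: the loopback listener from this post, and a
# weak variant bound to every interface (files are left in $tmp for inspection).
tmp=$(mktemp -d)
ok_cfg="$tmp/loopback.hcl"
bad_cfg="$tmp/exposed.hcl"
cat > "$ok_cfg" <<'HCL'
listener "tcp" {
  address         = "127.0.0.1:8200"
  tls_disable     = 1
}
HCL
sed 's/127.0.0.1:8200/0.0.0.0:8200/' "$ok_cfg" > "$bad_cfg"

for f in "$ok_cfg" "$bad_cfg"; do
    if vault_listener_check "$f"; then echo "OK   $f"; else echo "WEAK $f"; fi
done
```

Run it against /etc/vault/vault.hcl after any edit to the listener block; a non-zero exit from vault_listener_check means Vault's unencrypted API is exposed beyond localhost.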

Reverse Proxy with Nginx

cat << 'EOF' > /etc/nginx/sites/vault.your.domain.de.conf
#
# HTTP Server vault.your.domain.de
#
server {

    listen        80;
    listen        [::]:80;
    server_name   vault.your.domain.de;

    access_log    /var/log/nginx-nossl/vault.your.domain.de.log main;
    error_log     /var/log/nginx-nossl/vault.your.domain.de-error.log;

    location /.well-known/acme-challenge/ {
        rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
        root /acme;
    }

    location / {
        return 301    https://$host$request_uri;
    }
}
EOF

SSL Cert

You need a valid DNS record pointing to your server before requesting the certificate. The `sign with letsencrypt` line below refers to the `letsencrypt` authority, which must already be defined in /etc/acme-client.conf (see /etc/examples/acme-client.conf).

cat << 'EOF' >> /etc/acme-client.conf
domain vault.your.domain.de {
  domain key "/etc/ssl/private/vault.your.domain.de.key"
  domain full chain certificate "/etc/ssl/vault.your.domain.de.fullchain.pem"
  sign with letsencrypt
}
EOF

Restart nginx

rcctl restart nginx

Get SSL Cert

acme-client -D vault.your.domain.de

Enable HTTPS on Nginx

cat << 'EOF' >> /etc/nginx/sites/vault.your.domain.de.conf
#
# HTTPS Server vault.your.domain.de
#
server {

    listen        443 ssl;
    listen        [::]:443 ssl;
    server_name   vault.your.domain.de;

    access_log    /var/log/nginx/vault.your.domain.de.log main;
    error_log     /var/log/nginx/vault.your.domain.de-error.log;

    # key and chain as written by acme-client above
    ssl_certificate_key         /etc/ssl/private/vault.your.domain.de.key;
    ssl_certificate             /etc/ssl/vault.your.domain.de.fullchain.pem;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

    location / {
      proxy_pass http://127.0.0.1:8200;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
    }
}
EOF

Restart nginx

rcctl restart nginx

Enable and Start Vault

rcctl enable vault
rcctl start vault

Open the website, get the root key and create the unseal keys

https://vault.your.domain.de