Vault works well on FreeBSD, but there are a couple of quirks to be aware of. This guide will help take care of those.
Installing Vault
Follow the normal install method:
pkg install vault
Settings for use in Jail
Using Vault in a jail requires the option allow.mlock to be set.
Using ezjail and a jail called vault, just modify the config file /usr/local/etc/ezjail/vault on the host and set:
jail_vault_parameters="allow.mlock=1"
Configuring Vault
First, enable Vault and turn on syslog output:
sysrc vault_enable="YES"
sysrc vault_syslog_output_enable="YES"
Then create the config file /usr/local/etc/vault.hcl with some basic settings:
listener "tcp" {
  address = "10.10.0.33:8200"
  tls_disable = 1
}
storage "raft" {
  path = "/var/db/vault"
  node_id = "v"
}
cluster_addr = "http://10.10.0.33:8201"
api_addr = "http://10.10.0.33:8200"
ui = true
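Note that TLS is disabled in this case because this Vault instance will be used to create a root CA. With tls_disable = 1, everything sent to 10.10.0.33:8200, including tokens and unseal keys, crosses the network unencrypted.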
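The jail setting and the listener configuration above can be checked before the service is started. The following sh functions are an added example, not part of the original guide or of Vault itself; the function names and the temporary sample files are constructed for illustration, and the parsing assumes one setting per line as in the files shown here.

```shell
#!/bin/sh
# Added example (not from the original guide): preflight checks for this setup.
# Assumes one setting per line, as in the files shown in the guide.

# Succeeds if the ezjail config grants allow.mlock to the jail.
# $1 = ezjail config file, $2 = jail name as used in the variable name
check_jail_mlock() {
    grep -Eq "^jail_${2}_parameters=\"([^\"]* )?allow\.mlock(=1)?( [^\"]*)?\"" "$1"
}

# Prints one finding per cleartext endpoint in a Vault config; prints nothing
# if no non-loopback listener disables TLS. $1 = vault.hcl
find_cleartext() {
    awk '
        /^[ \t]*listener[ \t]+"tcp"/ { inblk = 1; addr = ""; notls = 0; next }
        inblk && /^[ \t]*address[ \t]*=/ {
            addr = $0
            sub(/^[^=]*=[ \t]*"/, "", addr); sub(/".*$/, "", addr)
        }
        inblk && /^[ \t]*tls_disable[ \t]*=[ \t]*"?(1|true)/ { notls = 1 }
        inblk && /^[ \t]*[}]/ {
            # An unset address defaults to loopback (127.0.0.1:8200).
            if (notls && addr != "" && addr !~ /^(127\.|localhost:|\[::1\])/)
                print "listener " addr " has tls_disable set"
            inblk = 0
        }
        /^[ \t]*(api_addr|cluster_addr)[ \t]*=[ \t]*"http:/ { print $1 " uses http" }
    ' "$1"
}

# Constructed sample input mirroring the two files from this guide.
tmp=$(mktemp -d)
printf '%s\n' 'jail_vault_parameters="allow.mlock=1"' > "$tmp/ezjail_vault"
cat > "$tmp/vault.hcl" <<'EOF'
listener "tcp" {
  address = "10.10.0.33:8200"
  tls_disable = 1
}
cluster_addr = "http://10.10.0.33:8201"
api_addr = "http://10.10.0.33:8200"
EOF

if check_jail_mlock "$tmp/ezjail_vault" vault; then
    echo "jail: allow.mlock is set"
else
    echo "jail: allow.mlock is not set"
fi
find_cleartext "$tmp/vault.hcl"
rm -rf "$tmp"
```

Run against the real files, the second function gives a list of what to revisit once the root CA exists and the listener can be given a certificate.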
Then start Vault:
service vault start
And inspect the log for any information:
tail -30 /var/log/daemon.log
Initialize Vault
To initialize Vault, run:
env VAULT_ADDR=http://10.10.0.33:8200 vault operator init
Once Vault has initialized, it will print a bunch of keys that need to be saved in a secure location, ideally in an offline store that is kept in a safe.