Setting Up Hashicorp Vault on FreeBSD

Vault works well on FreeBSD, but there are a couple of quirks to be aware of. This guide will help take care of those.

Installing Vault

Follow the normal install method:

pkg install vault

Settings for use in Jail

Running Vault in a jail requires the jail parameter allow.mlock to be set, because Vault calls mlock to keep its memory out of swap.

With ezjail and a jail called vault, modify the config file /usr/local/etc/ezjail/vault on the host and set:

jail_vault_parameters="allow.mlock=1"

Configuring Vault

First, enable Vault and route its output to syslog:

sysrc vault_enable="YES"
sysrc vault_syslog_output_enable="YES"

Then create the config file with some basic settings in /usr/local/etc/vault.hcl:

listener "tcp" {
  address = "10.10.0.33:8200"
  tls_disable = 1
}

storage "raft" {
  path = "/var/db/vault"
  node_id = "v"
}

cluster_addr = "http://10.10.0.33:8201"
api_addr = "http://10.10.0.33:8200"
ui = true

Note that TLS is disabled on the listener in this case because this instance will be used to create a root CA; the listener therefore serves plain HTTP.

Then start Vault:

service vault start

Then inspect the daemon log for any messages:

tail -30 /var/log/daemon.log

Initialize Vault

To initialize Vault, run:

env VAULT_ADDR=http://10.10.0.33:8200 vault operator init

Once Vault has initialized, it prints the unseal keys (and the initial root token), which must be saved in a secure location, ideally an offline store kept in a safe.
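The two checkpoints above (confirming the server is up after service vault start, and handling the keys that vault operator init prints) are easy to get wrong by copying secrets off a terminal. The script below is an added example, not part of the original guide or of the Vault project: it assumes the listener address from the config above, the field names that GET /v1/sys/seal-status returns (initialized, sealed, t, n), and the JSON layout of vault operator init -format=json (unseal_keys_b64, unseal_shares, unseal_threshold, root_token). The custodian names and the sample JSON strings are constructed placeholders.

```python
"""Post-install checks for a freshly configured Vault on FreeBSD.

Added example, not part of the original guide. Assumes the listener address
used in the guide and the JSON shapes of /v1/sys/seal-status and
`vault operator init -format=json`.
"""
import json
import os
import sys
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://10.10.0.33:8200")

# Constructed sample responses, only used for offline demonstration.
SAMPLE_SEAL_STATUS = '{"type":"shamir","initialized":false,"sealed":true,"t":0,"n":0,"progress":0}'
SAMPLE_INIT = json.dumps({
    "unseal_keys_b64": ["KEY1-PLACEHOLDER", "KEY2-PLACEHOLDER", "KEY3-PLACEHOLDER",
                        "KEY4-PLACEHOLDER", "KEY5-PLACEHOLDER"],
    "unseal_shares": 5,
    "unseal_threshold": 3,
    "root_token": "ROOT-TOKEN-PLACEHOLDER",
})


def seal_summary(body: str) -> dict:
    """Reduce a /v1/sys/seal-status response to the fields worth checking after start."""
    status = json.loads(body)
    return {
        "initialized": bool(status.get("initialized")),
        "sealed": bool(status.get("sealed")),
        "shares": int(status.get("n", 0)),
        "threshold": int(status.get("t", 0)),
    }


def fetch_seal_summary(addr: str = VAULT_ADDR) -> dict:
    """Query the live server; seal-status needs no token, so it works before init."""
    with urllib.request.urlopen(f"{addr}/v1/sys/seal-status", timeout=5) as resp:
        return seal_summary(resp.read().decode())


def parse_init_output(body: str) -> dict:
    """Parse `vault operator init -format=json` and sanity-check shares vs. threshold."""
    init = json.loads(body)
    keys = init["unseal_keys_b64"]
    shares, threshold = int(init["unseal_shares"]), int(init["unseal_threshold"])
    if len(keys) != shares:
        raise ValueError(f"expected {shares} unseal keys, got {len(keys)}")
    if not 1 <= threshold <= shares:
        raise ValueError(f"threshold {threshold} not in 1..{shares}")
    return {"keys": keys, "threshold": threshold, "root_token": init["root_token"]}


def assign_shares(keys, custodians):
    """One share per custodian, so no single person holds enough to reach the threshold."""
    if len(custodians) != len(keys):
        raise ValueError("need exactly one custodian per unseal key")
    return dict(zip(custodians, keys))


def write_shares(assignment, root_token, outdir):
    """Write each share and the root token to its own mode-0600 file for offline handoff."""
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    written = []
    for name, secret in list(assignment.items()) + [("root-token", root_token)]:
        path = os.path.join(outdir, f"{name}.txt")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(secret + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    # Usage: vault operator init -format=json | python3 split_keys.py alice bob carol dave erin
    custodians = sys.argv[1:] or ["alice", "bob", "carol", "dave", "erin"]
    init = parse_init_output(sys.stdin.read())
    for p in write_shares(assign_shares(init["keys"], custodians), init["root_token"], "vault-keys"):
        print("wrote", p)
```

Before init, fetch_seal_summary() should report initialized False and sealed True; after init the shares and threshold fields reflect what vault operator init chose. Piping the JSON form of the init output into the script avoids copying keys by hand and leaves one file per custodian (plus the root token) in a directory that can be moved to offline storage and then deleted from the host.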