Vault on OpenBSD


How to install and run HashiCorp Vault on OpenBSD

In addition to this Blog Entry, here are some instructions for OpenBSD.


  • VM with OpenBSD 7.2 (or older …) and root/doas permission
  • Domain, or at least a FQDN pointing to your VM
  • HTTP (port 80) reachable from the Internet for the ACME HTTP-01 challenge, HTTPS (port 443) for the Vault UI/API behind nginx
  • Nginx installed (pkg_add nginx)


Install Vault

All steps must be run as root (or with doas).

pkg_add vault

Vault Config

Back up the previous config first …

cp /etc/vault/vault.hcl /etc/vault/vault.hcl-$(date "+%s")

cat << 'EOF' > /etc/vault/vault.hcl
storage "file" {
  path            = "/var/vault/storage/"
}

ui                = "true"

listener "tcp" {
  address         = ""
  tls_disable = 1
}

api_addr          = ""
max_lease_ttl     = "10h"
default_lease_ttl = "10h"
disable_mlock     = "true"
EOF

Three things to check in this file. With tls_disable = 1 the listener speaks plain HTTP, so its address must be a loopback address (Vault's default port is 8200): nginx on the same host terminates TLS and is the only client that should ever reach that port. Vault ignores the X-Forwarded-For header nginx sends unless the listener also sets x_forwarded_for_authorized_addrs to the proxy's address; without it the audit log records 127.0.0.1 as the client for every request. Finally, disable_mlock = "true" allows the kernel to page Vault's memory, including the unseal material, out to swap; on OpenBSD this is tolerable only because swap is encrypted by default (sysctl vm.swapencrypt.enable is 1, verify it before relying on it).


Reverse Proxy with Nginx

nginx on OpenBSD runs chrooted to /var/www, so root /acme below is /var/www/acme on disk, which is acme-client's default challenge directory. The file is written to /etc/nginx/sites/, so make sure nginx.conf includes that directory from its http block.

cat << 'EOF' > /etc/nginx/sites/
# HTTP Server
server {

    listen        80;
    listen        [::]:80;

    access_log    /var/log/nginx-nossl/ main;
    error_log     /var/log/nginx-nossl/;

    location /.well-known/acme-challenge/ {
        rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
        root /acme;
    }

    location / {
        return 301    https://$host$request_uri;
    }
}
EOF

SSL Cert

You need a valid DNS record pointing to your server … The block below refers to the authority named letsencrypt; if /etc/acme-client.conf does not define it yet, copy the authority block from /etc/examples/acme-client.conf first.

cat << 'EOF' >> /etc/acme-client.conf
domain {
  domain key "/etc/ssl/private/"
  domain full chain certificate "/etc/ssl/"
  sign with letsencrypt
}
EOF

Restart nginx

rcctl restart nginx

Get SSL Cert

acme-client -D

acme-client expects the domain name from the block above as its argument; run it with -v the first time to watch the challenge and issuance steps. nginx must already be serving the HTTP block for the challenge to succeed.

Enable HTTPS on Nginx

cat << 'EOF' >> /etc/nginx/sites/
# HTTPS Server
server {

    listen        443 ssl;
    listen        [::]:443 ssl;

    access_log    /var/log/nginx/ main;
    error_log     /var/log/nginx/;

    ssl_certificate_key         /etc/ssl/private/;
    ssl_certificate             /etc/ssl/;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";

    location / {
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      # must match the tcp listener address in vault.hcl; 127.0.0.1:8200 assumes Vault's default port
      proxy_pass http://127.0.0.1:8200;
    }
}
EOF

proxy_pass has to point at the address the tcp listener in vault.hcl binds to; without it nginx serves nothing on port 443. Keep that listener on loopback so the only path to Vault is through this TLS-terminating server block.

Restart nginx

rcctl restart nginx

Enable and Start Vault

rcctl enable vault
rcctl start vault

Open the website, initialise Vault (this creates the unseal keys and the initial root token; store them offline) and unseal it with the required number of keys.
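Once Vault is running it is worth checking that the configuration built above does not leave the plaintext listener exposed. The script below is an added example, not code from the original post or from HashiCorp; it assumes Vault's default port 8200 and the vault.hcl layout used on this page, and the function names (audit_vault_hcl, health_state, vault_health, write_samples) and the vault.example.org placeholder are ours. It lints a vault.hcl for the three settings that matter behind a TLS-terminating nginx (a tls_disable listener bound to a non-loopback address, a missing x_forwarded_for_authorized_addrs, disable_mlock) and reads the seal state from /v1/sys/health using OpenBSD's base ftp(1) instead of a curl package. The two sample configs it audits are constructed for the demo.

```shell
#!/bin/sh
# Post-install checks for the Vault-behind-nginx setup on this page.
# Added example, not code from the original post or from HashiCorp. Assumes
# Vault's default port 8200 and the vault.hcl layout used above.

# audit_vault_hcl FILE
# Prints one finding per line; the return value is the number of findings.
audit_vault_hcl() {
    # Drop comments and whitespace so the checks are not fooled by layout.
    conf=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1")
    n=0
    # 1. A plaintext listener (tls_disable) must bind to loopback only:
    #    nginx terminates TLS, nothing else should reach port 8200 in clear.
    if printf '%s\n' "$conf" | grep -Eq '^tls_disable=(1|true|"true")$'; then
        addr=$(printf '%s\n' "$conf" | sed -n 's/^address="\([^"]*\)".*/\1/p' | head -n 1)
        case "$addr" in
            127.0.0.1:* | localhost:* | "[::1]:"*) ;;
            *) echo "listener: tls_disable set but address \"$addr\" is not loopback"
               n=$((n + 1)) ;;
        esac
    fi
    # 2. Vault ignores nginx's X-Forwarded-For unless the proxy is listed in
    #    x_forwarded_for_authorized_addrs; the audit log would show 127.0.0.1
    #    as the client for every request.
    if ! printf '%s\n' "$conf" | grep -q '^x_forwarded_for_authorized_addrs='; then
        echo "listener: x_forwarded_for_authorized_addrs missing, audit log will not see client IPs"
        n=$((n + 1))
    fi
    # 3. disable_mlock lets the kernel page Vault's memory (unseal material,
    #    tokens) out to swap. OpenBSD encrypts swap by default
    #    (sysctl vm.swapencrypt.enable=1), so flag it as something to verify.
    if printf '%s\n' "$conf" | grep -Eq '^disable_mlock=(true|"true")$'; then
        echo "disable_mlock: set, confirm sysctl vm.swapencrypt.enable is 1"
        n=$((n + 1))
    fi
    return "$n"
}

# health_state JSON
# Reduces a /v1/sys/health body to one word: uninitialized, sealed, standby, active.
health_state() {
    body=$(printf '%s' "$1" | tr -d ' \n\t')
    case "$body" in
        *'"initialized":false'*) echo uninitialized ;;
        *'"sealed":true'*)       echo sealed ;;
        *'"standby":true'*)      echo standby ;;
        *'"initialized":true'*)  echo active ;;
        *)                       echo unknown; return 1 ;;
    esac
}

# vault_health FQDN
# OpenBSD's base ftp(1) fetches https URLs, so no curl package is needed. The
# *code=200 parameters make Vault answer 200 for sealed/uninitialized/standby
# instead of 503/501/429, which ftp would otherwise treat as a failed download.
vault_health() {
    ftp -o - "https://$1/v1/sys/health?sealedcode=200&uninitcode=200&standbycode=200"
}

# write_samples DIR
# Constructed inputs (not real deployments): the page's listener as written,
# with a wildcard address filled in, and a hardened variant that passes.
write_samples() {
    cat > "$1/page.hcl" <<'EOF'
storage "file" {
  path = "/var/vault/storage/"
}
listener "tcp" {
  address     = "0.0.0.0:8200"   # reachable from every interface
  tls_disable = 1
}
disable_mlock = "true"
EOF
    cat > "$1/hardened.hcl" <<'EOF'
storage "file" {
  path = "/var/vault/storage/"
}
listener "tcp" {
  address     = "127.0.0.1:8200"  # only nginx on this host can reach it
  tls_disable = 1
  x_forwarded_for_authorized_addrs = "127.0.0.1"
}
disable_mlock = false
EOF
}

# Demo on the constructed samples. On a live host run:
#   audit_vault_hcl /etc/vault/vault.hcl; health_state "$(vault_health vault.example.org)"
tmp=$(mktemp -d)
write_samples "$tmp"
for f in page hardened; do
    echo "== $f.hcl"
    audit_vault_hcl "$tmp/$f.hcl" && echo "clean" || echo "$? finding(s)"
done
rm -r "$tmp"
```

The page's config as written trips all three checks; the hardened variant differs only in the listener address, the x_forwarded_for_authorized_addrs line and disable_mlock, which is exactly the set of changes worth making before putting the Vault UI on the Internet.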
