The security/vault port
vault-1.18.2 – secure secret storage (cvsweb github mirror)
Description
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.WWW: https://www.vaultproject.io/
Readme
+----------------------------------------------------------------------- | Running ${PKGSTEM} on OpenBSD +----------------------------------------------------------------------- Default Vault locations ======================= configuration: ${SYSCONFDIR}/vault/vault.hcl logs: /var/log/vault/ plugins: ${LOCALSTATEDIR}/vault/plugins/ storage: ${LOCALSTATEDIR}/vault/storage/ Default configuration ===================== Default storage engine ---------------------- For more info on integrated Raft storage backend, see: check https://www.vaultproject.io/docs/concepts/integrated-storage disable_mlock option -------------------- Without this option, "vault operator init" will SIGSEGV. Since OpenBSD encrypts swap by default, this fixes the problem with leaking plaintext secrets via swap thus setting disable_mlock=true considered harmless. Initializing Vault ================== Check the following ${SYSCONFDIR}/vault/vault.hcl configuration options: api_addr cluster_addr cluster_name listener address listener cluster_address storage node_id and set to the real cluster/node addresses/names for cluster/client communications. Enable and start Vault server: # rcctl enable vault && rcctl start vault Set environment variable appropriately: $ export VAULT_ADDR="http://localhost:8200" Initialize Vault: $ vault operator init Unseal Vault: $ vault operator unseal For more information on Vault server deployment, see: https://learn.hashicorp.com/vault/getting-started/deploy Note, that Vault server supports PGP, GPG and Keybase for unseal keys, for more info, see: https://www.vaultproject.io/docs/concepts/pgp-gpg-keybase.html Auditing Vault operations -------------------------- To enable writing audit logs to /var/log/vault/, run $ vault audit enable file file_path=/var/log/vault/audit.log mode=0640 Logging ------- Vault server uses logger(1) to log to syslogd(8) with daemon.info facility/level and tag "vault". If you want to use a separate file for Vault server logs, add the following lines to the top of ${SYSCONFDIR}/syslog.conf: !!vault *.* /var/log/vault/vault.log !* create logfile: # install -Do _vault -g _vault -m 0640 /dev/null /var/log/vault/vault.log and restart syslogd(8): # rcctl reload syslogd For log rotation, adjust/add the following lines to /etc/newsyslog.conf: /var/log/vault/audit.log _vault:_vault 640 7 * $D23 Z "rcctl reload vault" /var/log/vault/vault.log _vault:_vault 640 7 * $D23 Z
Maintainer
Pavel Korovin
Only for arches
aarch64 amd64 arm i386 riscv64
Broken
on i386: /usr/local/go/pkg/tool/openbsd_386/link: mapping output file failed: cannot allocate memory
Categories
Build dependencies
Files
- /etc/rc.d/vault
- /etc/rc.d/vault_agent
- /etc/vault/
- /etc/vault/agent.hcl
- /etc/vault/vault.hcl
- /usr/local/bin/vault
- /usr/local/share/doc/pkg-readmes/vault
- /usr/local/share/examples/vault/
- /usr/local/share/examples/vault/agent.hcl
- /usr/local/share/examples/vault/vault.hcl
- /var/log/vault/
- /var/vault/
- /var/vault/plugins/
- /var/vault/storage/
- @extraunexec rm -rf /var/log/vault/*
- @extraunexec rm -rf /var/vault/{plugins,storage}/*
- @newgroup _vault:772
- @newuser _vault:772:_vault::HashiCorp Vault:/nonexistent:/sbin/nologin