
OpenBao is an identity-based secrets and encryption management system designed to securely store and manage sensitive data such as API encryption keys, passwords, and certificates. Originally created as a community fork of HashiCorp Vault after HashiCorp moved Vault to the Business Source License (BSL), it is now maintained under the Linux Foundation with open governance.
The system provides encryption services gated by authentication and authorization methods, accessible through a web UI, CLI, or HTTP API. OpenBao validates and authorizes clients before granting access to secrets, creating a centralized and auditable approach to credential management.
OpenBao offers secure secret storage with encryption at rest, ensuring raw storage access alone cannot compromise secrets. Dynamic secrets can be generated on-demand for systems like Kubernetes and SQL databases, with automatic revocation after lease expiration. The platform provides encryption-as-a-service with centralized key management, simplifying data protection across clouds and datacenters without requiring custom encryption implementations.
The leasing and renewal system associates all secrets with time-limited leases that automatically revoke upon expiration. Built-in revocation supports both individual secrets and entire trees of secrets, enabling rapid response during security incidents and streamlined key rotation.
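The lease lifecycle described above, seen from the client's side, as an added example (this is not OpenBao's own code or part of the original text). It models the behaviour the paragraph states: every credential arrives with a lease, a renewal extends it, and once the lease expires the server revokes the credential, so a client must renew in time or request a fresh one. The response fields (`lease_id`, `lease_duration`, `renewable`) follow the lease response format; the `max_ttl` ceiling and the two-thirds renewal threshold are assumptions standing in for a mount's configured maximum and a typical client policy, and the sample response is constructed.

```python
"""Client-side lease tracking for an OpenBao-issued secret.

Added example, not OpenBao's own code. The max_ttl ceiling and the 2/3
renewal threshold are assumptions; the response shape is constructed.
"""
import json
from dataclasses import dataclass, replace

# Constructed sample: the shape of a dynamic database credential response.
SAMPLE_RESPONSE = json.dumps({
    "lease_id": "database/creds/readonly/CONSTRUCTED-LEASE-ID",
    "lease_duration": 3600,
    "renewable": True,
    "data": {"username": "v-readonly-constructed", "password": "not-a-real-secret"},
})


@dataclass(frozen=True)
class Lease:
    lease_id: str
    created_at: float   # first issue time; the max TTL is measured from here
    issued_at: float    # start of the current validity period (last renewal)
    valid_until: float  # current expiry; the server revokes here if not renewed
    renewable: bool
    max_ttl: int        # assumed mount-level ceiling, in seconds


def lease_from_response(raw: str, now: float, max_ttl: int) -> Lease:
    """Parse a lease-bearing response that was received at time `now`."""
    body = json.loads(raw)
    return Lease(
        lease_id=body["lease_id"],
        created_at=now,
        issued_at=now,
        valid_until=now + body["lease_duration"],
        renewable=body["renewable"],
        max_ttl=max_ttl,
    )


def next_action(lease: Lease, now: float, renew_fraction: float = 2 / 3) -> str:
    """Decide what the client should do at time `now`.

    'use'     -> still well within the current period, keep using the secret
    'renew'   -> past the renewal threshold and a renewal can still extend it
    'reissue' -> expired, not renewable, or already at the max TTL: the
                 credential is (about to be) revoked, so fetch a new one
    """
    if now >= lease.valid_until:
        return "reissue"
    period = lease.valid_until - lease.issued_at
    if now - lease.issued_at < renew_fraction * period:
        return "use"
    hard_limit = lease.created_at + lease.max_ttl
    if not lease.renewable or lease.valid_until >= hard_limit:
        return "reissue"
    return "renew"


def renew(lease: Lease, now: float, increment: int) -> Lease:
    """Model the server's side of a renewal: the new expiry never exceeds the
    max TTL measured from first issue, so repeated renewals converge on it."""
    if not lease.renewable or now >= lease.valid_until:
        raise ValueError("lease cannot be renewed")  # the server would refuse too
    hard_limit = lease.created_at + lease.max_ttl
    return replace(lease, issued_at=now, valid_until=min(now + increment, hard_limit))


if __name__ == "__main__":
    # Walk a lease through two renewals until it hits the max TTL.
    lease = lease_from_response(SAMPLE_RESPONSE, now=0.0, max_ttl=7200)
    for t in (1000.0, 2500.0):
        print(t, next_action(lease, t))
    lease = renew(lease, 2500.0, 3600)           # extended to t=6100
    lease = renew(lease, 5000.0, 3600)           # capped at t=7200 (max TTL)
    print(6600.0, next_action(lease, 6600.0))    # reissue: no renewal can help
```

Running the driver shows the point the paragraph makes from the other side: a client that only ever renews still loses the credential at the max TTL, so a robust consumer must be prepared to request a new dynamic secret and swap it in before the old one is revoked.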
The core workflow consists of four stages: authentication against supported methods, validation against third-party trusted sources, authorization via policy-based access control, and finally access to secrets through issued tokens. Policies provide a declarative way to grant or forbid access to specific paths and operations.
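How path-based policies grant or forbid access, as an added example (this is not OpenBao's own code, and the policies are constructed for illustration). It models the documented shape of ACL policies, a list of path rules each granting a set of capabilities, together with the rules a practitioner most often trips over: a trailing `*` is a glob, `+` matches exactly one path segment, a more specific rule takes precedence over a glob, a request that matches no rule is denied, and `deny` wins over every other capability, including when several policies attached to one token are merged. The precedence ordering implemented here is a simplification of the real algorithm, and the HCL stanzas in the comments (loaded with `bao policy write`) are the equivalent operator-facing form of each constructed rule.

```python
"""Simplified model of OpenBao path-based policy evaluation.

Added example, not OpenBao's own code. The sample policies are constructed
and the precedence ordering is a simplification of the real algorithm.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset


# Constructed sample policies. Each Rule mirrors the HCL stanza an operator
# would write and load with `bao policy write <name> <file>`.
APP_POLICY: List[Rule] = [
    # path "secret/data/app/*" { capabilities = ["read", "list"] }
    Rule("secret/data/app/*", frozenset({"read", "list"})),
    # path "secret/data/app/+/config" { capabilities = ["read", "update"] }
    Rule("secret/data/app/+/config", frozenset({"read", "update"})),
    # path "secret/data/app/admin-token" { capabilities = ["deny"] }
    Rule("secret/data/app/admin-token", frozenset({"deny"})),
]

# A second policy that tries to grant what APP_POLICY explicitly denies.
OVERREACH_POLICY: List[Rule] = [
    # path "secret/data/app/admin-token" { capabilities = ["read"] }
    Rule("secret/data/app/admin-token", frozenset({"read"})),
]


def path_matches(pattern: str, path: str) -> bool:
    """Match a request path against a rule path.

    A trailing '*' matches any remainder (including across segments); a
    '+' segment matches exactly one segment; everything else is literal.
    """
    glob = pattern.endswith("*")
    pat = pattern[:-1].split("/") if glob else pattern.split("/")
    req = path.split("/")
    if glob:
        if len(req) < len(pat):
            return False
        head, last = pat[:-1], pat[-1]
        if any(p != "+" and p != r for p, r in zip(head, req)):
            return False
        return req[len(head)].startswith(last)
    if len(pat) != len(req):
        return False
    return all(p == "+" or p == r for p, r in zip(pat, req))


def merge_policies(policies: Iterable[List[Rule]]) -> Dict[str, Set[str]]:
    """Union the capabilities of identical rule paths across policies.
    'deny' survives the union, which is what makes it authoritative."""
    merged: Dict[str, Set[str]] = {}
    for policy in policies:
        for rule in policy:
            merged.setdefault(rule.path, set()).update(rule.capabilities)
    return merged


def is_allowed(policies: Iterable[List[Rule]], path: str, capability: str) -> bool:
    """Default-deny evaluation: no matching rule means no access."""
    matches = [(p, caps) for p, caps in merge_policies(policies).items()
               if path_matches(p, path)]
    if not matches:
        return False
    # Simplified specificity: an exact (non-glob) rule beats a glob, and a
    # longer pattern beats a shorter one.
    _, caps = max(matches, key=lambda m: (not m[0].endswith("*"), len(m[0])))
    if "deny" in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    checks = [
        ("secret/data/app/db", "read"),
        ("secret/data/app/db", "update"),
        ("secret/data/app/db/config", "update"),
        ("secret/data/app/admin-token", "read"),
        ("secret/data/other/db", "read"),
    ]
    for p, cap in checks:
        print(f"{cap:6} {p:32} -> {is_allowed([APP_POLICY], p, cap)}")
    print("merged policies still deny admin-token read:",
          not is_allowed([APP_POLICY, OVERREACH_POLICY], "secret/data/app/admin-token", "read"))
```

The merged-policy case is the one worth internalising when reviewing token policies: attaching an additional policy can only widen access for paths that are not explicitly denied, so an explicit `deny` on a sensitive path is a reliable guard against a later, broader grant.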
OpenBao supports multiple installation methods including package managers (Homebrew, FreeBSD pkg, Linux distributions), container registries (GitHub Container Registry, Quay, Docker Hub), precompiled binaries, Helm charts for Kubernetes, and compilation from source. Both Alpine Linux and RHEL UBI base images are available.