# OpenBao — Community-Driven Open Source Secrets Manager

> OpenBao is an open-source fork of HashiCorp Vault created after the license change to BSL. It provides the same secrets management, encryption as a service, and identity-based access capabilities under the MPL-2.0 license, maintained by the Linux Foundation.

## Quick Use

```bash
# Install and start a dev server (in-memory storage, already unsealed,
# plain HTTP; for local testing only)
brew install openbao
bao server -dev

# In another terminal:
export BAO_ADDR=http://127.0.0.1:8200
bao kv put secret/myapp username=admin password=s3cret
bao kv get secret/myapp
```

## Introduction

OpenBao is a community-maintained fork of HashiCorp Vault, created under the Linux Foundation after Vault moved to the Business Source License. It offers secrets management, dynamic credentials, encryption as a service, and identity-based access control, all under a truly open-source MPL-2.0 license.

## What OpenBao Does

- Stores, generates, and rotates secrets like API keys, passwords, and certificates
- Issues dynamic credentials for databases, cloud providers, and SSH
- Provides encryption as a service via the Transit secrets engine
- Enforces identity-based access policies for fine-grained authorization
- Supports automatic unsealing with cloud KMS or Shamir key shares

## Architecture Overview

OpenBao uses a client-server model where the server manages secret engines, authentication methods, and policies. Data is encrypted at rest using an AES-256 barrier key that is unsealed at startup. Backends are pluggable: storage can be Raft (integrated), Consul, or file-based. Secret engines and auth methods are mounted at paths and handle their own logic for generating, storing, or validating credentials.
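
The Shamir key shares mentioned above split an unseal key so that any threshold-sized group of holders can reconstruct it, while a smaller group cannot. The Python below is an added example of that threshold scheme over GF(2^8), not OpenBao's own code; the function names and the share and threshold counts passed in are assumptions made for illustration.

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse of a nonzero element, found by search over the 255 candidates."""
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def split(secret: bytes, shares: int, threshold: int) -> list[tuple[int, bytes]]:
    """Split secret into `shares` pieces; any `threshold` of them recover it."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    out = [(x, bytearray()) for x in range(1, shares + 1)]
    for byte in secret:
        # Per byte: random polynomial of degree threshold-1, constant term = byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in out:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in out]

def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Recover the secret by Lagrange interpolation at x = 0."""
    xs = [x for x, _ in shares]
    if 0 in xs or len(set(xs)) != len(xs):
        raise ValueError("share x-coordinates must be distinct and nonzero")
    secret = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            basis = 1  # L_j(0) = product of xm / (xm - xj); subtraction is XOR
            for xm in xs:
                if xm != xj:
                    basis = gf_mul(basis, gf_mul(xm, gf_inv(xm ^ xj)))
            acc ^= gf_mul(yj[i], basis)
        secret.append(acc)
    return bytes(secret)
```

Each share is as long as the key itself, so share holders should store and transport their shares with the same care as the key.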

## Self-Hosting & Configuration

- Install via package managers, Docker, or download a static binary from the releases page
- Production mode requires a storage backend (Raft for single-cluster, Consul for multi-DC)
- Configure the server via an HCL config file specifying listeners, storage, and TLS settings
- Initialize the server with `bao operator init` and unseal with key shares or auto-unseal
- Use the `bao` CLI or HTTP API to manage secrets, policies, and auth methods

## Key Features

- API-compatible with HashiCorp Vault for straightforward migration
- Dynamic secrets for PostgreSQL, MySQL, AWS, Azure, and other backends
- Transit engine for application-layer encryption without storing keys in app code
- Leasing and automatic revocation of short-lived credentials
- High availability with Raft-based integrated storage

## Comparison with Similar Tools

- **HashiCorp Vault** — The upstream project now under BSL; OpenBao offers the same features under MPL-2.0
- **Infisical** — Developer-focused secrets platform; OpenBao provides broader enterprise features like dynamic credentials
- **SOPS** — File-level secret encryption; OpenBao is a centralized server for runtime secret access
- **AWS Secrets Manager** — Cloud-native managed service; OpenBao is self-hosted and cloud-agnostic

## FAQ

**Q: Is OpenBao compatible with Vault?**
A: Yes. OpenBao maintains API compatibility with Vault, so existing clients, Terraform providers, and integrations work with minimal changes.

**Q: Why was OpenBao created?**
A: HashiCorp changed Vault's license from MPL-2.0 to BSL in 2023. OpenBao was forked under the Linux Foundation to keep a truly open-source alternative available.

**Q: Can I migrate from Vault to OpenBao?**
A: In most cases, migrating involves swapping the binary and updating references from `vault` to `bao`. Storage backends and configurations are compatible.

**Q: Does OpenBao support auto-unseal?**
A: Yes. It supports auto-unseal via AWS KMS, Azure Key Vault, GCP Cloud KMS, and Transit-based unsealing.

## Sources

- https://github.com/openbao/openbao
- https://openbao.org/docs/

---

Source: https://tokrepo.com/en/workflows/55b0ad2d-4106-11f1-9bc6-00163e2b0d79
Author: AI Open Source