Configs · April 26, 2026 · 1 minute read

OpenBao — Community-Driven Open Source Secrets Manager

OpenBao is an open-source fork of HashiCorp Vault created after the license change to BSL. It provides the same secrets management, encryption as a service, and identity-based access capabilities under the MPL-2.0 license, maintained by the Linux Foundation.


Introduction

OpenBao is a community-maintained fork of HashiCorp Vault, created under the Linux Foundation after Vault moved to the Business Source License. It offers secrets management, dynamic credentials, encryption as a service, and identity-based access control, all under a truly open-source MPL-2.0 license.

What OpenBao Does

  • Stores, generates, and rotates secrets like API keys, passwords, and certificates
  • Issues dynamic credentials for databases, cloud providers, and SSH
  • Provides encryption as a service via the Transit secrets engine
  • Enforces identity-based access policies for fine-grained authorization
  • Supports automatic unsealing with cloud KMS or Shamir key shares

Architecture Overview

OpenBao uses a client-server model where the server manages secret engines, authentication methods, and policies. Data is encrypted at rest using an AES-256 barrier key that is unsealed at startup. Backends are pluggable: storage can be Raft (integrated), Consul, or file-based. Secret engines and auth methods are mounted at paths and handle their own logic for generating, storing, or validating credentials.
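The unseal step described above (and the "Shamir key shares" option under What OpenBao Does) is easy to misunderstand, so here is an added, stand-alone illustration of the mechanism. It is not OpenBao's own code: it splits a 256-bit barrier key with Shamir's scheme over a prime field (OpenBao, like Vault, works per byte in GF(2^8), but the threshold property is the same), and a toy `SealedBarrier` class mimics the init/unseal ceremony, accepting one share at a time until the threshold is reached and rejecting a tampered share by checking a stored fingerprint (the real server instead verifies by decrypting its keyring). All names and the fingerprint check are assumptions for this example.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Prime field for the Shamir polynomial. 2**521 - 1 is a Mersenne prime and is
# large enough that any 256-bit barrier key is a valid field element.
P = 2**521 - 1

Share = Tuple[int, int]  # (x coordinate, polynomial value at x)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (coeffs[0] is the constant term) at x modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, shares: int, threshold: int) -> List[Share]:
    """Split a key into `shares` pieces, any `threshold` of which rebuild it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    # The constant term is the secret; the other coefficients are uniformly
    # random, so any threshold-1 shares are consistent with every possible key.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares: List[Share]) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 to recover the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    # A 256-bit key pads to 32 bytes; a wrong reconstruction may be wider, which
    # the barrier below detects through its fingerprint check.
    length = max(32, (secret.bit_length() + 7) // 8)
    return secret.to_bytes(length, "big")


class SealedBarrier:
    """Toy model of the init/unseal ceremony (assumed design, not OpenBao's)."""

    def __init__(self) -> None:
        self._fingerprint: bytes = b""
        self._threshold = 0
        self._pending: List[Share] = []
        self.barrier_key: bytes = b""  # empty while sealed

    @property
    def sealed(self) -> bool:
        return self.barrier_key == b""

    def init(self, key_shares: int, key_threshold: int) -> List[Share]:
        """Generate the barrier key and hand back shares; the key is not kept."""
        key = secrets.token_bytes(32)
        self._fingerprint = hashlib.sha256(key).digest()
        self._threshold = key_threshold
        return split_key(key, key_shares, key_threshold)

    def unseal(self, share: Share) -> Dict[str, object]:
        """Accept one share, like a single `bao operator unseal` call."""
        if not self.sealed:
            return self._status()
        if all(x != share[0] for x, _ in self._pending):  # ignore a repeated share
            self._pending.append(share)
        if len(self._pending) < self._threshold:
            return self._status()
        candidate = combine_shares(self._pending)
        self._pending = []  # a failed attempt resets progress, as the real server does
        if hashlib.sha256(candidate).digest() == self._fingerprint:
            self.barrier_key = candidate
        return self._status()

    def _status(self) -> Dict[str, object]:
        return {"sealed": self.sealed, "progress": len(self._pending), "t": self._threshold}


if __name__ == "__main__":
    barrier = SealedBarrier()
    shares = barrier.init(key_shares=5, key_threshold=3)
    for s in shares[:3]:
        print(barrier.unseal(s))
```

The operational point the model makes visible: the shares handed out at init are the only copies of the barrier key, so they should be distributed to separate people and never stored together with the sealed storage backend; auto-unseal (below) replaces the operator ceremony with a KMS-held key and is usually the better choice for unattended restarts.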

Self-Hosting & Configuration

  • Install via package managers, Docker, or download a static binary from the releases page
  • Production mode requires a storage backend (Raft for single-cluster, Consul for multi-DC)
  • Configure the server via an HCL config file specifying listeners, storage, and TLS settings
  • Initialize the server with bao operator init and unseal with key shares or auto-unseal
  • Use the bao CLI or HTTP API to manage secrets, policies, and auth methods
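The steps above come together in the HCL server config they refer to. The following is an added example written for this page, not a file from the OpenBao project; the certificate and data paths, hostnames and KMS key id are placeholders. The stanza names (`listener "tcp"`, `storage "raft"`, `seal "awskms"`, `api_addr`, `cluster_addr`) are the Vault-compatible ones OpenBao accepts.

```hcl
ui = true

# TLS listener. Quick-start snippets often set tls_disable = "true"; in
# production that sends tokens and secrets over the network in cleartext,
# so serve a real certificate instead.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/openbao/tls/server.crt"   # placeholder path
  tls_key_file    = "/etc/openbao/tls/server.key"   # placeholder path
  tls_min_version = "tls12"
}

# Integrated Raft storage for a single cluster (the "Raft for single-cluster"
# option above). node_id must be unique per cluster member.
storage "raft" {
  path    = "/var/lib/openbao/data"   # placeholder path
  node_id = "node-1"
}

# Addresses clients and peer nodes use to reach this node.
api_addr     = "https://bao-1.example.internal:8200"
cluster_addr = "https://bao-1.example.internal:8201"

# Optional: auto-unseal with a cloud KMS instead of handing Shamir shares to
# operators. Uncomment and fill in for an unattended restart setup.
# seal "awskms" {
#   region     = "us-east-1"
#   kms_key_id = "<your-kms-key-id>"
# }
```

With this file in place the sequence is `bao server -config=/etc/openbao/config.hcl`, then a one-time `bao operator init -key-shares=5 -key-threshold=3` (flag names mirror Vault's), then `bao operator unseal` repeated with three of the shares on every restart, unless the `seal` stanza is enabled, in which case the server unseals itself at startup. Set `BAO_ADDR` to the `api_addr` value and `BAO_TOKEN` to a token with the right policy before using the CLI.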

Key Features

  • API-compatible with HashiCorp Vault for straightforward migration
  • Dynamic secrets for PostgreSQL, MySQL, AWS, Azure, and other backends
  • Transit engine for application-layer encryption without storing keys in app code
  • Leasing and automatic revocation of short-lived credentials
  • High availability with Raft-based integrated storage

Comparison with Similar Tools

  • HashiCorp Vault — The upstream project now under BSL; OpenBao offers the same features under MPL-2.0
  • Infisical — Developer-focused secrets platform; OpenBao provides broader enterprise features like dynamic credentials
  • SOPS — File-level secret encryption; OpenBao is a centralized server for runtime secret access
  • AWS Secrets Manager — Cloud-native managed service; OpenBao is self-hosted and cloud-agnostic

FAQ

Q: Is OpenBao compatible with Vault? A: Yes. OpenBao maintains API compatibility with Vault, so existing clients, Terraform providers, and integrations work with minimal changes.

Q: Why was OpenBao created? A: HashiCorp changed Vault's license from MPL-2.0 to BSL in 2023. OpenBao was forked under the Linux Foundation to keep a truly open-source alternative available.

Q: Can I migrate from Vault to OpenBao? A: In most cases, migrating involves swapping the binary and updating references from vault to bao. Storage backends and configurations are compatible.

Q: Does OpenBao support auto-unseal? A: Yes. It supports auto-unseal via AWS KMS, Azure Key Vault, GCP Cloud KMS, and Transit-based unsealing.
