OpenBao

In its own words, OpenBao is "an identity-based secrets and encryption management system."

OpenBao stores secrets securely, provides identity-based access to the secrets, renews and rotates them, allows generating dynamic secrets, and provides detailed access and audit logs. OpenBao emerged as a fork of HashiCorp Vault.

Use case: auto-unseal your vault

OpenBao stores secrets in encrypted form. When OpenBao starts, the vault needs to be "unsealed" before it can be used. Unsealing decrypts the keys that encrypt the secrets.

Traditionally, HashiCorp Vault, and now its fork OpenBao, have used Shamir's secret sharing to protect the key that unlocks the vault. However, this has the disadvantage that multiple human operators need to come together to manually unseal the vault. This can cause availability issues when the vault restarts at unplanned times.

To address this, OpenBao has introduced auto-unsealing. In this setup, the key needed to unseal the vault is stored in an HSM or a KMS. Thus, you can now use your Securosys Primus HSM or CloudHSM to automatically unseal your OpenBao vault when it starts.

Benefits

  • Use auto-unsealing to automatically unseal your vault when OpenBao starts. No need for manual unsealing by a human operator.
  • Protect the keys needed to unseal the vault with the strong physical protections of an HSM.

Getting started

For details on how to install and configure the integration of your Securosys HSM with OpenBao, see the OpenBao documentation.
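To make the auto-unseal setup concrete, here is an added example of an OpenBao server configuration with a PKCS#11 seal stanza pointing at an HSM; it is illustrative and not taken from this page or from the Securosys or OpenBao documentation. The stanza field names (`lib`, `slot`, `key_label`, `hmac_key_label`, `mechanism`, `generate_key`), the `BAO_HSM_PIN` environment variable and the library path are assumptions to be checked against the OpenBao seal documentation for your version.

```hcl
# bao.hcl: OpenBao server configuration with HSM auto-unseal (added example).
# Field names and paths below are assumptions; confirm them in the OpenBao docs.

storage "file" {
  path = "/var/lib/openbao/data"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/etc/openbao/tls/server.crt"
  tls_key_file  = "/etc/openbao/tls/server.key"
}

# Auto-unseal: the key that protects the vault's root key lives in the HSM and
# never leaves it; OpenBao asks the HSM to unwrap it on every start, so no
# operator has to enter Shamir shares.
seal "pkcs11" {
  # PKCS#11 provider library shipped with the HSM (placeholder path).
  lib  = "/opt/securosys/lib/libprimusP11.so"
  slot = "0"

  # Deliberately no "pin" here: supply it through the BAO_HSM_PIN environment
  # variable (assumed name) so the credential is not stored in this file.

  # Pre-provisioned AES key (and HMAC key) labels inside the HSM.
  key_label      = "openbao-unseal-key"
  hmac_key_label = "openbao-unseal-hmac"

  # CKM_AES_GCM from the PKCS#11 mechanism table.
  mechanism = "0x1087"

  # Keys are created and access-controlled in the HSM ahead of time;
  # do not let the server generate them on first start.
  generate_key = "false"
}
```

After `bao operator init` against this configuration, the output contains recovery keys rather than unseal keys, and a restart should leave `bao status` reporting the vault as unsealed without any operator input; an unexpected "sealed" state after restart is the signal that the HSM path, slot, PIN or key labels are wrong.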
