OpenBao is the open-source, production-grade secrets management backend at the heart of Kubermatic SecureGuard. It was forked from HashiCorp Vault to provide a completely open, community-driven cryptographic engine.
In plain English: OpenBao is a high-security vault for your secrets — like a bank vault, but for passwords, API keys, and certificates. Instead of scattering credentials across config files and .env files, you store them in one encrypted, audited place and hand out access carefully. Apps don’t open the vault themselves; ESO fetches what they need on their behalf (see ESO Basics).
Unfamiliar with a term below (KV engine, auth method, unsealing)? The Glossary defines each in one line.
OpenBao is optional — it’s an opinionated default, not a requirement. SecureGuard bundles OpenBao so teams without an existing vault get a complete stack out of the box. If you already run a secrets backend, you don’t need OpenBao at all: SecureGuard manages ESO, and ESO works with many providers — AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault, and others. Just point your SecretStore/ClusterSecretStore resources at your provider and disable the bundled OpenBao (--set openbao.enabled=false). The rest of this page applies only if you choose to use OpenBao as your backend.
OpenBao provides a centralized, highly secure vault for managing sensitive data tightly. It effectively removes secrets from application source code, configuration files, and basic Kubernetes secrets until they are explicitly needed.
To effectively operate OpenBao within SecureGuard, you must understand three core concepts:
Secret Engines are the components inside OpenBao where data is either stored, generated, or encrypted.
secret/data/database/postgres/password).Auth methods represent how users or machines prove their identity to OpenBao.
kubernetes auth method — dashboard users do not authenticate to OpenBao directly.Every request to OpenBao, whether it is a read from ESO or a write from a developer, is securely logged. These Audit Devices output JSON-formatted logs directly to stdout, syslog, or a file, which can then be ingested by tools like Elasticsearch or Splunk for compliance and anomaly detection.
Within the SecureGuard ecosystem, OpenBao acts purely as the Central Vault. It handles:
By default, an OpenBao server starts in a Sealed state. It knows where to find the encrypted data, but it does not know how to decrypt it because it lacks the master key.
When clustered for High Availability (HA) using Integrated Raft Storage, only one OpenBao node is the “Active” node processing writes, while the others serve as “Standbys”. If the active node fails, another node instantly takes over, guaranteeing virtually zero downtime for your secret synchronization.