OpenBao Production Architecture Guide

Overview

OpenBao is an open-source fork of HashiCorp Vault, maintained by the Linux Foundation. It was created in December 2023, after HashiCorp relicensed Vault (and other products) from the MPL to the Business Source License (BSL) in August 2023. OpenBao continues under the MPL 2.0 license.

It provides the same core capabilities: secrets management, encryption as a service, identity-based access, and dynamic credentials. For customers who want Vault's capabilities without BSL licensing concerns, OpenBao is the answer.

Positioning

OpenBao is what you recommend when a customer needs Vault but (a) can't accept BSL licensing, (b) doesn't want vendor lock-in to HashiCorp/IBM, or (c) wants to avoid per-cluster Enterprise licensing costs. The trade-off is that you lose some Enterprise-only features and formal vendor support.

Architecture

OpenBao's architecture is essentially the same as Vault's (it's a fork). Understanding it means understanding the seal/unseal model and how secrets flow.

Component	Role	Notes
Bao Server	Core process	Handles API requests, manages secrets engines, performs encryption
Storage Backend	Persistent storage	Encrypted data at rest. Raft (integrated), PostgreSQL, file, or in-memory.
Seal/Unseal	Master key management	Shamir's secret sharing or auto-unseal via cloud KMS
Auth Methods	Identity verification	LDAP, OIDC, AppRole, Kubernetes, TLS certs, etc.
Secrets Engines	Secret generation/storage	KV, PKI, database, AWS, Azure, SSH, Transit, etc.
Audit Devices	Audit logging	File, syslog, socket. Every request/response logged.

Seal / Unseal Model

This is the most important concept to explain to customers. It's what makes Bao/Vault unique compared to other secret stores.

How the seal works

All data in the storage backend is encrypted with an encryption key
The encryption key is itself encrypted by the master key
The master key is split into key shares (Shamir's Secret Sharing) distributed to key holders
On startup, Bao is sealed — it cannot read its own data
Key holders provide their shares to unseal Bao (threshold, e.g., 3 of 5)
Once unsealed, the master key is held in memory only — never written to disk

Shamir's Secret Sharing

Default initialization creates 5 key shares with a threshold of 3. This means:

5 different people each receive one key share
Any 3 of the 5 must provide their shares to unseal
No single person (or 2 people) can unseal alone
You can lose up to 2 key shares and still unseal

# Initialize with custom key shares
bao operator init -key-shares=5 -key-threshold=3

# Unseal (run 3 times with different keys)
bao operator unseal    # enter key share 1
bao operator unseal    # enter key share 2
bao operator unseal    # enter key share 3
# => Sealed: false

Auto-unseal

Production Recommendation

Auto-unseal is almost always what you want in production. Manual unseal with Shamir keys means someone has to be available to unseal after every restart, crash, or upgrade. Configure auto-unseal via a cloud KMS.

Auto-unseal is configured in bao.hcl. Supported providers: AWS KMS, Azure Key Vault, GCP Cloud KMS, OCI KMS, AliCloud KMS, PKCS#11 HSM, Transit, and KMIP:

# AWS KMS auto-unseal
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/bao-unseal"
}

# Azure Key Vault auto-unseal
seal "azurekeyvault" {
  tenant_id  = "00000000-0000-0000-0000-000000000000"
  vault_name = "bao-unseal-vault"
  key_name   = "bao-unseal-key"
}

# Transit auto-unseal (another Bao/Vault instance)
seal "transit" {
  address         = "https://other-bao.example.com:8200"
  token           = "hvs.XXXXXXXXX"
  key_name        = "autounseal"
  mount_path      = "transit/"
}

# PKCS#11 HSM auto-unseal (added in OpenBao 2.2.0)
seal "pkcs11" {
  lib         = "/usr/lib/softhsm/libsofthsm2.so"
  slot        = "0"
  pin         = "1234"
  key_label   = "bao-unseal-key"
  mechanism   = "0x1087"  # CKM_AES_GCM
}

With auto-unseal, Shamir key shares become recovery keys instead. They're used for operations like generating a new root token, but not for unsealing. The KMS key handles unseal automatically on startup.

Critical

If you lose access to the KMS key (deleted, permissions revoked, account locked), Bao cannot unseal. The KMS key is as critical as the unseal keys. Ensure it has deletion protection enabled and that multiple people have access to the cloud account.

Deployment Models

Simple: Single Server

One Bao server with integrated Raft storage. Simple to deploy and operate.

Pros: Minimal infrastructure, fast to deploy
Cons: Single point of failure, no redundancy
Best for: Dev, small teams, non-critical secrets

Recommended: Raft Cluster

3 or 5 Bao nodes using integrated Raft storage for consensus.

Pros: HA, no external dependencies, built-in replication
Cons: Needs low-latency network between nodes
Best for: Most production deployments

External: PostgreSQL-backed

Bao servers using PostgreSQL as the storage backend with HA support.

Pros: Leverages existing DB infrastructure, familiar ops tooling
Cons: External dependency, requires PostgreSQL 9.5+
Best for: Orgs with strong PostgreSQL expertise and existing clusters

Cloud-Native: Kubernetes

Deploy via Helm chart or operator on K8s. Bao runs as a StatefulSet.

Pros: Fits K8s-native workflows, easy scaling
Cons: PV management, K8s adds failure modes
Best for: Teams with mature K8s platforms

Recommendation

Default to Raft for most deployments. It has been production-stable for years and eliminates external dependencies. Consider PostgreSQL if the customer has strong existing PostgreSQL infrastructure and wants to use familiar backup/monitoring tooling.

Minimal production config

# /etc/bao.d/bao.hcl
storage "raft" {
  path    = "/opt/bao/data"
  node_id = "bao-1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_cert_file = "/opt/bao/tls/cert.pem"
  tls_key_file  = "/opt/bao/tls/key.pem"
}

api_addr     = "https://bao-1.example.com:8200"
cluster_addr = "https://bao-1.example.com:8201"

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/bao-unseal"
}

ui = true
# Note: disable_mlock was removed in OpenBao 2.0.
# Setting it to false will cause an error. Omit it entirely.

High Availability

How HA works

In an OpenBao cluster:

One node is the active leader and handles all writes (and, unless standby reads are enabled, all reads)
Other nodes are standbys — they forward requests to the leader
If the leader fails, Raft elects a new leader (typically within seconds)
With standby read support (available since OpenBao 2.5.0), standby nodes can serve read requests locally without forwarding to the leader. Disable with disable_standby_reads=true if needed.

Cluster sizing

Nodes	Fault Tolerance	Use Case
3	1 node failure	Standard production
5	2 node failures	High-criticality, multi-AZ

Odd Numbers Only

Never run 2 or 4 nodes. Raft requires a majority quorum. With 2 nodes, losing 1 loses quorum. With 4 nodes, you still only tolerate 1 failure (same as 3), but pay for an extra node. Always 3 or 5.
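
The quorum arithmetic behind this rule can be checked with a few lines of Python. This is a minimal sketch; the function names quorum and fault_tolerance are illustrative and not part of OpenBao.

```python
def quorum(nodes: int) -> int:
    """Smallest majority of a cluster with `nodes` voting members."""
    if nodes < 1:
        raise ValueError("a cluster needs at least one node")
    return nodes // 2 + 1


def fault_tolerance(nodes: int) -> int:
    """How many voters can fail while a majority is still reachable."""
    return nodes - quorum(nodes)


if __name__ == "__main__":
    for n in range(1, 6):
        print(f"{n} nodes: quorum={quorum(n)}, tolerates={fault_tolerance(n)}")
```

Going from 3 to 4 nodes raises the quorum from 2 to 3 but leaves the tolerance at 1, which is why the fourth node buys nothing.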

Network requirements

Cluster nodes need low-latency connectivity (< 10ms RTT)
Raft uses TCP port 8201 for cluster communication
API listens on TCP port 8200
Cross-region clusters are not recommended — Raft performance degrades with latency
For multi-region, run a separate cluster per region. Cross-cluster replication is a Vault Enterprise feature and is not yet available in OpenBao.

Joining a new node to the cluster

# On the new node, after starting bao:
bao operator raft join https://bao-1.example.com:8200

# Verify cluster membership
bao operator raft list-peers

# Expected output:
# Node     Address                  State       Voter
# ----     -------                  -----       -----
# bao-1    bao-1.example.com:8201   leader      true
# bao-2    bao-2.example.com:8201   follower    true
# bao-3    bao-3.example.com:8201   follower    true

Storage

Integrated Raft storage

Data stored in /opt/bao/data (or wherever you configure it)
All data is encrypted at rest — the raw Raft data is useless without the unseal keys
Use SSDs. Raft is write-heavy (every state-changing operation is a replicated log entry)
Typical storage: 1-10 GB for most deployments. PKI with millions of certs can grow larger.
Raft snapshots happen automatically; you should also take explicit snapshots for backup

PostgreSQL storage

OpenBao also supports PostgreSQL as an external storage backend (the only supported external database). It provides HA support and is production-ready:

storage "postgresql" {
  connection_url = "postgres://bao:password@pg.example.com:5432/bao?sslmode=verify-full"
  ha_enabled     = true
  table          = "bao_kv_store"
  ha_table       = "bao_ha_locks"
}

Requires PostgreSQL 9.5+; SSL connection attempted by default
Supports paginated lists and transactional storage
Good option if the customer already has mature PostgreSQL operations (backup, monitoring, HA via Patroni/repmgr)
Unlike Raft, data is not replicated by Bao — rely on PostgreSQL replication for redundancy

Other backends

File — stores data on local filesystem. No HA support. Suitable for development/testing only.
In-memory — all data lost on restart. Development and experimentation only.

Storage considerations

With Raft, storage is replicated across all cluster nodes automatically
Monitor disk I/O latency — slow disks cause Raft leader elections and instability
Autopilot (built-in) handles dead server cleanup and stable server promotion

No Consul

Unlike HashiCorp Vault, OpenBao does not support Consul as a storage backend. If migrating from a Consul-backed Vault deployment, plan to move to Raft or PostgreSQL storage.

Sizing

Bao is lightweight. A production cluster node typically needs 2-4 vCPU, 4-8 GB RAM, 20-50 GB SSD. The main resource bottleneck is I/O latency, not capacity. Over-provisioning on fast storage is cheap insurance.

Secrets Engines

Secrets engines are the core of what Bao does. Each engine is mounted at a path and handles a specific type of secret.

Most Common: KV (Key-Value)

Static secret storage. V2 provides versioning, soft-delete, and metadata. The simplest engine and usually where customers start.

bao kv put secret/myapp \
  db_password=hunter2 \
  api_key=sk_live_xxx

Dynamic: Database

Generates short-lived database credentials on demand. Supports PostgreSQL, MySQL, MongoDB, MSSQL, Oracle. Credentials auto-expire — no more shared, long-lived DB passwords.

bao read database/creds/readonly
# => username: v-app-readonly-xxxx
# => password: A1B2C3D4-random
# => ttl: 1h

Encryption: Transit

Encryption as a service. Applications send plaintext, get ciphertext back. The encryption key never leaves Bao. Supports AES-GCM, ChaCha20-Poly1305, RSA, ECDSA, Ed25519, and HMAC. Key versioning and rotation built in.
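
On the HTTP API, Transit expects plaintext to be base64-encoded in the request body and returns decrypted plaintext base64-encoded as well. The sketch below only builds and parses those JSON bodies; it assumes the Vault-compatible endpoints POST /v1/transit/encrypt/<key-name> and POST /v1/transit/decrypt/<key-name>, and the helper names are hypothetical.

```python
import base64
import json


def encrypt_request_body(plaintext: bytes) -> str:
    """JSON body for a transit encrypt call: plaintext must be base64."""
    encoded = base64.b64encode(plaintext).decode("ascii")
    return json.dumps({"plaintext": encoded})


def plaintext_from_decrypt_response(response_json: str) -> bytes:
    """Decode data.plaintext from a transit decrypt response."""
    encoded = json.loads(response_json)["data"]["plaintext"]
    return base64.b64decode(encoded)
```

Forgetting the base64 step is the most common first-day mistake with Transit, so it is worth wrapping in a helper like this.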

Infrastructure: PKI

Full certificate authority. Issues X.509 certs with configurable TTLs. Intermediate CA model recommended. Can replace expensive commercial CA for internal services.

Cloud: AWS / Azure / GCP

Generates dynamic cloud credentials (IAM users, STS tokens, service principals). Short-lived, automatically revoked. Eliminates static cloud keys in config files.

Access: SSH

Signed SSH certificates or one-time passwords (OTP). Eliminates authorized_keys management. Signed certs are the recommended approach: hosts trust the CA once, and no per-user server-side configuration is needed.

Consultant Tip

Start with KV to get secrets out of config files and environment variables. Then move to dynamic database credentials — this is where the real security value is. PKI and Transit come later when the team is comfortable with the workflow.

Auth Methods

Auth methods verify identity and map it to policies. Every request to Bao must be authenticated.

Method	Use Case	Notes
AppRole	Machine-to-machine	Role ID + Secret ID. Most common for applications. Secret ID can be rotated.
Kubernetes	K8s workloads	Pod service account tokens. Seamless for K8s-native apps. Use with the Bao Agent sidecar or CSI provider.
LDAP	Human users via AD	Bind to existing directory. Map LDAP groups to Bao policies.
OIDC	Human users via SSO	Keycloak, Azure AD, Okta, etc. Browser-based redirect flow.
TLS Certificates	Mutual TLS auth	Client presents a certificate. Good for services with existing PKI.
Token	Direct token auth	Always enabled. Root token used for initial setup only — revoke after configuring other auth methods.
Userpass	Simple username/password	Dev/test only. Never use in production without MFA.

Root Token

The root token generated during initialization has unlimited privileges. Use it only for initial setup (enabling auth methods, configuring policies), then revoke it. Generate a new root token via bao operator generate-root only when needed for emergency operations.

Policy basics

Policies define what a token can access. They follow the principle of least privilege:

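# policy: app-readonly.hcl
# KV v2: reads go through data/, listings go through metadata/
path "secret/data/myapp/*" {
  capabilities = ["read"]
}

path "secret/metadata/myapp/*" {
  capabilities = ["list"]
}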

path "database/creds/myapp-readonly" {
  capabilities = ["read"]
}

# Apply policy
bao policy write app-readonly app-readonly.hcl
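
Two details of path handling trip people up: the KV v2 CLI inserts data/ into the API path, and a trailing * in a policy is a prefix match. The sketch below is a simplified model under those two assumptions. It ignores the + segment wildcard and the rules for choosing between overlapping policies, and both function names are hypothetical.

```python
def kv2_data_path(mount: str, key: str) -> str:
    """API path that `bao kv put <mount>/<key>` writes to on a KV v2 mount."""
    return f"{mount.strip('/')}/data/{key.strip('/')}"


def policy_path_matches(pattern: str, request_path: str) -> bool:
    """Simplified matcher: a trailing '*' means 'starts with', else exact."""
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return request_path == pattern


if __name__ == "__main__":
    path = kv2_data_path("secret", "myapp/db")
    print(path, policy_path_matches("secret/data/myapp/*", path))
```

Note that secret/data/myapp/* covers keys under myapp/ but not a secret stored at secret/myapp itself, because the pattern's prefix ends in a slash.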

Backups

Raft snapshots

The primary backup mechanism. A Raft snapshot captures the entire state of the cluster:

# Manual snapshot
bao operator raft snapshot save \
  /backup/bao-$(date +%Y%m%d-%H%M).snap

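# Automated via cron (every 6 hours). A crontab entry must stay on one line,
# and BAO_ADDR and BAO_TOKEN must be set in the cron environment.
0 */6 * * * /usr/local/bin/bao operator raft snapshot save /backup/bao-$(date +\%Y\%m\%d-\%H\%M).snap 2>&1 | logger -t bao-backup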

What to back up

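Primary: Raft Snapshots

Contains all secrets, policies, auth configs, and mounted engines: the entire state. The snapshot stays encrypted, so it is useless without the unseal keys (or, with auto-unseal, the KMS key).

Critical: Unseal / Recovery Keys

Without the unseal keys (or the auto-unseal KMS key), snapshots cannot be decrypted. Recovery keys are needed for break-glass operations such as generating a new root token. Store all of them in a physically separate, secure location. Some customers use safe deposit boxes or hardware security modules.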

Also Backup: Configuration

Config file (/etc/bao.d/bao.hcl) — not in snapshots
TLS certificates for API and cluster
Auto-unseal KMS key access
Systemd unit file customizations

Strategy: Retention

Snapshots every 6 hours minimum
Ship off-box (S3, separate server)
Retain 7 days minimum
Test restore quarterly
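
The 7-day retention rule can be automated alongside the snapshot job. The following is a minimal sketch that only decides which files are stale; it assumes the bao-YYYYMMDD-HHMM.snap naming used in the cron example, and snapshots_to_prune is a hypothetical helper, not an OpenBao command.

```python
from datetime import datetime, timedelta


def snapshots_to_prune(filenames, now, keep_days=7):
    """Return snapshot filenames older than `keep_days`, oldest first."""
    cutoff = now - timedelta(days=keep_days)
    stale = []
    for name in filenames:
        try:
            taken = datetime.strptime(name, "bao-%Y%m%d-%H%M.snap")
        except ValueError:
            continue  # not one of our snapshots: never touch unknown files
        if taken < cutoff:
            stale.append(name)
    return sorted(stale)
```

Keeping the decision separate from the deletion makes it easy to dry-run the policy before letting it remove anything.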

Keys to the Kingdom

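The unseal keys (or auto-unseal KMS access) are the most critical thing to protect. If you lose the mechanism your deployment unseals with, whether that is a threshold of Shamir key shares or access to the auto-unseal KMS key, all data is permanently irrecoverable. Recovery keys cannot unseal, so they do not help here. There is no recovery path: the encryption is real.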

Restore procedure

# Restore replaces ALL data in the cluster
bao operator raft snapshot restore backup.snap

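# For a fresh cluster restore:
# 1. Start a single Bao node
# 2. Initialize and unseal it
# 3. Restore snapshot (-force skips the check that the keys match the snapshot)
bao operator raft snapshot restore -force backup.snap
# 4. Unseal with the ORIGINAL cluster's unseal keys (or KMS key)
# 5. Join other nodes to the cluster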

Snapshot restore replaces ALL data — any secrets written after the snapshot are lost. This is an all-or-nothing operation.

Upgrades & Rollbacks

OpenBao upgrades follow the same pattern as Vault. The process is straightforward but must be done carefully.

Upgrade process (Raft cluster)

Read the changelog — check for breaking changes, deprecations, and required migration steps
Take a Raft snapshot: bao operator raft snapshot save backup.snap
Upgrade standby nodes first — one at a time, verify each joins the cluster
Upgrade the leader last — this triggers a leader election
Verify: check seal status, cluster members, run a read/write test

# Take snapshot before starting
bao operator raft snapshot save pre-upgrade-$(date +%Y%m%d).snap

# On each standby node (one at a time):
sudo systemctl stop bao
sudo dpkg -i bao_x.y.z_amd64.deb    # or rpm, or replace binary
sudo systemctl start bao
bao status                            # verify unsealed and raft peer

# After all standbys are upgraded, step down the leader:
bao operator step-down
# The upgraded standbys will elect a new leader

# Upgrade the old leader (now a standby):
sudo systemctl stop bao
sudo dpkg -i bao_x.y.z_amd64.deb
sudo systemctl start bao
bao operator raft list-peers          # verify all nodes healthy

Version Skipping

Large version jumps are supported (e.g., 2.0.0 → 2.5.0), but you must review the upgrade notes for all intervening versions. They may describe additional steps or configuration changes required before, during, or after the upgrade.

Rollbacks

Rollbacks are possible and better-supported than in GitLab or Keycloak:

Patch Versions: Binary Swap

If no data schema changes occurred: stop Bao, replace binary with old version, start. This usually works for patch versions. Fast and simple.

Major/Minor: Snapshot Restore

If schema changes occurred: restore from the Raft snapshot taken before the upgrade. Replaces ALL data — anything written after the snapshot is lost.

Always Take a Snapshot

Unlike GitLab, Bao rollbacks via snapshot are well-supported and fast. But only if you actually took the snapshot. Make it the first step of every upgrade.

Monitoring

OpenBao exposes metrics via a Prometheus endpoint at /v1/sys/metrics?format=prometheus (requires a token with appropriate permissions). Note: metric names default to the vault.* prefix (inherited from the Vault codebase). This can be changed via the metrics_prefix setting in the telemetry stanza.

Key metrics & alerting

Metric	Alert Threshold	Why
vault.core.unsealed	= 0	Node is sealed; can't serve requests
vault.raft.leader.lastContact	> 500ms	Cluster communication issues; risk of leader election
vault.raft.commitTime	> 25ms (p99)	Storage is slow; operations will queue
vault.expire.num_leases	> 100,000	Lease explosion; often a misconfigured app requesting new creds every request
vault.runtime.alloc_bytes	Trending up	Memory leak or excessive lease count
vault.audit.log_response	Errors > 0	Audit device failing; if every audit device fails, Bao stops serving ALL requests
vault.core.leadership_setup	Frequent changes	Leadership instability; investigate network or disk issues
vault.token.count	> 50,000	Token sprawl; apps may not be revoking tokens properly
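
The numeric thresholds in this table translate directly into a check that can run against scraped samples. This is a rough sketch assuming the samples arrive as a plain dict keyed by metric name; the THRESHOLDS table and the breached function are hypothetical, and the trend-based rows are left to the alerting system.

```python
# Upper limits taken from the table above (latencies in milliseconds).
THRESHOLDS = {
    "vault.raft.leader.lastContact": 500.0,
    "vault.raft.commitTime": 25.0,
    "vault.expire.num_leases": 100_000,
    "vault.token.count": 50_000,
}


def breached(samples: dict) -> list:
    """Return the names of metrics that cross their alert threshold."""
    alerts = []
    if samples.get("vault.core.unsealed") == 0:
        alerts.append("vault.core.unsealed")  # node is sealed
    for name, limit in THRESHOLDS.items():
        value = samples.get(name)
        if value is not None and value > limit:
            alerts.append(name)
    return alerts
```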

Critical Behavior

If all audit devices fail, Bao will stop processing all requests. This is a security feature — it prevents unaudited access. Configure multiple audit devices for redundancy (e.g., file + syslog). Make sure audit log destinations are reliable.

Enabling metrics

# In bao.hcl
telemetry {
  prometheus_retention_time = "30s"
  disable_hostname = true
}

# Scrape with Prometheus (scheme must be https because the listener uses TLS):
# - job_name: 'bao'
#   scheme: https
#   metrics_path: '/v1/sys/metrics'
#   params:
#     format: ['prometheus']
#   bearer_token: 'hvs.METRICS_TOKEN'
#   static_configs:
#     - targets: ['bao-1:8200', 'bao-2:8200', 'bao-3:8200']

Health checks

/v1/sys/health — returns 200 if initialized, unsealed, and active. Returns 429 for standby, 501 for not initialized, 503 for sealed. Status codes are customizable via query parameters (standbycode, activecode, etc.).
Use ?standbyok=true for load balancer health checks that should include standby nodes
/v1/sys/seal-status — detailed seal status without authentication
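
The default status codes above map cleanly onto a load balancer decision. The sketch below models that mapping for a probe that calls /v1/sys/health without query parameters; describe_health and in_rotation are hypothetical names.

```python
# Default /v1/sys/health status codes as listed above.
HEALTH_STATES = {
    200: "active",
    429: "standby",
    501: "not initialized",
    503: "sealed",
}


def describe_health(status_code: int) -> str:
    """Human-readable node state for a health-check status code."""
    return HEALTH_STATES.get(status_code, f"unexpected status {status_code}")


def in_rotation(status_code: int, include_standbys: bool = False) -> bool:
    """Should a load balancer route traffic to a node with this status?"""
    if status_code == 200:
        return True
    return include_standbys and status_code == 429
```

Passing ?standbyok=true achieves the same effect as include_standbys on the server side, because standbys then answer 200.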

Security Hardening

Bao holds your most sensitive data. Default configuration is not production-ready.

TLS: Encrypt Everything

API listener: TLS required (never disable in production). Cluster traffic: encrypted by default with Raft. Client→Bao: TLS 1.2+ only. Use certificates from a trusted CA, not self-signed.

Audit: Enable Immediately

Enable audit devices before anything else. Every request and response is logged with HMAC'd sensitive values. Configure at least two audit backends for redundancy.

bao audit enable file \
  file_path=/var/log/bao/audit.log
bao audit enable syslog

Root Token: Revoke After Setup

Use root token only for initial configuration. Then revoke it. Generate a new one via bao operator generate-root when needed for emergency operations. Never store the root token in a file.

Policies: Least Privilege

Default deny. Grant only the specific paths and capabilities needed. Use path templating ({{identity.entity.id}}) for per-entity access. Review policies quarterly.

Operational hardening

mlock: Removed in OpenBao 2.0. The disable_mlock setting is no longer functional — setting it to false will cause a startup error. OpenBao relies on OS-level memory protections instead. Use encrypted swap or disable swap entirely on Bao nodes.
Firewall: Only expose port 8200 to clients. Port 8201 (cluster) should only be accessible between Bao nodes.
Lease TTLs: Set aggressive default and max TTLs. Short-lived credentials limit blast radius. Default TTL of 1h, max of 24h is a good starting point.
Token TTLs: Same principle. Use periodic tokens for long-running services that can renew, not long-lived tokens.
UI: Disable in production if not needed (ui = false). If enabled, restrict to internal networks via the load balancer.
Response wrapping: Use -wrap-ttl for secret zero delivery. The wrapped token can only be unwrapped once.

Licensing & Support

Aspect	OpenBao	HashiCorp Vault
License	MPL 2.0 (truly open source)	BSL 1.1 (source-available, restrictions)
Cost	Free	Free (Community) / $$$$ (Enterprise, per-cluster)
Vendor Support	Community only (GitHub, mailing lists)	Paid support from HashiCorp/IBM
Enterprise Features	Namespaces (GA since 2.3.1), standby reads (2.5.0), PKCS#11 HSM (2.2.0)	Namespaces, Sentinel, replication, HSM
Governance	Linux Foundation, community-driven	HashiCorp/IBM

What OpenBao is missing (vs. Vault Enterprise)

Shipped: Recently Delivered

Namespaces — multi-tenancy isolation (GA since v2.3.1, June 2025)
Standby Read Support — standby nodes serve read requests locally (v2.5.0)
PKCS#11 HSM Auto-unseal — hardware security module support via PKCS#11 (v2.2.0)

Not Yet: Still Missing

Performance Replication — cross-region read replicas
Disaster Recovery Replication — cross-region DR
Sentinel Policies — fine-grained policy-as-code
Control Groups — multi-party approval for secret access

Sales Positioning

For most customers, the remaining missing Enterprise features don't matter. KV secrets, PKI, database dynamic credentials, Kubernetes auth, Transit encryption, namespaces, and HSM unsealing — all work in OpenBao. The main gap is cross-region replication (performance and DR), which only matters for global deployments.

Migration from Vault

If the customer is migrating from HashiCorp Vault:

API is compatible — clients using the Vault HTTP API work with OpenBao (change the address)
CLI is bao instead of vault but accepts the same commands
Configuration files use the same HCL syntax
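Data migration: take a Vault Raft snapshot and restore it into OpenBao. Version compatibility matters: OpenBao forked from the Vault 1.14 line, so test snapshots from newer Vault releases on a scratch cluster before committing to a migration.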
Plugins/auth methods: most community plugins work. Enterprise-only features won't.

Consultant's Checklist

Before proposing an OpenBao deployment, get answers to these:

What secrets need managing? — Static KV? Dynamic DB creds? PKI? Encryption?
How many applications/services will authenticate? — Determines auth method strategy
What's the deployment platform? — VMs, Kubernetes, cloud? Determines auth methods and deployment model
RTO/RPO requirements? — Determines cluster size and backup frequency
Multi-region requirements? — If yes, OpenBao may not be sufficient today. Consider Vault Enterprise or architect around the limitation.
Compliance requirements? — Audit logging, HSM requirements, secret rotation policies
Existing HashiCorp Vault deployment? — Migration path needed?
Who operates it? — Determines automation and runbook depth
Auto-unseal strategy? — Which cloud KMS, or transit unseal from another instance?
Secret zero problem? — How do applications get their initial Bao credentials? (The hardest question in secrets management)

Raft Consensus Protocol

Distributed consensus made understandable — the backbone of OpenBao's integrated storage

What is Raft?

Raft is a distributed consensus protocol designed as a more understandable alternative to Paxos. It was introduced in a 2014 paper by Diego Ongaro and John Ousterhout with the explicit goal of being easier to implement and reason about. Raft guarantees that a cluster of nodes agrees on a sequence of state changes, even when some nodes fail or network partitions occur.

In OpenBao, Raft serves as the recommended integrated storage backend, requiring no external dependencies. Every secret, policy, auth configuration, and audit device configuration is stored as a replicated log entry in the Raft cluster. (Audit log entries themselves go to the audit devices, not to Raft.)

How Raft works

Raft divides consensus into three subproblems: leader election, log replication, and safety. At any point, each node is in one of three states:

Leader — handles all client writes, replicates log entries to followers, sends periodic heartbeats
Follower — passive; responds to RPCs from the leader and candidates
Candidate — transitional state during leader election; a follower becomes a candidate when it hasn't received a heartbeat within the election timeout

Time is divided into terms (monotonically increasing integers). Each term begins with an election. If a candidate wins, it serves as leader for the rest of the term. If the election splits (no majority), a new term begins.

Log replication is the core mechanism: the leader appends client requests to its log, then replicates them to followers. Once a majority (quorum) of nodes have written the entry, it is considered committed and can be applied to the state machine. This is why write latency depends on how quickly a majority of nodes acknowledge the entry.
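
The commit rule can be stated in a few lines. The sketch below is a simplification, not the HashiCorp raft library's code: it computes the highest log index that a majority of nodes have stored, given each node's last replicated index (leader included), and it omits Raft's extra requirement that the entry belong to the leader's current term. The name commit_index is illustrative.

```python
def commit_index(match_index: list) -> int:
    """Highest log index stored on a majority of nodes (leader included)."""
    if not match_index:
        raise ValueError("need at least one node")
    ordered = sorted(match_index, reverse=True)
    majority = len(ordered) // 2 + 1
    # The majority-th highest value is present on at least `majority` nodes.
    return ordered[majority - 1]


if __name__ == "__main__":
    # Leader and one follower are at index 10; a lagging follower is at 4.
    print(commit_index([10, 10, 4]))
```

In the three-node example the entry at index 10 commits even though one follower lags, because the leader and the other follower already form a majority.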

Raft in OpenBao

When you configure storage "raft" in bao.hcl, OpenBao uses an embedded Raft implementation (based on HashiCorp's raft library) for all persistent state. Key operational details:

Cluster sizing: use an odd number of nodes, either 3 (tolerates 1 failure) or 5 (tolerates 2 failures). An even number raises the quorum size without adding fault tolerance, so the extra node only adds cost and one more thing that can fail.
Quorum: a majority of nodes must be healthy. For 3 nodes, quorum = 2. For 5 nodes, quorum = 3. Without quorum, no leader can be elected and no writes can be committed until enough nodes return.
Data path: stored in the directory specified by path in the storage stanza (e.g., /opt/bao/data). All data is encrypted at rest with the encryption key, which is itself protected by the master key.
Cluster port: Raft communication happens on port 8201 (the cluster_addr), separate from the API port 8200.

Peer management

# List all Raft peers and their state
bao operator raft list-peers

# Join a new node to an existing cluster
bao operator raft join https://bao-1.example.com:8200

# Remove a dead node from the cluster
bao operator raft remove-peer bao-3

# Take a snapshot for backup
bao operator raft snapshot save /backup/bao-$(date +%Y%m%d).snap

# Restore from snapshot (replaces ALL data)
bao operator raft snapshot restore -force backup.snap

Performance considerations

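Write latency is set by the slowest node needed to form a majority. In a 3-node cluster that is the leader plus the faster of the two followers, so a single slow follower does not stall commits, but a slow leader (or two slow nodes) slows every write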
Use SSDs. Raft is write-intensive; every API operation that changes state generates a log entry that must be fsync'd to disk
Network latency matters. Cross-AZ is fine (< 2ms typical). Cross-region is not — Raft performance degrades badly above 10ms RTT
Autopilot (built-in) automatically manages dead server cleanup, stable server promotion, and server health tracking

Operational rule of thumb: If vault.raft.commitTime is consistently above 25ms at p99, your storage is the bottleneck. Move to faster SSDs or reduce cross-node latency. Raft leader instability (frequent elections) is almost always caused by slow disks or unreliable networks.

Shamir's Secret Sharing

Cryptographic key splitting for separation of duties — the foundation of OpenBao's seal model

The algorithm

Shamir's Secret Sharing is a cryptographic algorithm invented by Adi Shamir in 1979. It splits a secret (in this case, the master key) into N shares, such that any K shares (the threshold) can reconstruct the original secret, but K-1 or fewer shares reveal absolutely nothing about the secret. This is a mathematically provable property, not just obfuscation.

The algorithm works using polynomial interpolation over a finite field. The secret is the constant term of a random polynomial of degree K-1. Each share is a point on that polynomial. With K points, you can reconstruct the polynomial (and thus the secret) via Lagrange interpolation. With fewer than K points, every possible value of the constant term is consistent with the shares you hold, so the secret could be anything.
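
The construction can be demonstrated in a short Python sketch. Treat this as an illustration of the mathematics only: it works on a single integer over a prime field (2^127 - 1 is chosen here for convenience), which is an assumption of this example and not a description of how OpenBao encodes its key shares. The names split and combine are hypothetical.

```python
import secrets

PRIME = 2**127 - 1  # a Mersenne prime; all arithmetic is done modulo this


def split(secret: int, shares: int, threshold: int) -> list:
    """Return `shares` points on a random polynomial of degree threshold-1."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # The constant term is the secret; the other coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def combine(points: list) -> int:
    """Lagrange-interpolate the polynomial at x = 0 to recover the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret
```

Any 3 of the 5 points returned by split(secret, 5, 3) give the secret back through combine. Two points also interpolate to some value, but it is unrelated to the secret.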

How OpenBao uses Shamir

During bao operator init, OpenBao:

Generates a random master key
Uses the master key to encrypt the encryption key (which encrypts all data at rest)
Splits the master key into N shares using Shamir's algorithm
Outputs the shares — each share goes to a different key holder
Discards the master key from memory

# Initialize with 5 shares, threshold of 3
bao operator init -key-shares=5 -key-threshold=3

# Output:
# Unseal Key 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Unseal Key 2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Unseal Key 3: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Unseal Key 4: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Unseal Key 5: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Initial Root Token: hvs.xxxxxxxxxxxxxxxxxxxx

# Unseal process (run 3 times with different keys)
bao operator unseal   # provide key share 1
bao operator unseal   # provide key share 2
bao operator unseal   # provide key share 3
# Sealed: false — master key reconstructed in memory

Key shares vs. recovery keys

When using auto-unseal (cloud KMS), the master key is encrypted by the KMS rather than split via Shamir. In this mode:

Key shares are not generated — the KMS handles sealing/unsealing automatically
Recovery keys are generated instead (also using Shamir's algorithm) — these are used for operations like bao operator generate-root
Recovery keys cannot unseal the instance — only the KMS key can do that

Migration between seal types

# Migrate from Shamir to auto-unseal:
# 1. Add the seal stanza to bao.hcl
# 2. Restart Bao — it will start sealed
# 3. Provide existing Shamir keys with -migrate flag
bao operator unseal -migrate

# Migrate from auto-unseal back to Shamir:
# 1. Keep the existing seal stanza and add disabled = "true" to it
# 2. Restart and provide recovery keys with -migrate
bao operator unseal -migrate

Security considerations

Distribute shares to different people in different physical locations — the entire point is separation of duties
Never store multiple shares together — that defeats the threshold property
Consider using PGP encryption during init (-pgp-keys) so each share is encrypted to its holder's PGP key
If you lose more than N-K shares, the master key is permanently irrecoverable — all data is lost
For most production deployments, auto-unseal is preferred over Shamir — it eliminates the operational burden of coordinating key holders for every restart

Consultant guidance: Use Shamir for air-gapped or ultra-high-security environments where no cloud KMS is acceptable. For on-premises HSM environments, OpenBao supports PKCS#11 auto-unseal (since v2.2.0). For everything else, configure cloud KMS or Transit auto-unseal and treat recovery keys as the emergency break-glass mechanism. Store recovery keys in separate physical safes or a dedicated HSM.

AppRole Authentication

Machine-to-machine auth method — solving the "secret zero" problem for applications

What is AppRole?

AppRole is an authentication method designed for machines and applications (no human interaction). It uses a two-part credential system: a RoleID (analogous to a username) and a SecretID (analogous to a password). The separation of these two components is the key security property — they should be delivered through different channels.

How it works

An administrator creates a role: bao write auth/approle/role/my-app token_policies="app-readonly" token_ttl=1h
The RoleID is embedded in the application's configuration or image — it's relatively static and identifies which role to authenticate as
A SecretID is generated on-demand and delivered to the application through a trusted channel (CI/CD pipeline, orchestrator, configuration management)
The application combines RoleID + SecretID to authenticate: bao write auth/approle/login role_id=xxx secret_id=yyy
Bao returns a token with the policies attached to the role

Configuration

# Enable AppRole auth method
bao auth enable approle

# Create a role
bao write auth/approle/role/my-app \
  token_policies="app-readonly" \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_ttl=10m \
  secret_id_num_uses=1

# Read the RoleID (embed this in app config)
bao read auth/approle/role/my-app/role-id

# Generate a SecretID (deliver via trusted channel)
bao write -f auth/approle/role/my-app/secret-id

# Application authenticates
bao write auth/approle/login \
  role_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  secret_id="yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"

Response wrapping for SecretID delivery

The recommended pattern uses response wrapping to deliver the SecretID securely:

# Generate a wrapped SecretID (returns a wrapping token)
bao write -wrap-ttl=120s -f auth/approle/role/my-app/secret-id

# The wrapping token is single-use: it can be unwrapped exactly once.
# If someone intercepts and unwraps it first, the app's own unwrap
# fails, which is your signal that the SecretID was exposed.
bao unwrap hvs.wrapping-token-here

This ensures that even if the delivery channel is compromised, the attacker gets a single-use wrapping token. If the attacker unwraps it first, the legitimate application's unwrap fails — providing a tamper-detection mechanism.
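On the application side, the tamper-detection property only helps if a failed unwrap is treated as an incident rather than retried silently. The sketch below assumes the standard sys/wrapping/unwrap endpoint and the X-Vault-Token header; UnwrapFailed and the opener parameter are hypothetical names introduced so the logic can be exercised without a server.

```python
import json
import urllib.error
import urllib.request

class UnwrapFailed(Exception):
    """The wrapping token was expired, invalid, or already used."""

def unwrap_secret_id(addr: str, wrapping_token: str, opener=urllib.request.urlopen) -> str:
    req = urllib.request.Request(
        url=f"{addr}/v1/sys/wrapping/unwrap",
        data=b"",
        # The wrapping token itself authenticates the unwrap call.
        headers={"X-Vault-Token": wrapping_token},
        method="POST",
    )
    try:
        with opener(req) as resp:
            return json.loads(resp.read())["data"]["secret_id"]
    except urllib.error.HTTPError as err:
        # Do not retry blindly: someone else may have unwrapped it first.
        raise UnwrapFailed(f"unwrap rejected with HTTP {err.code}") from err
```

A caller would typically log and alert on UnwrapFailed, then request a fresh wrapped SecretID through the trusted channel.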

Common deployment pattern

CI/CD pipeline: The CI system (Jenkins, GitLab CI, GitHub Actions) has a long-lived token with permission to generate SecretIDs. It generates a wrapped SecretID, passes the wrapping token to the deployment. The application unwraps it, combines with its RoleID, and authenticates.
Kubernetes: For K8s workloads, prefer Kubernetes auth over AppRole — it uses the pod's service account token directly, eliminating the secret zero problem entirely.
VMs: Configuration management (Ansible, Puppet) delivers the SecretID during provisioning. The application authenticates on startup and renews its token periodically.

Comparison with other machine auth methods

vs. Kubernetes auth: K8s auth is simpler (no SecretID management) but only works for K8s workloads. AppRole works everywhere.
vs. TLS certificate auth: Cert auth requires PKI infrastructure and certificate distribution. More secure (mutual TLS) but higher operational overhead.
vs. Cloud IAM auth (AWS, Azure, GCP): Cloud auth uses the instance's IAM identity — zero secret management, but only works on that cloud provider.

Best practice: Always set secret_id_num_uses=1 and a short secret_id_ttl (5–10 minutes). Always use response wrapping for SecretID delivery. Never hardcode SecretIDs in source code or container images. If you're on Kubernetes, use Kubernetes auth instead of AppRole.

Transit Secrets Engine

Encryption-as-a-service — manage cryptographic keys without exposing them to applications

What is Transit?

The Transit secrets engine provides encryption, decryption, signing, verification, and hashing as an API service. Applications send data to Bao, Bao performs the cryptographic operation using a key that never leaves its boundary, and returns the result. The application never sees or manages the encryption key.

This is fundamentally different from KV secrets (where Bao stores your secrets) — with Transit, Bao performs cryptographic operations on your behalf. Your application stores the ciphertext in its own database; Bao just handles the crypto.

Core operations

# Enable the Transit engine
bao secrets enable transit

# Create an encryption key
bao write -f transit/keys/my-app-key

# Encrypt data (plaintext must be base64-encoded)
bao write transit/encrypt/my-app-key \
  plaintext=$(echo -n "sensitive-data" | base64)
# => ciphertext: vault:v1:xxxxxxxxxxxxxxxxxxxxxxxxxxx

# Decrypt data
bao write transit/decrypt/my-app-key \
  ciphertext="vault:v1:xxxxxxxxxxxxxxxxxxxxxxxxxxx"
# => plaintext: c2Vuc2l0aXZlLWRhdGE= (base64)

# Sign data (assumes my-signing-key was created with a signing-capable type, e.g. type=ed25519)
bao write transit/sign/my-signing-key \
  input=$(echo -n "message" | base64)

# Verify a signature
bao write transit/verify/my-signing-key \
  input=$(echo -n "message" | base64) \
  signature="vault:v1:yyyyyyyyyyy"
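Applications calling Transit over the API have to do the same base64 step that the shell examples do with the base64 command. A minimal sketch with hypothetical helper names:

```python
import base64

def to_transit_plaintext(value: str) -> str:
    """Encode a string the way Transit expects the plaintext field."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def from_transit_plaintext(encoded: str) -> str:
    """Decode the base64 plaintext field returned by a decrypt call."""
    return base64.b64decode(encoded).decode("utf-8")

print(to_transit_plaintext("sensitive-data"))        # c2Vuc2l0aXZlLWRhdGE=
print(from_transit_plaintext("c2Vuc2l0aXZlLWRhdGE="))  # sensitive-data
```

Forgetting the decode step on the way back is a common integration bug: the decrypt response contains base64, not the original string.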

Key types

aes256-gcm96 (default) — symmetric encryption. Fast, suitable for bulk data encryption. 96-bit nonce for authenticated encryption. Also available: aes128-gcm96.
chacha20-poly1305 — symmetric encryption. 256-bit key. Good alternative to AES on platforms without hardware AES acceleration.
rsa-2048 / rsa-3072 / rsa-4096 — asymmetric. Encrypt, decrypt, sign, verify. Useful when external systems need to encrypt data that only Bao can decrypt.
ecdsa-p256 / ecdsa-p384 / ecdsa-p521 — asymmetric, signing only. Smaller keys and signatures than RSA, widely supported.
ed25519 — asymmetric, signing only. High performance, modern. Recommended for new signing use cases.
hmac — HMAC key for message authentication. Supports generation and verification.

Key rotation and versioning

Transit supports key rotation without re-encrypting existing data:

# Rotate the key (creates a new version)
bao write -f transit/keys/my-app-key/rotate

# New encryptions use version 2, but version 1
# ciphertext can still be decrypted

# Enforce minimum encryption version (force new key usage)
bao write transit/keys/my-app-key/config \
  min_encryption_version=2

# Enforce minimum decryption version (retire old keys)
bao write transit/keys/my-app-key/config \
  min_decryption_version=2
# WARNING: v1 ciphertext can no longer be decrypted while this is set;
# rewrap everything to the latest version first

# Re-encrypt old ciphertext to the latest key version
bao write transit/rewrap/my-app-key \
  ciphertext="vault:v1:xxxxxxxxxxx"
# => ciphertext: vault:v2:yyyyyyyyyyy

The rewrap endpoint is key: it decrypts with the old version and re-encrypts with the current version, all server-side. Run a batch rewrap job after rotation to migrate all ciphertext to the latest key version, then advance min_decryption_version to retire old keys.
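A batch rewrap job mostly consists of finding ciphertext on an old key version and grouping it into batch_input payloads. The sketch below assumes ciphertexts carry the vault:vN: prefix shown above; the function names and the batch size are hypothetical, and sending each payload to transit/rewrap is left to the caller.

```python
from typing import Iterable, Iterator

def key_version(ciphertext: str) -> int:
    """Extract N from a 'vault:vN:...' ciphertext string."""
    prefix, version, _payload = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError(f"unexpected ciphertext format: {ciphertext!r}")
    return int(version[1:])

def rewrap_payloads(ciphertexts: Iterable[str], latest_version: int,
                    batch_size: int = 100) -> Iterator[dict]:
    """Yield rewrap request bodies for ciphertext older than latest_version."""
    stale = [c for c in ciphertexts if key_version(c) < latest_version]
    for start in range(0, len(stale), batch_size):
        chunk = stale[start:start + batch_size]
        yield {"batch_input": [{"ciphertext": c} for c in chunk]}

for payload in rewrap_payloads(["vault:v1:aaa", "vault:v2:bbb"], latest_version=2):
    print(payload)  # only the v1 ciphertext is included
```

Only once a job like this reports no remaining stale ciphertext is it safe to raise min_decryption_version.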

Convergent encryption

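By default, encrypting the same plaintext twice produces different ciphertext (random nonce). Convergent encryption produces the same ciphertext for the same plaintext and context, enabling equality searches on encrypted data. It requires a derived key, so every encrypt and decrypt request must also supply a context value: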

# Create a key with convergent encryption
bao write transit/keys/searchable-key \
  type=aes256-gcm96 \
  convergent_encryption=true \
  derived=true

Use this when you need to search encrypted database fields (e.g., "find all records for this email address") without decrypting everything. The trade-off: convergent encryption leaks the fact that two ciphertexts correspond to the same plaintext.
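Both the benefit and the leak come from the same property: identical inputs give identical ciphertext. The sketch below uses made-up ciphertext strings (not real Transit output) and a hypothetical helper to show how equal values can be grouped without any decryption.

```python
from collections import defaultdict

def group_by_ciphertext(rows: list[tuple[int, str]]) -> dict[str, list[int]]:
    """Group record ids by their (convergent) ciphertext value."""
    groups: dict[str, list[int]] = defaultdict(list)
    for record_id, ciphertext in rows:
        groups[ciphertext].append(record_id)
    return dict(groups)

# Placeholder ciphertexts standing in for an encrypted email column.
rows = [(1, "vault:v1:AAA"), (2, "vault:v1:BBB"), (3, "vault:v1:AAA")]
print(group_by_ciphertext(rows))
# {'vault:v1:AAA': [1, 3], 'vault:v1:BBB': [2]}
```

The application uses this for lookups, but anyone who can read the table learns the same thing: records 1 and 3 share a value, and how often each value occurs.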

Real-world patterns

Database field encryption: Encrypt PII (SSN, email, payment info) before storing in the application database. The database never sees plaintext.
API token encryption: Encrypt API keys and tokens at rest. Decrypt only when needed for outbound API calls.
Envelope encryption: Use Transit to encrypt a local data encryption key (DEK). Encrypt bulk data locally with the DEK. Store the encrypted DEK alongside the data. This reduces round-trips to Bao for large datasets.
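Tokenization: Replace sensitive values with tokens that keep the original format (e.g., credit card numbers). Transit does not provide format-preserving encryption itself, so the format-preserving step has to come from application code or a separate library, with Transit protecting the underlying values or keys.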

Architecture tip: Transit adds a network round-trip per encrypt/decrypt operation. For high-throughput use cases (encrypting millions of rows), use the batch API (batch_input parameter) or implement envelope encryption to minimize Bao calls. A single Bao node can typically handle 10,000+ Transit operations per second, but actual throughput depends on key type, payload size, hardware, and audit device configuration, so benchmark before sizing a cluster.
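The difference between the three approaches is easiest to see as a call count. This is back-of-the-envelope arithmetic, assuming a hypothetical batch size of 500 items per request and one wrapped data key per dataset for the envelope case:

```python
import math

def transit_calls(rows: int, mode: str, batch_size: int = 500) -> int:
    """Estimate how many Transit requests are needed to protect `rows` values."""
    if mode == "per_row":
        return rows                          # one encrypt call per value
    if mode == "batch":
        return math.ceil(rows / batch_size)  # batch_input with batch_size items
    if mode == "envelope":
        return 1                             # one call to wrap the data key
    raise ValueError(f"unknown mode: {mode}")

for mode in ("per_row", "batch", "envelope"):
    print(mode, transit_calls(1_000_000, mode))
# per_row 1000000
# batch 2000
# envelope 1
```

Envelope encryption moves the bulk work into the application, so it trades Bao load for the responsibility of handling a plaintext data key in application memory.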

PKI Secrets Engine

Built-in certificate authority — issue, renew, and revoke X.509 certificates on demand

What is the PKI engine?

The PKI secrets engine turns OpenBao into a full X.509 certificate authority. It can generate root and intermediate CAs, issue leaf certificates with configurable TTLs, manage CRLs, and serve OCSP responses. This eliminates the need for manual CSR workflows, expensive commercial CAs for internal services, or hand-managed OpenSSL scripts.

The key insight: certificates become short-lived and dynamic, just like database credentials. Instead of issuing a cert that lasts a year (and forgetting to rotate it), you issue certs that last 24-72 hours and let automation handle renewal.

Architecture: Root vs. Intermediate

The recommended pattern is a two-tier CA hierarchy:

Root CA — generated offline or in a separate, tightly locked-down Bao mount. Long-lived (10-20 years). Signs only intermediate CA certificates. Ideally kept offline after signing the intermediate.
Intermediate CA — the one applications actually use. Shorter-lived (1-5 years). Signed by the root. If compromised, revoke and re-issue a new intermediate without touching the root.

Setting up a PKI hierarchy

# 1. Enable the root CA mount
bao secrets enable -path=pki pki
bao secrets tune -max-lease-ttl=87600h pki   # 10 years

# 2. Generate a root certificate
bao write pki/root/generate/internal \
  common_name="My Org Root CA" \
  ttl=87600h
# => Save the certificate — this is your trust anchor

# 3. Configure CRL and issuing URLs
bao write pki/config/urls \
  issuing_certificates="https://bao.example.com:8200/v1/pki/ca" \
  crl_distribution_points="https://bao.example.com:8200/v1/pki/crl"

# 4. Enable the intermediate CA mount
bao secrets enable -path=pki_int pki
bao secrets tune -max-lease-ttl=43800h pki_int   # 5 years

# 5. Generate an intermediate CSR (-format=json so jq can parse the output)
bao write -format=json pki_int/intermediate/generate/internal \
  common_name="My Org Intermediate CA" \
  | jq -r '.data.csr' > pki_int.csr

# 6. Sign the intermediate with the root
bao write -format=json pki/root/sign-intermediate \
  csr=@pki_int.csr \
  format=pem_bundle \
  ttl=43800h \
  | jq -r '.data.certificate' > signed_int.pem

# 7. Import the signed intermediate
bao write pki_int/intermediate/set-signed \
  certificate=@signed_int.pem
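The TTLs in this hierarchy have to nest: a certificate cannot usefully outlive the CA that signed it. The following sketch is a simple planning check with hypothetical names, using the hour values from the commands above (87600h root, 43800h intermediate) plus a 72h role limit and a 24h leaf.

```python
HOURS_PER_YEAR = 8760  # 365 days, ignoring leap years

def check_ttl_chain(root_h: int, intermediate_h: int,
                    role_max_h: int, leaf_h: int) -> list[str]:
    """Return a list of problems; an empty list means the TTLs nest correctly."""
    problems = []
    if intermediate_h > root_h:
        problems.append("intermediate TTL exceeds root TTL")
    if role_max_h > intermediate_h:
        problems.append("role max_ttl exceeds intermediate TTL")
    if leaf_h > role_max_h:
        problems.append("requested leaf TTL exceeds role max_ttl")
    return problems

print(87600 / HOURS_PER_YEAR, 43800 / HOURS_PER_YEAR)  # 10.0 5.0
print(check_ttl_chain(87600, 43800, 72, 24))           # []
```

The check does not account for the time already elapsed on the root or intermediate, which matters when planning rotation late in a CA's lifetime.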

Issuing certificates

# Create a role (defines what certs can be issued)
bao write pki_int/roles/web-server \
  allowed_domains="example.com" \
  allow_subdomains=true \
  max_ttl=72h

# Issue a certificate
bao write pki_int/issue/web-server \
  common_name="app.example.com" \
  alt_names="app2.example.com" \
  ttl=24h
# => Returns: certificate, private_key, ca_chain, serial_number

# Revoke a certificate
bao write pki_int/revoke \
  serial_number="xx:xx:xx:xx:..."

Roles and constraints

PKI roles define the boundaries of what certificates can be issued. This is where you enforce policy:

allowed_domains — which domains the role can issue for
allow_subdomains — whether subdomains of allowed_domains are permitted
allow_glob_domains — pattern-based domain matching
max_ttl — maximum certificate lifetime
key_type / key_bits — rsa (2048/3072/4096), ec (256/384/521), or ed25519
require_cn — whether a common name is mandatory
server_flag / client_flag — restrict to server-auth, client-auth, or both
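How allowed_domains and allow_subdomains interact is a frequent source of confusion, so a simplified model can help when explaining it. The sketch below is an approximation written for illustration: it ignores glob and wildcard handling, and it includes allow_bare_domains (a role option not listed above, off by default) because it decides whether the domain itself can be issued.

```python
def name_allowed(name: str, allowed_domains: list[str],
                 allow_subdomains: bool = False,
                 allow_bare_domains: bool = False) -> bool:
    """Simplified model of a PKI role's domain check for one requested name."""
    name = name.lower().rstrip(".")
    for domain in allowed_domains:
        domain = domain.lower()
        if name == domain:
            if allow_bare_domains:
                return True
        elif allow_subdomains and name.endswith("." + domain):
            return True
    return False

role = {"allowed_domains": ["example.com"], "allow_subdomains": True}
print(name_allowed("app.example.com", **role))   # True
print(name_allowed("example.com", **role))       # False (bare domain not enabled)
print(name_allowed("evil-example.com", **role))  # False (not a subdomain)
```

The second case surprises people most often: with the web-server role shown earlier, a request for example.com itself would be rejected unless the role also allows bare domains.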

Automated renewal patterns

Bao Agent — runs as a sidecar, auto-renews certs via templating and writes them to disk. Services reload on file change (e.g., Nginx, HAProxy).
cert-manager (K8s) — integrates with OpenBao's PKI engine as an issuer. Automatically provisions and rotates TLS secrets for Kubernetes workloads.
Consul-template / envconsul — watches the PKI lease and re-renders config files on renewal.
Short TTLs + automation — the core philosophy. A 24h cert that auto-renews is far safer than a 1-year cert that everyone forgets about.
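Automation has to decide when to renew, and renewing partway through the lifetime leaves room for retries if Bao is briefly unavailable. A minimal sketch follows; the two-thirds default is an assumption chosen for illustration, not a documented setting of any of the tools above.

```python
from datetime import datetime, timedelta, timezone

def renew_after(not_before: datetime, not_after: datetime,
                fraction: float = 2 / 3) -> datetime:
    """Return the point in the certificate's lifetime at which to renew."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be between 0 and 1")
    return not_before + (not_after - not_before) * fraction

issued = datetime(2025, 1, 1, 0, 0, tzinfo=timezone.utc)
expires = issued + timedelta(hours=24)
print(renew_after(issued, expires, fraction=0.5))  # 2025-01-01 12:00:00+00:00
```

For a 24h certificate this leaves several hours of slack, which is usually enough to ride out a restart or a short outage without an expired certificate in production.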

Consultant tip: PKI is the engine with the biggest "wow factor" for customers. Show them a demo: issue a cert in one CLI command, point out it expires in 24 hours, then show the automated renewal. Compare that to their current process of filing a ticket, waiting 3 days, and getting a cert that expires in a year.

Database Secrets Engine

Dynamic, short-lived database credentials — eliminate shared passwords and credential sprawl

What is the Database engine?

The Database secrets engine generates dynamic, short-lived database credentials on demand. Instead of applications sharing a static db_password from a config file, each application instance requests its own unique credentials from Bao. Those credentials are automatically revoked when the lease expires.

This is arguably the highest-value engine in OpenBao. It solves the "who has the database password?" problem completely — every credential is unique, traceable, and automatically expires.

Supported databases

PostgreSQL — full support including static roles, rotation, and custom SQL statements
MySQL / MariaDB — dynamic and static credential management
MongoDB — dynamic credentials with custom roles
Microsoft SQL Server — Windows and SQL auth support
Oracle — dynamic credentials via custom creation statements
Redis — ACL-based dynamic credentials
Elasticsearch — dynamic user management
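Snowflake, Cassandra, InfluxDB, Couchbase — built-in or external plugins depending on the release. Plugin availability differs from upstream Vault, so verify the plugin list for the customer's OpenBao version before committing to a database.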

Setting up dynamic PostgreSQL credentials

# 1. Enable the database engine
bao secrets enable database

# 2. Configure the PostgreSQL connection
bao write database/config/my-postgres \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly,readwrite" \
  connection_url="postgresql://{{username}}:{{password}}@pg.example.com:5432/mydb?sslmode=verify-full" \
  username="bao_admin" \
  password="initial-password"

# 3. Rotate the root credentials (Bao takes ownership)
bao write -f database/rotate-root/my-postgres
# WARNING: after this, only Bao knows the password

# 4. Create a role (defines what credentials look like)
bao write database/roles/readonly \
  db_name=my-postgres \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  revocation_statements="DROP ROLE IF EXISTS \"{{name}}\";" \
  default_ttl=1h \
  max_ttl=24h

# 5. Generate credentials
bao read database/creds/readonly
# => username: v-approle-readonly-xxxxxxxxxxxxx
# => password: A1B2-C3D4-E5F6-randomized
# => lease_duration: 1h
# => lease_id: database/creds/readonly/xxxx
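The creation_statements value is a template: the placeholders in double braces are filled in for each credential request. The sketch below only illustrates that substitution, with a hypothetical render_statement helper and made-up values; the real plugin generates the name and password itself.

```python
def render_statement(template: str, name: str, password: str, expiration: str) -> str:
    """Fill the {{name}}, {{password}} and {{expiration}} placeholders."""
    return (template
            .replace("{{name}}", name)
            .replace("{{password}}", password)
            .replace("{{expiration}}", expiration))

template = (
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' "
    "VALID UNTIL '{{expiration}}';"
)
print(render_statement(template, "v-approle-readonly-abc", "s3cret",
                       "2025-01-01 01:00:00+00"))
# CREATE ROLE "v-approle-readonly-abc" WITH LOGIN PASSWORD 's3cret' VALID UNTIL '2025-01-01 01:00:00+00';
```

Seeing the rendered SQL makes it easier to review a role with a DBA, since what runs against the database is ordinary SQL with generated values.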

Lease management

Every dynamic credential comes with a lease. When the lease expires, Bao runs the revocation statement (e.g., DROP ROLE). Applications can renew leases to extend the credential lifetime up to the max_ttl:

# Renew a lease (request a 1-hour extension, in seconds)
bao lease renew -increment=3600 database/creds/readonly/xxxx

# Revoke a specific credential immediately
bao lease revoke database/creds/readonly/xxxx

# Revoke ALL credentials for a role
bao lease revoke -prefix database/creds/readonly/
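Renewal extends a lease from the time of the renewal, but never past max_ttl measured from when the credential was first issued. A minimal sketch of that cap, using a hypothetical helper and the 1h/24h values from the role above:

```python
from datetime import datetime, timedelta

def renewed_expiry(issued_at: datetime, now: datetime,
                   increment: timedelta, max_ttl: timedelta) -> datetime:
    """New expiry after a renewal, capped at issued_at + max_ttl."""
    hard_limit = issued_at + max_ttl
    return min(now + increment, hard_limit)

issued = datetime(2025, 1, 1, 0, 0)
# Renewing early in the lease: full 1h increment from "now".
print(renewed_expiry(issued, datetime(2025, 1, 1, 0, 45),
                     timedelta(hours=1), timedelta(hours=24)))  # 2025-01-01 01:45:00
# Renewing near the 24h limit: capped at the hard limit.
print(renewed_expiry(issued, datetime(2025, 1, 1, 23, 30),
                     timedelta(hours=1), timedelta(hours=24)))  # 2025-01-02 00:00:00
```

Applications therefore need a path for fetching brand-new credentials, because renewal alone stops working once the hard limit is reached.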

Static roles

For cases where you can't use dynamic usernames (legacy apps that hardcode a username), static roles rotate the password of an existing database user on a schedule:

# Create a static role that rotates every 24 hours
bao write database/static-roles/my-static-user \
  db_name=my-postgres \
  username="app_user" \
  rotation_period=86400

# Get the current password
bao read database/static-creds/my-static-user
# => username: app_user
# => password: (current rotated password)

Application integration patterns

Bao Agent + templating — Agent fetches credentials and renders them into config files or environment variables. Handles renewal automatically.
Direct API calls — Application requests credentials at startup, renews them periodically, and handles reconnection on rotation.
Kubernetes sidecar — Init container or sidecar fetches creds via K8s auth, writes to a shared volume. The app reads creds from a file.
Connection pooling — Use PgBouncer or ProxySQL as an intermediary. Bao Agent (or configuration management) re-renders the pooler's backend credentials when they rotate; applications connect through the pooler with a stable address.

Operational considerations

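Lease explosion: If applications request new credentials on every HTTP request instead of reusing them, you'll create thousands of short-lived DB roles and leases that all have to be tracked and revoked. Cache credentials per application instance, keep default_ttl and max_ttl short, and monitor vault.expire.num_leases.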
Root rotation: After rotate-root, only Bao knows the admin password. If Bao is down, you can't manage the database directly. Keep a break-glass superuser account separate from the one Bao manages.
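Schema changes: Dynamic users need permissions granted via the creation statement. GRANT ... ON ALL TABLES applies only to tables that exist when a credential is created, so credentials issued earlier will not see newer tables until they are reissued. To cover future tables, have the creation statement grant membership in a group role and maintain that role's rights with ALTER DEFAULT PRIVILEGES.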
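The lease explosion problem is usually fixed in application code by fetching credentials once and reusing them until shortly before expiry. The sketch below is one way to do that; CredentialCache, the fetch callable, and the 60-second margin are hypothetical, and fetch is expected to return a dict with a lease_duration in seconds, as in the database/creds response.

```python
import time
from typing import Callable

class CredentialCache:
    """Reuse one set of dynamic credentials until shortly before expiry."""

    def __init__(self, fetch: Callable[[], dict], refresh_margin: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch            # e.g. a function that reads database/creds/readonly
        self._margin = refresh_margin  # seconds before expiry to refresh
        self._clock = clock
        self._creds = None
        self._expires_at = 0.0

    def get(self) -> dict:
        now = self._clock()
        if self._creds is None or now >= self._expires_at - self._margin:
            self._creds = self._fetch()
            self._expires_at = now + self._creds["lease_duration"]
        return self._creds
```

A request handler would call cache.get() on each request. Only the first call, and calls made near expiry, reach Bao. This sketch is not thread-safe; a multi-threaded service would add a lock around the refresh.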

Security win: With dynamic credentials, a compromised password is useless within hours (or minutes). There's no shared password to rotate across 15 config files. Every credential maps to a specific application instance, so audit logs show exactly who accessed what. This is the engine that security teams love most.

SSH Secrets Engine

Signed certificates and one-time passwords — eliminate authorized_keys management and static SSH credentials

What is the SSH engine?

The SSH secrets engine provides two mechanisms for securing SSH access: signed SSH certificates (recommended) and one-time passwords (OTP). Both eliminate the need to manage authorized_keys files, distribute SSH keys manually, or maintain static credentials across servers.

The signed certificate approach is particularly powerful: the SSH server trusts a CA public key, and Bao signs user certificates on demand. No per-user configuration on the server side. A new engineer gets access by requesting a signed cert from Bao — no one touches the server.

Signed SSH Certificates (recommended)

This is the preferred approach. OpenBao acts as an SSH Certificate Authority:

# 1. Enable the SSH engine
bao secrets enable -path=ssh-client-signer ssh

# 2. Generate or import a CA signing key
bao write ssh-client-signer/config/ca \
  generate_signing_key=true
# => Returns the CA public key

# 3. Get the CA public key (configure this on SSH servers)
bao read -field=public_key ssh-client-signer/config/ca \
  > /etc/ssh/trusted-user-ca-keys.pem

# 4. On each SSH server, add to /etc/ssh/sshd_config:
#    TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
#    Then: systemctl restart sshd

# 5. Create a role for signing user keys
#    (allow_user_certificates must be true or user-key signing is rejected)
bao write ssh-client-signer/roles/admin \
  key_type=ca \
  allow_user_certificates=true \
  default_user=ubuntu \
  allowed_users="ubuntu,admin,deploy" \
  allowed_extensions="permit-pty,permit-port-forwarding" \
  ttl=30m \
  max_ttl=4h

# 6. Sign a user's public key and save the certificate next to the key
bao write -field=signed_key ssh-client-signer/sign/admin \
  public_key=@$HOME/.ssh/id_ed25519.pub \
  valid_principals=ubuntu \
  ttl=2h > ~/.ssh/id_ed25519-cert.pub

# 7. Use the certificate (log in as a principal listed in it)
ssh -i ~/.ssh/id_ed25519 ubuntu@server
# SSH automatically uses the matching *-cert.pub file

How SSH certificates work

SSH certificates are different from X.509/TLS certificates. They are a built-in feature of OpenSSH:

The server trusts a CA public key (one line in sshd_config)
Users present a certificate signed by that CA along with their private key
The server validates the signature, checks the principals (allowed usernames), and checks the expiry time
No authorized_keys entry needed for the user — the CA signature is sufficient
Certificates have a TTL — expired certs are automatically rejected

This means adding or removing user access is entirely managed through Bao policies, not through server configuration.
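The server-side decision described in the list above can be modeled in a few lines. This is a conceptual sketch only: real sshd verifies the CA signature cryptographically, whereas here a CA identifier string stands in for that check, and all names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserCert:
    principals: tuple[str, ...]  # usernames the cert may log in as
    valid_after: int             # Unix timestamps bounding the validity window
    valid_before: int
    signed_by: str               # stand-in for a verified CA signature

def accepts(cert: UserCert, login_user: str, trusted_cas: set[str], now: int) -> bool:
    """Model of the three checks: trusted CA, matching principal, not expired."""
    return (cert.signed_by in trusted_cas
            and login_user in cert.principals
            and cert.valid_after <= now < cert.valid_before)

cert = UserCert(principals=("ubuntu",), valid_after=1000, valid_before=8200,
                signed_by="bao-user-ca")
print(accepts(cert, "ubuntu", {"bao-user-ca"}, now=2000))  # True
print(accepts(cert, "root", {"bao-user-ca"}, now=2000))    # False: not a principal
print(accepts(cert, "ubuntu", {"bao-user-ca"}, now=9000))  # False: expired
```

Nothing in the check depends on per-user state on the server, which is why access can be granted and withdrawn entirely on the Bao side.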

One-Time Password (OTP) mode

An alternative for environments where SSH certificate support is limited:

# Enable the SSH engine for OTP
bao secrets enable -path=ssh ssh

# Configure a role
bao write ssh/roles/otp_role \
  key_type=otp \
  default_user=ubuntu \
  cidr_list="10.0.0.0/8"

# Generate an OTP for a specific host
bao write ssh/creds/otp_role \
  ip=10.0.1.50
# => key: xxxxxxxx-xxxx-xxxx  (one-time password)
# => username: ubuntu

# SSH using the OTP
ssh ubuntu@10.0.1.50
# Enter the OTP as the password — it works exactly once

OTP mode requires the bao-ssh-helper PAM module installed on target servers. The helper validates the OTP with Bao and invalidates it immediately after use.
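The "works exactly once" behavior comes from the OTP being removed as soon as it is checked. The toy model below illustrates that semantic with hypothetical names; it is not the helper's implementation and involves no network calls.

```python
import secrets

class OtpStore:
    """Toy model of single-use OTPs bound to a username and target IP."""

    def __init__(self):
        self._pending: dict[str, tuple[str, str]] = {}

    def issue(self, username: str, ip: str) -> str:
        otp = secrets.token_hex(16)
        self._pending[otp] = (username, ip)
        return otp

    def verify(self, otp: str, username: str, ip: str) -> bool:
        # pop() removes the OTP whether or not the check succeeds,
        # so a second attempt with the same value always fails.
        expected = self._pending.pop(otp, None)
        return expected == (username, ip)

store = OtpStore()
otp = store.issue("ubuntu", "10.0.1.50")
print(store.verify(otp, "ubuntu", "10.0.1.50"))  # True
print(store.verify(otp, "ubuntu", "10.0.1.50"))  # False: already used
```

Binding the OTP to a username and IP means an intercepted password cannot be replayed against a different host.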

Host key signing

Bao can also sign host keys, solving the "do you trust this host?" TOFU (Trust On First Use) problem:

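# Enable a separate mount for host signing
bao secrets enable -path=ssh-host-signer ssh

# Generate a host CA key
bao write ssh-host-signer/config/ca generate_signing_key=true

# Create the role used below (host certificates must be explicitly allowed)
bao write ssh-host-signer/roles/host-role \
  key_type=ca \
  allow_host_certificates=true \
  allowed_domains="example.com" \
  allow_subdomains=true

# Sign a server's host key
bao write ssh-host-signer/sign/host-role \
  cert_type=host \
  public_key=@/etc/ssh/ssh_host_ed25519_key.pub

# On clients, add the host CA to known hosts:
# @cert-authority *.example.com HOST_CA_PUBLIC_KEY
# (HOST_CA_PUBLIC_KEY is the public_key value from ssh-host-signer/config/ca)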
# No more "The authenticity of host ... can't be established" prompts
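Client rollout usually means generating the known_hosts entry from the host CA public key and distributing it with configuration management. A minimal sketch, with a hypothetical helper and a placeholder key value rather than a real one:

```python
def cert_authority_line(host_pattern: str, ca_public_key: str) -> str:
    """Build a known_hosts entry that trusts a host CA for matching hosts."""
    key = " ".join(ca_public_key.split())  # collapse newlines and extra spaces
    if not key:
        raise ValueError("CA public key is empty")
    return f"@cert-authority {host_pattern} {key}"

# Placeholder key material, for illustration only.
line = cert_authority_line("*.example.com", "ssh-ed25519 AAAAexamplekey\n")
print(line)  # @cert-authority *.example.com ssh-ed25519 AAAAexamplekey
```

The resulting line can be appended to a system-wide known_hosts file so that every user on the client trusts hosts signed by the CA.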

Role configuration and security

allowed_users — restrict which Linux users can be specified as principals. Use "*" with caution.
allowed_extensions — control SSH features: permit-pty, permit-port-forwarding, permit-agent-forwarding. Omit extensions to restrict capabilities.
ttl / max_ttl — keep certificate lifetimes short. 30 minutes to 4 hours is typical for interactive sessions. CI/CD pipelines might use 15-minute certs.
allowed_critical_options — e.g., force-command to restrict what the user can execute via SSH.
cidr_list (OTP mode) — restrict which IP ranges OTPs can be generated for.

Real-world deployment

Interactive access: Engineers authenticate to Bao (OIDC/LDAP), request a signed cert with a 2h TTL, SSH into servers. Cert expires automatically — no cleanup needed.
CI/CD pipelines: Pipeline authenticates via AppRole, gets a 15-minute cert, deploys, cert expires. No long-lived deploy keys sitting in CI secrets.
Emergency access: Break-glass procedure: generate a signed cert via Bao with a specific "emergency" principal, triggering audit alerts. Full traceability.
Offboarding: Remove the user's Bao policy. Their existing cert expires within hours. No servers to touch, no keys to remove.

Migration path: Start by deploying the CA trust (TrustedUserCAKeys) on all servers. This is a one-line config change and doesn't break existing authorized_keys access. Then gradually move users to cert-based access. Once all users are on certs, you can remove authorized_keys entries and set AuthorizedKeysFile none in sshd_config to disable key-file lookups entirely.