Eliminate hardcoded secrets with OpenBao - a ready-to-run secrets manager that initializes, unseals, and serves requests in minutes with zero manual setup. Backed by 24/7 cloudimg support.
Real screenshots of this software running on the cloudimg image, taken while testing the deployment guide.
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
## Overview
OpenBao is an open source, community-driven secrets management platform: a Linux Foundation project and the MPL-2.0 licensed fork of Vault. It centrally stores, accesses, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets, and provides encryption as a service so applications never have to handle raw keys. This image delivers OpenBao fully installed and configured as a system service backed by integrated raft storage, so a working secrets engine is running within minutes of launch.
## Application Stack
## Secrets Management
Enable secrets engines for key/value secrets, dynamic database credentials, PKI certificate issuance, SSH, transit encryption as a service, and more. Authenticate with tokens, AppRole, userpass, JWT/OIDC, or cloud auth methods, and govern every path with fine-grained policies. Drive everything from the web UI, the `bao` CLI, or the HTTP API.
## Secure First Boot
On the first boot of your instance a one-shot service initializes the store, captures the single unseal key and the initial root token unique to that instance, unseals the server, and writes both to a root-only file. No shared or default credentials, no pre-initialized store, and no preset unseal key ship in the image.
## Auto Unseal Across Reboots
A dedicated service re-unseals the server automatically after every reboot so the appliance returns to a healthy, ready state unattended. The included user guide documents switching to AWS KMS auto-unseal and enabling TLS for production deployments.
## Concrete Use Case: Dynamic Database Credentials in CI/CD
A platform team running GitHub Actions or GitLab CI pipelines enables the database secrets engine to issue short-lived PostgreSQL credentials per job. Each pipeline step requests a unique credential scoped to the exact tables it needs, and the credential is automatically revoked when the lease expires. This eliminates long-lived database passwords stored in environment variables and reduces blast radius if a pipeline is compromised - ideal for teams managing dozens to hundreds of microservices.
## cloudimg Support
24/7 technical support by email and live chat. Our engineers help with deployment, secrets engine and auth method configuration, policies, PKI, transit encryption, AWS KMS auto-unseal, TLS, raft storage, and backup. Critical issues receive a one-hour average response.
## Additional Use Cases
## Getting Started
Launch the AMI, wait for the systemd initialization to complete, then access the web UI at https://your-instance-ip:8200. Retrieve your unique root token from the root-only file documented in the user guide and begin configuring secrets engines and auth methods immediately. Consult the included user guide for production hardening steps including AWS KMS auto-unseal and TLS termination.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.