
OpenBao is an open source solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. This project is a forked alternative to Vault managed by the Linux Foundation, and development is driven by the community.

OpenBao is still early in development
While OpenBao is a fork of a production-ready 1.14.x release of HashiCorp Vault, the OpenBao codebase is still early in development and is subject to change as development takes place. We recommend following the release cycles for any breaking changes to minimize downtime on a production environment.

Deploying a Marketplace App

The Linode Marketplace lets you easily deploy software on a Compute Instance using Cloud Manager. See Get Started with Marketplace Apps for complete steps.

  1. Log in to Cloud Manager and select the Marketplace link from the left navigation menu. This displays the Linode Create page with the Marketplace tab pre-selected.

  2. Under the Select App section, select the app you would like to deploy.

  3. Complete the form by following the steps and advice within the Creating a Compute Instance guide. Depending on the Marketplace App you selected, there may be additional configuration options available. See the Configuration Options section below for compatible distributions, recommended plans, and any additional configuration options available for this Marketplace App.

  4. Click the Create Linode button. Once the Compute Instance has been provisioned and has fully powered on, wait for the software installation to complete. If the instance is powered off or restarted before this time, the software installation will likely fail.

To verify that the app has been fully installed, see Get Started with Marketplace Apps > Verify Installation. Once installed, follow the instructions within the Getting Started After Deployment section to access the application and start using it.

Note
Estimated deployment time: OpenBao should be fully installed within 5-7 minutes after the Compute Instance has finished provisioning.

Configuration Options

  • Supported distributions: Ubuntu 24.04 LTS
  • Suggested minimum plan: All plan types and sizes can be used. For best results, use an 8GB Dedicated CPU or Shared Compute Instance.

OpenBao Options

Custom Domain (Optional)

If you wish to automatically configure a custom domain, you first need to configure your domain to use Linode’s name servers. This is typically accomplished directly through your registrar. See Use Linode’s Name Servers with Your Domain. Once that is finished, you can fill out the following fields for the Marketplace App:

  • Linode API Token: If you wish to use the Linode’s DNS Manager to manage DNS records for your custom domain, create a Linode API Personal Access Token on your account with Read/Write access to Domains. If this is provided along with the subdomain and domain fields (outlined below), the installation attempts to create DNS records via the Linode API. See Get an API Access Token. If you do not provide this field, you need to manually configure your DNS records through your DNS provider and point them to the IP address of the new instance.

  • Subdomain: The subdomain you wish to use, such as www for www.example.com.

  • Domain: The domain name you wish to use, such as example.com.

  • List of IP addresses to whitelist: A list of IP addresses that will be whitelisted for OpenBao. These should be the client IPs that need to obtain secrets from your OpenBao instance.

  • Country or region (required): Enter the country or region for you or your organization.

  • State or province (required): Enter the state or province for you or your organization.

  • Locality (required): Enter the town or other locality for you or your organization.

  • Organization (required): Enter the name of your organization.

  • Email address (required): Enter the email address you wish to use for your certificate file.

Limited Sudo User

You need to fill out the following fields to automatically create a limited sudo user, with a strong generated password for your new Compute Instance. This account will be assigned to the sudo group, which provides elevated permissions when running commands with the sudo prefix.

  • Limited sudo user: Enter your preferred username for the limited user. No Capital Letters, Spaces, or Special Characters.

    Locating The Generated Sudo Password

    A password is generated for the limited user and stored in a .credentials file in their home directory, along with application-specific passwords. This can be viewed by running: cat /home/$USERNAME/.credentials

    For best results, add an account SSH key for the Cloud Manager user that is deploying the instance, and select that user as an authorized_user in the API or by selecting that option in Cloud Manager. Their SSH pubkey will be assigned to both root and the limited user.

  • Disable root access over SSH: To block the root user from logging in over SSH, select Yes. You can still switch to the root user once logged in, and you can also log in as root through Lish.

    Accessing The Instance Without SSH
    If you disable root access for your deployment and do not provide a valid Account SSH Key assigned to the authorized_user, you will need to log in as the root user via the Lish console and run cat /home/$USERNAME/.credentials to view the generated password for the limited user.

Warning
Do not use a double quotation mark character (") within any of the App-specific configuration fields, including user and database password fields. This special character may cause issues during deployment.

Getting Started After Deployment

Once the deployment is complete, OpenBao is installed and ready to use. You can SSH into your machine and obtain the credentials found in the .credentials file in the sudo user's home directory, /home/$SUDO_USER/.credentials.

  1. bao commands can now be run to continue setting up your OpenBao instance. To confirm, run the bao status command:

    bao status

    Note
    If you receive an error when running the bao status command, reload the environment variables by sourcing your server’s bashrc file:

    source /root/.bashrc

  2. The OpenBao instance is initialized as part of the deployment. The unseal keys along with the root token can be found in the .credentials file in the sudo user's home directory, /home/$SUDO_USER/.credentials.

The unseal keys should be stored in separate locations. For example, store one key in a password manager such as 1Password, encrypted with gpg, and another offline on a USB key. Doing so ensures that compromising one storage location is not sufficient to recover the number of unseal keys required to decrypt the OpenBao database.

The Initial Root Token is equivalent to the root or superuser account for the OpenBao API. Record and protect this token in a similar fashion. Like the root account on a Unix system, this token should be used to create less-privileged accounts to use for day-to-day interactions with OpenBao and the root token should be used infrequently due to its widespread privileges.

Unseal OpenBao

After the deployment is complete, OpenBao will be sealed. The following unseal steps must be performed any time the openbao service is brought down and then brought up again, such as when performing systemctl restart openbao or restarting the host machine.

  1. With VAULT_ADDR set appropriately, execute the unseal command.

    bao operator unseal

    A prompt will appear:

    Unseal Key (will be hidden):
  2. Paste or enter one unseal key and press Enter. The command will finish with output similar to the following:

    Unseal Key (will be hidden):
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             true
    Total Shares       3
    Threshold          2
    Unseal Progress    1/2
    Unseal Nonce        n/a
    Version            2.0.0-alpha20240329
    Storage Type       raft
    HA Enabled         false

    The output indicates that one out of the two required unseal keys has been provided.

  3. Perform the unseal command again.

    bao operator unseal
  4. Enter a different unseal key when the prompt appears.

    Unseal Key (will be hidden):
  5. The resulting output should indicate that OpenBao is now unsealed (Sealed: false).

    Unseal Key (will be hidden):
    Key                     Value
    ---                     -----
    Seal Type               shamir
    Initialized             true
    Sealed                  false
    Total Shares            3
    Threshold               2
    Version                 2.0.0-alpha20240329
    Build Date              2024-03-29T21:37:50Z
    Storage Type            raft
    Cluster Name            vault-cluster-9b0549a6
    Cluster ID              4cb3e7c0-6ce5-2d54-2549-f88d29cb9691
    HA Enabled              true
    HA Cluster              n/a
    HA Mode                 standby
    Active Node Address     <none>
    Raft Committed Index    27
    Raft Applied Index      27

OpenBao is now operational.
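The unseal steps above can be wrapped in a small helper on the host so that an operator is prompted for exactly as many shares as the threshold still requires, without a key ever appearing on a command line or in shell history. The script below is an added example, not part of the Marketplace App or the OpenBao project; it assumes bao is on PATH and BAO_ADDR/VAULT_ADDR is set, and it decides how many shares remain by parsing the text output of bao status shown above. The sample status text embedded in it is constructed from the output in this guide.

```shell
#!/bin/sh
# Added example (not OpenBao project code): prompt for unseal key shares one at a
# time until the threshold is met. Assumes `bao` is on PATH and BAO_ADDR/VAULT_ADDR
# points at the local server; shares are only typed at the hidden prompt.
set -eu

# Print the value of one field of `bao status` text output, e.g. "Sealed" -> "true".
status_field() {
  printf '%s\n' "$1" | awk -v key="$2" '
    substr($0, 1, length(key)) == key && substr($0, length(key) + 1, 1) == " " {
      v = substr($0, length(key) + 1); sub(/^ +/, "", v); print v; exit }'
}

# Number of further shares required before the server is unsealed (0 when unsealed).
# Fails if the seal status cannot be read, so an unreachable server is never
# mistaken for an unsealed one.
shares_remaining() {
  sealed=$(status_field "$1" "Sealed")
  case "$sealed" in
    false) echo 0; return 0 ;;
    true)  progress=$(status_field "$1" "Unseal Progress")   # e.g. "1/2"
           echo $(( ${progress#*/} - ${progress%/*} )) ;;
    *)     echo "cannot read seal status; is BAO_ADDR/VAULT_ADDR set?" >&2; return 1 ;;
  esac
}

# Re-check status after every share and stop as soon as the threshold is reached.
unseal_loop() {
  while :; do
    out=$(bao status 2>/dev/null || true)   # bao status exits non-zero while sealed
    left=$(shares_remaining "$out")
    [ "$left" -gt 0 ] || { echo "OpenBao is unsealed."; return 0; }
    echo "Sealed: $left more unseal key(s) needed; each should come from a different holder."
    bao operator unseal || echo "share rejected, try again" >&2
  done
}

# Constructed sample, taken from the status output shown above, for a self-check.
SAMPLE_SEALED='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       3
Threshold          2
Unseal Progress    1/2'

# Only start the interactive loop when invoked as `sh unseal.sh run`.
if [ "${1:-}" = "run" ]; then
  unseal_loop
fi
```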

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Note
Currently, Linode does not manage software and systems updates for Marketplace Apps. It is up to the user to perform routine maintenance on software deployed in this fashion.

