Tutorial  on  Security

Auto Unseal OpenBao/Vault with the Transit Secrets Engine

In this tutorial, you'll learn how to unseal OpenBao and Vault automatically using the Transit secrets engine.

You'll walk through how to:

  • Set up the Transit secrets engine
  • Enable automatic unsealing using the Transit seal

💡 To dive deeper into the concepts covered in this tutorial, check out the References section.

Preparations

First, choose whether to use OpenBao or Vault. The included playground has both pre-installed.

Enter one of the following values:

  • openbao
  • vault

How it works

Automatic unsealing isn't fundamentally different from the manual unsealing process.

In the manual process, a set of unseal keys is required to reconstruct the root key (or master key). The root key is then used to decrypt the encryption key, which the service uses to access the underlying data.

💡 To learn more about the unsealing process, check out this tutorial.

With automatic unsealing, an external service manages the encryption of the root key, eliminating the need for unseal keys.

Auto unseal process

The service is configured for automatic unsealing via the seal stanza.

Both OpenBao and Vault support several unsealing mechanisms, including:

  • Cloud KMS (AWS, GCP, Azure, etc.)
  • PKCS#11 (HSM)
  • Transit secrets engine (built-in "KMS")

In this tutorial, you'll use the Transit secrets engine for simplicity, though the setup is similar to other supported unsealing mechanisms.

You'll configure two instances of OpenBao/Vault:

  • An unsealer (with the Transit secrets engine enabled) running in dev mode
  • A standard installation of the service, configured for automatic unsealing

Configuring the unsealer

Since the unsealer runs in dev mode, you don't need to configure a storage backend or initialize it.

However, you'll still need to enable the Transit secrets engine so it can be used to unseal other instances.

To enable the secrets engine, switch to the unsealer and run the following command:

OpenBao
Vault
bao secrets enable transit

vault secrets enable transit

You'll also need to create a key in the new secrets engine for the unsealer to use when encrypting and decrypting the root key:

OpenBao
Vault
bao write -f transit/keys/unseal-key

vault write -f transit/keys/unseal-key

Configuring the service

The service that will be automatically unsealed is already configured to use the in-memory storage backend.

Switch to the playground and configure the unsealing process:

OpenBao
Vault
/etc/openbao/config.d/seal.hcl
seal "transit" {
  address = "http://unsealer:8200"
  token   = "iximiuz"

  key_name   = "unseal-key"
  mount_path = "transit/"
}
Hint 1 💡
sudo -u openbao $EDITOR /etc/openbao/config.d/seal.hcl
Configuration breakdown
  • The seal stanza sets up the Transit seal.
  • address and token specify the connection details for the instance configured as the unsealer service.
  • key_name and mount_path define the location of the transit key used to encrypt and decrypt the root key.

Then restart the service:

sudo systemctl restart openbao
/etc/vault.d/config.d/seal.hcl
seal "transit" {
  address = "http://unsealer:8200"
  token   = "iximiuz"

  key_name   = "unseal-key"
  mount_path = "transit/"
}
Hint 1 💡
sudo -u vault $EDITOR /etc/vault.d/config.d/seal.hcl
Configuration breakdown
  • The seal stanza sets up the Transit seal.
  • address and token specify the connection details for the instance configured as the unsealer service.
  • key_name and mount_path define the location of the transit key used to encrypt and decrypt the root key.

Then restart the service:

sudo systemctl restart vault

As with any new instance, you'll need to initialize the service, but this time, the process will be slightly different.

In a typical initialization, a set of unseal keys is generated and used to reconstruct the root key during the unsealing process.

With auto unsealing enabled, unseal keys are no longer needed, since an external service manages the encryption of the root key. Instead, a set of recovery keys is created.

This is because the service can still be manually sealed, even with auto unsealing enabled (for example, as a protective measure to restrict access). In such cases, recovery keys are used to manually unseal the service.

It's important to note that recovery keys are not related to the root key. They serve purely as an authorization mechanism, ensuring that only those who possess them can unseal a manually sealed service.

The external service that manages root key encryption is still required to complete the unsealing process.

To initialize the service, use the following command:

OpenBao
Vault
bao operator init -recovery-shares=1 -recovery-threshold=1

vault operator init -recovery-shares=1 -recovery-threshold=1

⚠️ Similarly to key shares and threshold, using -recovery-shares=1 -recovery-threshold=1 in production is not recommended, as it creates a single recovery key with no redundancy. This configuration is used here for simplicity.

Make sure to save both the recovery key and the root token.

Once the initialization is complete, the service should be unsealed automatically.

Manual sealing

Let's test the manual sealing process.

Log in to the service using the root token received during initialization:

OpenBao
Vault
bao login

vault login

Seal the service:

OpenBao
Vault
bao operator seal

vault operator seal

You can verify the seal status by looking at the result of the status command:

OpenBao
Vault
bao status

vault status

Now, unseal the service using the recovery token received during initialization:

OpenBao
Vault
bao operator unseal

vault operator unseal

Summary

🎉 Congratulations!

You’ve learned how automatic unsealing works in OpenBao/Vault.

While this tutorial used the Transit secrets engine, the same concepts apply to other supported unsealing mechanisms. For more details, check out the References section below.

What's next?

There's still plenty more to explore:

  • See the References section below to dive deeper into the topics covered
  • Check out additional tutorials and challenges to expand your knowledge

If you want to test your knowledge or experiment further, check out these playgrounds:

References

💡 To dive deeper into the concepts covered in this tutorial, check out the resources below.

OpenBao
Vault
Discussion:  Discord
Categories: Security
Tags:  #openbao #vault #secret-management

Level up your Server Side game — Join 10,500 engineers who receive insightful learning materials straight to their inbox

How to Author Tutorials on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull tutorial content

labctl content pull tutorial openbao-vault-auto-unseal-transit-82d2a212

This will create a local copy of the tutorial content in a directory named openbao-vault-auto-unseal-transit-82d2a212. You only need to do this once per tutorial.

Stream your changes

labctl content push -fw tutorial openbao-vault-auto-unseal-transit-82d2a212

Run this command in a separate terminal to continuously upload your changes to the server while editing the tutorial in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help