Search Linode

Docs Home Guides Security, Upgrades & Backups Secrets Management

Deploying OpenBao on a Linode Instance

Published May 6, 2025 by Akamai

Create a Linode account to try this guide with a $100 credit.

This credit will be applied to any valid services used during your first 60 days. Sign Up

OpenBao is an open source secrets management solution and fork of HashiCorp Vault. This guide walks through a manual
installation of OpenBao on a single Linode instance running the Ubuntu 24.04 LTS distribution.

For a Kubernetes cluster deployment, see our Deploy OpenBao on Linode Kubernetes Engine guide. If you prefer an automated
one-click deployment, see our OpenBao Marketplace app.

Before You Begin

1. If you do not already have an account or virtual machine to use, see our Get Started and Create a Compute Instance guides to
create an Akamai Cloud account, familiarize yourself with Cloud Manager, and provision a new Compute Instance.

While OpenBao does not provide explicit hardware recommendations, its architecture closely mirrors that of HashiCorp Vault.
Based on Vault’s recommended specifications, this guide uses a Shared CPU Linode 8 GB plan ( g6-standard-4 ) with 4 vCPUs
and 160 GB of storage. Deployment time may vary.

Provisioning Compute Instances with the Linode CLI

2. Follow our Set Up and Secure a Compute Instance guide to update your system and create a limited user account. You may
also wish to set the timezone, configure your hostname, and harden SSH access.

Note
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo . If you’re
not familiar with the sudo command, see the Users and Groups guide.

Install OpenBao
Log into your Linode instance, and install the OpenBao package.

1. SSH into the newly provisioned Linode as a user with sudo privileges, replacing USERNAME with your username and
IP_ADDRESS with the IP address of your Linode:

ssh USERNAME@IP_ADDRESS

2. Download the latest appropriate version of OpenBao from the downloads page. This tutorial uses v2.2.0 of the AMD 64-bit
Debian package:

wget https://github.com/openbao/openbao/releases/download/v2.2.0/bao_2.2.0_linux_amd64.deb

3. Install the package:

 sudo dpkg -i bao_2.2.0_linux_amd64.deb

Selecting previously unselected package bao.

(Reading database ... 124865 files and directories currently installed.)
Preparing to unpack bao_2.2.0_linux_amd64.deb ...
Unpacking bao (2.2.0) ...
Setting up bao (2.2.0) ...
Generating OpenBao TLS key and self-signed certificate...
...
OpenBao TLS key and self-signed certificate have been generated in '/opt/openbao/tls'.

4. Verify successful installation by checking the OpenBao version:

bao -v

OpenBao v2.2.0 (a2bf51c891680240888f7363322ac5b2d080bb23), built 2025-03-05T13:07:08Z

Verify Swap Memory Limits

For Linux distributions, ensure that the OpenBao service settings do not impose a soft limit on Swap memory. To check this with a
systemd-based Linux distro, use the following command:

systemctl cat openbao

# /usr/lib/systemd/system/openbao.service
[Unit]
Description="OpenBao - A tool for managing secrets"
...

[Service]
...
TimeoutStopSec=30
LimitNOFILE=65536
MemorySwapMax=0

[Install]
WantedBy=multi-user.target

Verify that MemorySwapMax=0 appears in the results under the Service heading.

Test the OpenBao Development Server

OpenBao provides a development server that you can use to verify settings and explore OpenBao features.

Warning
The development server runs entirely in memory and is not suitable for production use. Data is not persisted between
restarts, and TLS is disabled.

1. Run this command to start the server in development mode and set a primary key. Replace MY_DEV_TOKEN with a secure key
that you have created:

bao server -dev \

-dev-root-token-id="MY_DEV_TOKEN"

The OpenBao server configuration should print to the screen along with a tail of the logs:

==> OpenBao server configuration:

Administrative Namespace:
Api Address: http://127.0.0.1:8200
 Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Environment Variables: HOME, LANG, LESSCLOSE, LESSOPEN, LOGNAME, LS_COLORS, MAIL, PATH, PWD, SHE
Go Version: go1.22.9
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_reque
Log Level:
Recovery Mode: false
Storage: inmem
Version: OpenBao v2.0.3, built 2024-11-15T16:54:47Z
Version Sha: a2522eb71d1854f83c7e2e02fdbfc01ae74c3a78

==> OpenBao server started! Log data will stream in below:

...
2024-11-25T10:07:57.493-0700 [INFO] core: vault is unsealed
2024-11-25T10:07:57.495-0700 [INFO] expiration: revoked lease: lease_id=auth/token/roo
2024-11-25T10:07:57.498-0700 [INFO] core: successful mount: namespace="" path=secret/
2024-11-25T10:07:57.499-0700 [INFO] secrets.kv.kv_cd63d9f9: collecting keys to upgrade
2024-11-25T10:07:57.499-0700 [INFO] secrets.kv.kv_cd63d9f9: done collecting keys: num_
2024-11-25T10:07:57.499-0700 [INFO] secrets.kv.kv_cd63d9f9: upgrading keys finished
...

Leave this server process running in the background.

2. Open a separate terminal window and connect to the Linode instance using another shell session:

ssh USERNAME@IP_ADDRESS

3. OpenBao expects certain variables to be set for every request. Rather than setting these variables repeatedly with each
command, set the following environment variables in the shell:

export VAULT_TOKEN="MY_DEV_TOKEN"
export OPENBAO_IP="127.0.0.1"
export OPENBAO_PORT="8200"

4. Send a request with curl to store a secret as a key-value pair. Replace VAULT_PASSWORD with a secure password.

curl -X POST \
--header "X-Vault-Token: $VAULT_TOKEN" \
--header "Content-Type: application/json" \
--data '{"data": {"password": "VAULT_PASSWORD"}}' \
http://$OPENBAO_IP:$OPENBAO_PORT/v1/secret/data/test-password-1 \
| json_pp

{
"auth" : null,
"data" : {
"created_time" : "2025-04-17T16:53:43.538885271Z",
"custom_metadata" : null,
"deletion_time" : "",
"destroyed" : false,
"version" : 1
},
"lease_duration" : 0,
"lease_id" : "",
"renewable" : false,
"request_id" : "8b6538d0-e52c-7a7a-27a4-6d4c58d9fc02",
"warnings" : null,
"wrap_info" : null
}

The development server is only exposed on localhost . Therefore, this command must be run on the server itself.
Authentication is handled by supplying the X-Vault-Token header. The structure of the URI follows the pattern
/v1/secret/data/SECRET_NAME . This POST request stores the key-value pair at location /data/SECRET_NAME .

The response provides metadata regarding the secret stored in the data object, including versioning when the secret gets
updated.
5. To retrieve the secret, send the following request:

curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
http://$OPENBAO_IP:$OPENBAO_PORT/v1/secret/data/test-password-1 \
| json_pp

The original secret is found within the data object as a key-value pair.

{
"auth" : null,
"data" : {
"data" : {
"password" : "OpenBao123"
},
"metadata" : {
"created_time" : "2025-04-17T16:53:43.538885271Z",
"custom_metadata" : null,
"deletion_time" : "",
"destroyed" : false,
"version" : 1
}
},
"lease_duration" : 0,
"lease_id" : "",
"renewable" : false,
"request_id" : "7ec0baa1-126d-1bd8-56a3-4ea4555821ff",
"warnings" : null,
"wrap_info" : null
}

6. When done, you can close the second terminal session.

7. Return to the original terminal session with OpenBao running, and press Ctrl + C to stop OpenBao.

Run OpenBao as a Service

In a real-world use case, OpenBao is ideally run as a service managed by a tool like systemd .

1. Run the following systemctl command to check the status of the OpenBao service:

systemctl status openbao

This shows that systemd is aware of the OpenBao service, but it has not been started:

○ openbao.service - "OpenBao - A tool for managing secrets"

Loaded: loaded (/usr/lib/systemd/system/openbao.service; disabled; preset: enabled)
Active: inactive (dead)
Docs: https://github.com/openbao/openbao/tree/main/website/content/docs

2. Edit the OpenBao configuration file located at /etc/openbao/openbao.hcl in a command line text editor such as nano :

sudo nano /etc/openbao/openbao.hcl

Replace the contents of the file with the following minimal configuration to run OpenBao as a publicly available service
without TLS:

File: /etc/openbao/openbao.hcl

1 ui = false
2
3 storage "file" {
4 path = "/opt/openbao/data"
5 }
6 api_addr = "http://0.0.0.0:8200"
7
8 listener "tcp" {
 9 address = "0.0.0.0:8200"
10 tls_disable = 1
11 }

Warning
The configuration above is insecure and not suitable for production use. It is only for demonstration purposes of this
tutorial. For a production-grade deployment, reference the Configuration section at the end of this guide.

When done, press CTRL + X , followed by Y then Enter to save the file and exit nano .
3. Start the OpenBao service:

systemctl start openbao

4. Recheck its status:

systemctl status openbao

The output should now show active (running) :

● openbao.service - "OpenBao - A tool for managing secrets"

Loaded: loaded (/usr/lib/systemd/system/openbao.service; disabled; preset: enabled)
Active: active (running) since Mon 2024-11-25 10:38:04 MST; 7s ago
Docs: https://github.com/openbao/openbao/tree/main/website/content/docs
Main PID: 642487 (bao)
Tasks: 6 (limit: 1124)
Memory: 12.2M (swap max: 0B peak: 12.5M)
CPU: 66ms
CGroup: /system.slice/openbao.service
└─642487 /usr/bin/bao server -config=/etc/openbao/openbao.hcl

Press the Q key to exit the status output and return to the terminal prompt.

5. Run the following command to enable the service to start automatically on boot:

systemctl enable openbao

Configure OpenBao for External Access

Although OpenBao is now running as a service on the Linode instance, additional configuration is required before it can be used.
Use the OpenBao CLI ( bao ) to interact with the running server, retrieving its current status:

bao status --address=http://0.0.0.0:8200

Key Value
--- -----
Seal Type shamir
Initialized false
Sealed true
Total Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 2.2.0
Build Date 2025-03-05T13:07:08Z
Storage Type file
HA Enabled false

This shows that the server has not been initialized and is sealed. Both of these issues must be resolved before you can interact
with the server.

Initialize the Server

1. Set the BAO_ADDR environment variable, which is used in several subsequent commands:

export BAO_ADDR=http://0.0.0.0:8200

Warning
This tutorial sets BAO_ADDR to http://0.0.0.0:8200 for demonstration purposes. In production deployments, it
should match the public IP address or domain name used to connect to the server.

2. Initialize the server:

bao operator init

Unseal Key 1: SNP+diKq1L2MYYre8pn+PIqSEn/nK76n7C6coUoVby4g

Unseal Key 2: 9Bm3d5ZHsWBT/LghfVYbGrVn0Lcmr5CvNu6H8UYVx+R/
Unseal Key 3: IrPLoIFrl2ol7dF4mA9C+kTaE44qogwT/pZ+kTrS7M4j
Unseal Key 4: O7fs+9492lVGdI5295n4AKis5c3cFZ8VEtkBmLg3lYAJ
Unseal Key 5: 0gnwUnHfkeFTaE6xIkVWy/5s4Hfwh5WxVWOrCrApGHig

Initial Root Token: s.V82B9tynwZkQtDyOne7PJ1IS

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of

existing unseal keys shares. See "bao operator rekey" for more information.

Store the values for each Unseal Key and Initial Root Token in a secure location.

Unseal the Vault (Three Times for Quorum)

When unsealing a vault, the bao operator unseal command must be performed a total of three times using different Unseal
Key values each time. This is the default quorum for OpenBao’s unsealing process.

1. Use the following command to begin unsealing the vault:

bao operator unseal

When prompted, enter one of the unseal keys provided in the previous section:

Unseal Key (will be hidden): SNP+diKq1L2MYYre8pn+PIqSEn/nK76n7C6coUoVby4g

After this first execution, the Unseal Progress output value shows 1/3 :

Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 1/3
Unseal Nonce e88d59f4-db7f-a074-c9e5-6476e55d77c4
Version 2.2.0
Build Date 2025-03-05T13:07:08Z
Storage Type file
HA Enabled false

2. Unseal the vault again, but enter a different unseal key when prompted:
 bao operator unseal

Unseal Key (will be hidden): 9Bm3d5ZHsWBT/LghfVYbGrVn0Lcmr5CvNu6H8UYVx+R/

Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 2/3
Unseal Nonce e88d59f4-db7f-a074-c9e5-6476e55d77c4
Version 2.2.0
Build Date 2025-03-05T13:07:08Z
Storage Type file
HA Enabled false

3. Unseal the vault for the third and final time, using yet another unsealing key when prompted:

bao operator unseal

After unsealing the vault with three different unseal keys, OpenBao should report the following status:

Unseal Key (will be hidden): IrPLoIFrl2ol7dF4mA9C+kTaE44qogwT/pZ+kTrS7M4j

Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 2.2.0
Build Date 2025-03-05T13:07:08Z
Storage Type file
Cluster Name vault-cluster-bf06dcdc
Cluster ID e241640b-4e62-5063-04fb-e71562706b8c
HA Enabled false

The vault has now been initialized and unsealed.

Authenticate the CLI

To authenticate the CLI with the server, use the bao login command with the Initial Root Token output value provided
upon vault initialization.

bao login -method=token INITIAL_ROOT_TOKEN

Success! You are now authenticated. The token information displayed below is
already stored in the token helper. You do NOT need to run "bao login" again.
Future OpenBao requests will automatically use this token.

Key Value
--- -----
token s.V82B9tynwZkQtDyOne7PJ1IS
token_accessor 4IjIYjvf9TLIPPXgMVFFJYzG
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]

Enable Key-Value Storage

Lastly, run the following command to enable a key-value store in OpenBao for storing and retrieving secrets via the API:
bao secrets enable kv

Success! Enabled the kv secrets engine at: kv/

Storing and Retrieving a Secret Remotely Over HTTP

OpenBao can now be accessed externally via the API. Ensure that any firewall on the Linode instance allows traffic on port 8200 .

1. From a remote machine, store a new secret, providing the Initial Root Token for authentication.

curl -X POST \
--header "X-Vault-Token: INITIAL_ROOT_TOKEN" \
--header "Content-Type: application/json" \
--data '{"data": {"hello": "world"}}' \
http://OPENBAO_LINODE_IP:8200/v1/kv/test-secret

2. Get the newly created secret to verify it was stored properly.

curl -X GET \
--header "X-Vault-Token: INITIAL_ROOT_TOKEN" \
http://OPENBAO_LINODE_IP:8200/v1/kv/test-secret \
| json_pp

{
"auth" : null,
"data" : {
"hello" : "world"
},
"lease_duration" : 2764800,
"lease_id" : "",
"renewable" : false,
"request_id" : "3bbd69a5-b77a-62b0-686d-a8a3103d6d6b",
"warnings" : null,
"wrap_info" : null
}

Considerations for Production Deployments

Several additional steps are recommended to harden an OpenBao server for production use.

Auto Unseal
OpenBao starts with its vault in a sealed state, meaning all data is encrypted. For more information on the seal and unseal
concepts, see the OpenBao documentation.

In production, auto-unseal is recommended to minimize manual operations that could lead to mistakes or exposure. Auto-unseal
is configured using cloud-based key management systems to ensure the unsealing key is never exposed directly.

Authentication
Enable and configure secure authentication methods such as:

AppRole

JSON Web Tokens (JWT)

TLS certificates

Lightweight directory access protocol (LDAP)

OpenID Connect (OIDC)

TLS certificate authentication provides secure, mutual TLS verification for sensitive environments. Meanwhile, AppRole allows
service accounts and applications to securely authenticate without human interaction. For LDAP or OIDC deployments, enforce
multi-factor authentication (MFA) for human operators to enhance security, if supported.

Configuration
OpenBao supports two configuration formats: HashiCorp Configuration Language (HCL) and JSON.

Properly configuring your OpenBao server is essential to ensuring a secure production environment. The main configuration
aspects include the UI, TLS certificate, and address/port settings. A default production configuration HCL file may look like this:

File: /etc/openbao/openbao.hcl

1 ui = false
2
3 storage "file" {
4 path = "/opt/openbao/data"
5 }
6 api_addr = "https://0.0.0.0:8200"
7
8 listener "tcp" {
9 address = "0.0.0.0:8200"
10 tls_cert_file = "/opt/openbao/tls/tls.crt"
11 tls_key_file = "/opt/openbao/tls/tls.key"
12 }

In production, disabling or securing the UI is crucial, as it exposes OpenBao’s management interface, which could be exploited if
left unprotected. If the UI is required, limit its exposure by restricting access to trusted IP ranges or VPN users only. Implement
strong authentication methods like OIDC for access control.

If the UI is not required, set ui = false .

TLS or SSL certificates encrypt traffic to and from the OpenBao server, ensuring data confidentiality and integrity. Using a valid,
trusted TLS certificate prevents man-in-the-middle attacks and validates the server’s identity to clients. Obtain a certificate from a
trusted Certificate Authority (CA) and configure OpenBao to use it as shown in the example configuration above.

For environments using an internal CA, ensure that all clients trust it, and renew the certificates periodically to avoid downtime.

Controlling the address and ports on which OpenBao listens reduces exposure and minimizes the risk of unauthorized access.
Limit OpenBao’s exposure by binding it to an internal IP address such as 127.0.0.1 or a specific internal network IP. Ensure that
OpenBao only listens on the necessary port, where the default port is 8200 . Use firewall rules to restrict access to this port to
authorized networks or users only.

These hardening measures can reduce the attack surface of the OpenBao server, enhance security controls, and ensure that only
authorized entities have access.
This page was originally published on May 6, 2025.

Your Feedback Is Important

Let us know if this guide was helpful to you.

Provide Feedback

Join the conversation.

The Disqus commenting system for Linode Docs requires the acceptance of Functional Cookies, which allow us to analyze site
usage so we can measure and improve performance. To view and create comments for this article, please update your Cookie
Preferences on this website and refresh this web page. Please note: You must have JavaScript enabled in your browser.
PRODUCTS

Products Overview

Essential Compute

Premium CPU

GPU

Accelerated Compute

Kubernetes

App Platform

Block Storage

Object Storage

Backups

Cloud Firewall

DNS Manager

NodeBalancers

Private Networking

Managed Databases

Managed Services

Distributions

Kernels

COMPANY

About Akamai

History

Leadership

Facts and Figures

Awards

Board of Directors

Investor Relations

Corporate Responsibility

Ethics

Locations

Vulnerability Reporting

Accessibility Commitment

CAREERS

Careers

Working at Akamai

Students and Recent Grads

Workplace Diversity

Search Jobs

Culture Blog

NEWSROOM

Newsroom

Press Releases

In the News
Media Resources

LEGAL & COMPLIANCE

Linode Legal

Akamai Legal

Linode Terms of Service (MSA)

EU Digital Services Act (DSA)

Information Security Compliance

Privacy Trust Center

Cookie Policy

GLOSSARY

What Is Cloud Security?

What Is Cloud Redundancy?

What Is Cloud Computing Security?

What is Cloud Portability?

What Is Event-Driven Architecture?

See all

Cookie Preferences

Support

Contact Us

System Status

Site Map

© 2003-2025 Linode LLC. All rights reserved.