OpenBao access
VaultPAM uses OpenBao (the open-source fork of HashiCorp Vault) as its underlying secrets engine. This article explains what OpenBao is, how VaultPAM uses it, and when on-premises admins might need to interact with it directly.
What OpenBao is
OpenBao is an open-source secrets management platform. VaultPAM uses it to encrypt and store all privileged credentials (passwords, SSH keys, API tokens) in a secure, auditable backend.
In normal operation, you never interact with OpenBao directly. VaultPAM provides a console-level abstraction: you manage Safes and credentials through the UI, and VaultPAM communicates with OpenBao on your behalf.
How VaultPAM uses OpenBao
- SaaS deployments: OpenBao is managed entirely by the VaultPAM platform. You have no direct access to it.
- On-premises deployments: OpenBao runs as part of your deployment stack. It is initialised and unsealed automatically by the VaultPAM installer. Under normal circumstances, you do not need to interact with it directly.
When you would interact with OpenBao directly
On-premises admins may need to access OpenBao directly in advanced scenarios:
- Disaster recovery: if the VaultPAM control-plane fails and you need to retrieve raw secrets
- Key rotation: rotating the OpenBao root or transit key as part of a security audit
- Debugging: diagnosing a credentials-layer issue under guidance from VaultPAM support
Before accessing OpenBao directly, contact support@vaultpam.com to confirm the procedure and avoid data loss.
Any action taken directly against the OpenBao API -- reading, writing, or deleting secrets -- bypasses VaultPAM's audit trail. This means those actions are not recorded in the VaultPAM audit log and cannot be attributed to a VaultPAM user.
Always use VaultPAM's interface for privileged access. Reserve direct OpenBao access for emergency recovery only.
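A compensating check for the gap described above, as an added example that is not part of VaultPAM's documentation or code: it scans OpenBao's own audit device log (one JSON entry per line) for requests made by anything other than VaultPAM's service identity, or made with a root token. It assumes an OpenBao audit device is enabled in your deployment; the identity name `vaultpam-control-plane`, the helper `sample_entry` and the sample entries are constructed for illustration.

```python
import json

# Assumption: display name OpenBao records for VaultPAM's own service token.
# Hypothetical value; use the one your deployment's audit log actually shows.
SERVICE_IDENTITY = "vaultpam-control-plane"
SECRET_OPS = {"read", "create", "update", "delete", "list"}

def find_direct_access(lines, service_identity=SERVICE_IDENTITY):
    """Return (findings, unparsed) for OpenBao audit-log lines (JSON per line)."""
    findings, unparsed = [], 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            unparsed += 1  # truncated or corrupted lines need a manual look
            continue
        # Every call is logged as a request and a response; count it once.
        if entry.get("type") != "request":
            continue
        auth = entry.get("auth") or {}
        req = entry.get("request") or {}
        if req.get("operation") not in SECRET_OPS:
            continue
        who = auth.get("display_name") or "<unauthenticated>"
        is_root = "root" in (auth.get("policies") or [])
        if who != service_identity or is_root:
            findings.append({"identity": who, "root": is_root,
                             "operation": req.get("operation"),
                             "path": req.get("path"), "source": req.get("remote_address")})
    return findings, unparsed

def sample_entry(kind, who, policies, op, path, addr):
    return json.dumps({"type": kind, "auth": {"display_name": who, "policies": policies},
                       "request": {"operation": op, "path": path, "remote_address": addr}})

# Constructed sample log: identities, policies, paths and addresses are made up.
SAMPLE_LOG = [
    sample_entry("request", SERVICE_IDENTITY, ["vaultpam"], "read", "secret/data/safes/prod/db", "10.0.0.5"),
    sample_entry("response", SERVICE_IDENTITY, ["vaultpam"], "read", "secret/data/safes/prod/db", "10.0.0.5"),
    sample_entry("request", "root", ["root"], "read", "secret/data/safes/prod/db", "10.0.0.50"),
    sample_entry("request", "userpass-alice", ["default"], "delete", "secret/data/safes/prod/ssh", "10.0.0.51"),
    '{"type": "request", "auth": {"display_na',
]

if __name__ == "__main__":
    print(find_direct_access(SAMPLE_LOG))
```

Findings from a planned recovery or rotation should line up with the support-confirmed procedure; anything else is direct access that the VaultPAM audit log will not show.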
OpenBao data and backups
OpenBao data is included in the standard VaultPAM backup. For SaaS, this is handled automatically. For on-premises, the PostgreSQL backup covers the OpenBao storage backend. See Backup and recovery for details.