Skip to main content

unwrap

The unwrap command unwraps a wrapped secret from OpenBao by the given token. The result is the same as the "bao read" operation on the non-wrapped secret. If no token is given, the data in the currently authenticated token is unwrapped.

Examples

Unwrap the data in the cubbyhole secrets engine for a token:

$ bao unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd

Unwrap the data in the active token:

$ bao login 848f9ccf-7176-098c-5e2b-75a0689d41cd
$ bao unwrap # unwraps 848f9ccf...

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -field (string: "") - Print only the field with the given name. Specifying this option will take precedence over other formatting directives. The result will not have a trailing newline making it ideal for piping to other processes.

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the BAO_FORMAT environment variable.