Skip to main content

"Dev" server mode

You can start OpenBao as a server in "dev" mode like so: bao server -dev. This dev-mode server requires no further setup, and your local bao CLI will be authenticated to talk to it. This makes it easy to experiment with OpenBao or start an OpenBao instance for development. Every feature of OpenBao is available in "dev" mode. The -dev flag just short-circuits a lot of setup to insecure defaults.


Warning: Never, ever, ever run a "dev" mode server in production. It is insecure and will lose data on every restart (since it stores data in-memory). It is only made for development or experimentation.


The properties of the dev server (some can be overridden with command line flags or by specifying a configuration file):

  • Initialized and unsealed - The server will be automatically initialized and unsealed. You don't need to use bao operator unseal. It is ready for use immediately.

  • In-memory storage - All data is stored (encrypted) in-memory. OpenBao server doesn't require any file permissions.

  • Bound to local address without TLS - The server is listening on (the default server address) without TLS.

  • Automatically Authenticated - The server stores your root access token so bao CLI access is ready to go. If you are accessing OpenBao via the API, you'll need to authenticate using the token printed out.

  • Single unseal key - The server is initialized with a single unseal key. The OpenBao is already unsealed, but if you want to experiment with seal/unseal, then only the single outputted key is required.

  • Key Value store mounted - A v2 KV secret engine is mounted at secret/. Please be aware that there are differences with v1 KV. If you want to use v1, use this flag -dev-kv-v1.

Use case

The dev server should be used for experimentation with OpenBao features, such as different auth methods, secrets engines, audit devices, etc.

In addition to experimentation, the dev server is very easy to automate for development environments.