Installing OpenBao
There are several options to install OpenBao:
-
Install from a Package Manager.
-
Use a precompiled binary.
-
Install from source.
Package manager
OpenBao does not yet have a package repository. For now you need to download and install packages manually.
OpenBao manages packages for Ubuntu, Debian, Fedora, RHEL, Amazon Linux, and other distributions. Download the appropriate package for your operating system and architecture.
Precompiled binaries
To install the precompiled binary, download the applicable package for your system. OpenBao is packaged as a zip file.
Once the zip is downloaded, unzip the file into your designated directory. The bao binary
inside is all that is necessary to run OpenBao (or bao.exe for Windows). No
additional files are required to run OpenBao.
Copy the binary to your system. If you intend to access it from the
command-line, ensure that you place the binary somewhere on your PATH.
Refer to the [OpenBao Tutorials][learn-vault-dev-server] to start a server, put
your first secret, and use other features of OpenBao.
Compiling from source
To compile from source, you will need Go installed and
properly configured (including a GOPATH environment variable set), as well as
a copy of git in your PATH.
Clone the OpenBao repository from GitHub into your GOPATH:
$ mkdir -p $GOPATH/src/github.com/openbao && cd $_
$ git clone https://github.com/openbao/openbao.git
$ cd openbao
Bootstrap the project. This will download and compile libraries and tools needed to compile OpenBao:
$ make bootstrap
Build OpenBao for your current system and put the binary in ./bin/ (relative to
the git checkout). The make dev target is just a shortcut that builds bao
for only your local build environment (no cross-compiled targets).
$ make dev
Verifying the installation
To verify OpenBao is installed, run bao -h on your system. You should
see the help output. If you are executing it from the command line, ensure it is
on your PATH to avoid receiving an error that OpenBao is not found.
$ bao -h
Post-installation hardening
After installing OpenBao, you may want to take additional steps to secure it against leaking your secrets. OpenBao normally does this very well, but there is an operating system feature that undermines OpenBao's protection. This is memory paging (aka swap). To provide extra security, you will want to make sure that your OS has swap disabled or that its swap space is encrypted.
Linux
The example systemd service file provided with the OpenBao source code comes
configured to disable swap for the OpenBao process. To verify that swap is
disabled, run systemctl cat openbao and check for the line MemorySwapMax=0.
Alternatively, to allow the openbao process to swap out, make sure that line is
deleted.
If you are not using systemd, you can achieve the same effect by setting the
cgroupv2 value memory.swap.max to 0 using your tool of choice. You can
disable swap for the entire OS by running swapoff (this is not recommended).
Encrypting swap space in Linux is possible, but as usual, there are many
options, and a guide is outside the scope of these docs. Consult your distro's
documentation.
BSDs and other Unix-like
It is recommended to confirm that swap is encrypted. This can be done on all the major BSDs.
- FreeBSD guide to encrypted swap
- NetBSD guide to encrypted swap
- OpenBSD info on encrypted swap (enabled by default)
Windows
You can check if your swap space is encrypted by opening Powershell and running:
> fsutil behavior query encryptpagingfile
If the value is 0 (that is, DISABLED), you are recommended to enable swap
encryption by running:
> fsutil behavior set encryptpagingfile 1
Then reboot.
Docker
When running the Docker image, include the flag --memory-swappiness=0.
macOS
The swap space on macOS is always encrypted.
Signature Verification
GPG
First, download our GPG key and import it:
$ gpg2 --import openbao-gpg-pub-20240618.asc
gpg: key D200CD702853E6D0: public key "OpenBao <openbao@lists.lfedge.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
To verify GPG signed artifacts, use gpg2 from the command line. For example, to verify checksums-freebsd.txt with the checksums-freebsd.txt.gpgsig stored locally:
$ gpg2 --verify checksums-freebsd.txt.gpgsig checksums-freebsd.txt
gpg: Signature made Wed 17 Jul 2024 06:12:03 PM EDT
gpg: using RSA key E617DCD4065C2AFC0B2CF7A7BA8BC08C0F691F94
gpg: Good signature from "OpenBao <openbao@lists.lfedge.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 66D1 5FDD 8728 7219 C8E1 5478 D200 CD70 2853 E6D0
Subkey fingerprint: E617 DCD4 065C 2AFC 0B2C F7A7 BA8B C08C 0F69 1F94
Cosign and Rekor
To verify Cosign signed artifacts, use rekor-cli or curl to pull the entry from Rekor.
For example, to verify checksums.txt with the checksums.txt.sig stored locally:
$ SHASUM="$(openssl sha256 -r checksums.txt | awk '{print $1}')"
bc53476e7e69c98650bf69690caf1aa32dc08c19735375819ae3b29bb9c2b733
$ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}"
24296fb24b8ad77aedcc1a0cea8b33a04926d6f3b8db35107a1e864c007bb4aa84416a5153cc0bca
$ UUID=24296fb24b8ad77aedcc1a0cea8b33a04926d6f3b8db35107a1e864c007bb4aa84416a5153cc0bca
$ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" > response.json
$ jq -r ".[\"$UUID\"].body" < response.json | base64 -d | jq -r '.spec.signature.publicKey.content' | base64 -d > certificate.pem
$ base64 -d < checksums-linux.txt.sig > checksums-linux.txt.rawsig
$ openssl pkeyutl -verify -certin -inkey certificate.pem -sigfile checksums-linux.txt.rawsig -in checksums-linux.txt -rawin
Signature Verified Successfully