Use cases
OpenBao is an identity-based secrets and encryption management system. OpenBao validates and authorizes clients (users, machines, apps) before providing them access to secrets or stored sensitive data.
This page describes common OpenBao use cases and provides related resources that can be used to create OpenBao configurations and workflows. The list is not exhaustive.
General secret storage
As workloads become more ephemeral and short-lived, long-lived static credentials pose a significant security threat. What if credentials are accidentally leaked, an employee leaves with the post-it notes that contain the AWS access key, or someone checks an S3 access token into a public GitHub repo? With OpenBao, you can generate short-lived, just-in-time credentials that are automatically revoked when their time expires. This means users and security teams do not have to worry about manually revoking or rotating these credentials.
Static secrets
Credentials can be long-lived and static, where they don't change or are changed infrequently. OpenBao can store these secrets behind its cryptographic barrier, and clients can request them for use in their applications.
Dynamic secrets
A key benefit of OpenBao's secrets storage is the ability to generate credentials dynamically. These credentials are created when clients need them. OpenBao can also manage the lifecycle of these credentials, including deleting them after a defined period of time.
In addition to database credential management, OpenBao can manage your Active Directory accounts, SSH keys, PKI certificates and more.
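The lease lifecycle behind dynamic secrets, as an added illustration that is not OpenBao's own code: a constructed broker mints a fresh credential per request, tracks its lease with a TTL and a maximum TTL, allows renewal up to that maximum, and revokes the credential in the backing system once the lease expires. The backing "database" is a dictionary, the clock is injectable so the walk-through in demo() is deterministic, and all names and role values are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    username: str
    expires_at: float      # current expiry; extended by renew(), capped by max_expires_at
    max_expires_at: float  # hard ceiling set at issue time
    revoked: bool = False


class FakeClock:
    """Deterministic stand-in for time.time() so the demo is reproducible."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DynamicCredentialBroker:
    """Constructed model of a dynamic-secrets engine (not OpenBao's implementation)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.backend_users = {}  # username -> password, standing in for the database
        self.leases = {}

    def issue(self, role, ttl, max_ttl):
        now = self.clock()
        username = f"v-{role}-{secrets.token_hex(4)}"   # unique per request
        password = secrets.token_urlsafe(24)
        self.backend_users[username] = password          # "CREATE USER" in the backend
        lease = Lease(lease_id=f"db/creds/{role}/{secrets.token_hex(8)}", username=username,
                      expires_at=now + ttl, max_expires_at=now + max_ttl)
        self.leases[lease.lease_id] = lease
        return lease.lease_id, username, password

    def renew(self, lease_id, increment):
        lease = self.leases[lease_id]
        now = self.clock()
        if lease.revoked or now >= lease.expires_at:
            raise ValueError("lease is expired or revoked")
        lease.expires_at = min(now + increment, lease.max_expires_at)  # never past max TTL
        return lease.expires_at

    def revoke(self, lease_id):
        lease = self.leases[lease_id]
        if not lease.revoked:
            self.backend_users.pop(lease.username, None)  # "DROP USER" in the backend
            lease.revoked = True

    def tidy(self):
        """Background sweep: revoke every lease whose expiry has passed."""
        now = self.clock()
        expired = [lid for lid, lease in self.leases.items()
                   if not lease.revoked and now >= lease.expires_at]
        for lid in expired:
            self.revoke(lid)
        return expired

    def is_valid(self, username, password):
        return self.backend_users.get(username) == password


def demo():
    clock = FakeClock()
    broker = DynamicCredentialBroker(clock=clock)
    lease_id, user, pw = broker.issue("readonly", ttl=3600, max_ttl=7200)
    steps = {"valid_at_issue": broker.is_valid(user, pw)}
    clock.advance(3000)                                 # t=3000
    broker.renew(lease_id, increment=3600)              # 6600 < max 7200, so granted in full
    steps["expires_after_renew"] = broker.leases[lease_id].expires_at
    clock.advance(3000)                                 # t=6000, still inside the lease
    steps["valid_before_expiry"] = broker.is_valid(user, pw) and not broker.tidy()
    clock.advance(1500)                                 # t=7500, lease has lapsed
    steps["revoked_by_tidy"] = broker.tidy() == [lease_id]
    steps["valid_after_expiry"] = broker.is_valid(user, pw)
    return steps


if __name__ == "__main__":
    print(demo())
```

The point the paragraph makes but does not show is that nobody has to remember to clean up: the credential disappears from the backend the moment the sweep sees an expired lease, and renewal cannot push a lease past the ceiling fixed when it was issued.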
Data encryption
Many organizations seek solutions to encrypt and decrypt application data within a cloud or multi-datacenter environment; deploying cryptography and maintaining a complex key management infrastructure can be expensive and challenging. OpenBao provides encryption as a service with centralized key management to simplify encrypting data in transit and at rest across clouds and datacenters. OpenBao can encrypt and decrypt data that is stored elsewhere, so applications can encrypt their data while keeping it in their primary data store. The team operating OpenBao owns the responsibility for data encryption within the OpenBao environment, allowing developers to focus solely on encrypting and decrypting data as needed.
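What "encryption as a service" buys an application, shown as an added example that is not OpenBao's code: a constructed transit-style service that keeps every key version inside the service, stamps each ciphertext with the key version that produced it, and supports rotation, rewrapping of old ciphertext under the newest version, and retiring old versions. The cipher is a stand-in built from stdlib HMAC-SHA256 (a keystream in counter mode plus an encrypt-then-MAC tag), used here only because it needs no third-party library; a real transit engine uses an AEAD such as AES-GCM. The "bao:vN:" ciphertext prefix and the method names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import secrets


class TransitKey:
    """A named key with numbered versions: only the latest encrypts,
    and versions below min_decryption_version are retired."""
    def __init__(self):
        self.versions = {1: secrets.token_bytes(32)}
        self.latest = 1
        self.min_decryption_version = 1

    def rotate(self):
        self.latest += 1
        self.versions[self.latest] = secrets.token_bytes(32)
        return self.latest


def _subkeys(master):
    # Derive separate encryption and MAC keys from one key version.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TransitService:
    PREFIX = "bao"  # constructed placeholder for this example

    def __init__(self):
        self.keys = {}

    def create_key(self, name):
        self.keys[name] = TransitKey()

    def rotate(self, name):
        return self.keys[name].rotate()

    def retire_versions_below(self, name, version):
        self.keys[name].min_decryption_version = version

    def encrypt(self, name, plaintext: bytes) -> str:
        key = self.keys[name]
        enc, mac = _subkeys(key.versions[key.latest])   # key material never leaves this class
        nonce = secrets.token_bytes(16)                   # fresh per call; never reused
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        return f"{self.PREFIX}:v{key.latest}:" + base64.b64encode(nonce + ct + tag).decode()

    def decrypt(self, name, ciphertext: str) -> bytes:
        key = self.keys[name]
        prefix, ver, payload = ciphertext.split(":", 2)
        if prefix != self.PREFIX or not ver.startswith("v") or not ver[1:].isdigit():
            raise ValueError("malformed ciphertext")
        version = int(ver[1:])
        if version not in key.versions or version < key.min_decryption_version:
            raise ValueError(f"key version {version} is not available for decryption")
        enc, mac = _subkeys(key.versions[version])
        blob = base64.b64decode(payload)
        if len(blob) < 48:
            raise ValueError("malformed ciphertext")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # reject any modification before decrypting
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

    def rewrap(self, name, ciphertext: str) -> str:
        """Re-encrypt stored ciphertext under the latest version without exposing the plaintext to the caller."""
        return self.encrypt(name, self.decrypt(name, ciphertext))


def _fails(fn):
    try:
        fn()
        return False
    except ValueError:
        return True


def demo():
    svc = TransitService()
    svc.create_key("orders")
    ct_v1 = svc.encrypt("orders", b"card 4111")      # constructed sample record
    svc.rotate("orders")
    ct_v2 = svc.rewrap("orders", ct_v1)
    blob = bytearray(base64.b64decode(ct_v2.split(":", 2)[2]))
    blob[20] ^= 1                                       # flip one ciphertext bit
    tampered = f"{TransitService.PREFIX}:v2:" + base64.b64encode(bytes(blob)).decode()
    old_ok_before_retire = svc.decrypt("orders", ct_v1) == b"card 4111"
    svc.retire_versions_below("orders", 2)
    return {
        "v1_prefix": ct_v1.startswith("bao:v1:"),
        "v2_prefix": ct_v2.startswith("bao:v2:"),
        "v2_roundtrip": svc.decrypt("orders", ct_v2) == b"card 4111",
        "old_ok_before_retire": old_ok_before_retire,
        "old_rejected_after_retire": _fails(lambda: svc.decrypt("orders", ct_v1)),
        "tamper_rejected": _fails(lambda: svc.decrypt("orders", tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The application only ever holds opaque strings; the version tag in each one is what lets the service rotate keys on a schedule, rewrap records in the background, and finally refuse anything still encrypted under a retired version.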
Identity-based access
Organizations need a way to manage identity sprawl with the proliferation of different clouds, services, and systems, each with its own identity provider. The risk of compromising an organization's security infrastructure increases as organizations are forced to manage multiple identity management systems while trying to unify a single logical identity across numerous cloud platforms. Different platforms support different methods and constructs for identity, making it difficult to recognize a user or identity across multiple forms of credentials. OpenBao solves this challenge by using a unified ACL system to broker access to systems and secrets and by merging identities across providers. With identity-based access, organizations can leverage any trusted resource identity to regulate and manage system and application access, and authentication, across various clouds, systems, and endpoints.
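How a unified ACL can merge identities from different providers, as an added example that is not OpenBao's implementation: a constructed identity store maps aliases from two hypothetical auth mounts (a JWT/OIDC mount and a Kubernetes mount) onto one entity, and that entity carries the policies that are evaluated for every request path. The policy syntax is a minimal subset in the style of path-and-capabilities rules; the evaluation here is a deliberate simplification (a matching deny rule always wins, otherwise the capabilities of all matching rules are combined) and is not a statement of OpenBao's precedence rules. Mount names, aliases, paths and policy names are all constructed.

```python
import re


def parse_policy(hcl: str):
    """Parse the minimal subset used here:  path "<pattern>" { capabilities = ["read", "list"] }"""
    rule_re = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)
    rules = []
    for m in rule_re.finditer(hcl):
        caps = set(re.findall(r'"([^"]+)"', m.group(2)))
        rules.append((m.group(1), caps))
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    trailing_glob = pattern.endswith("*")
    if trailing_glob:
        pattern = pattern[:-1]
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/"))
    if trailing_glob:
        regex += ".*"
    return re.fullmatch(regex, path) is not None


class IdentityStore:
    """Constructed model: aliases from several auth mounts resolve to one entity,
    and the entity's policies decide what any of its logins may do."""

    def __init__(self):
        self.policies = {}          # policy name -> parsed rules
        self.entity_policies = {}   # entity name -> set of policy names
        self.alias_index = {}       # (auth mount, alias name) -> entity name

    def add_policy(self, name, hcl):
        self.policies[name] = parse_policy(hcl)

    def create_entity(self, name, policies):
        self.entity_policies[name] = set(policies)

    def add_alias(self, entity, auth_mount, alias_name):
        self.alias_index[(auth_mount, alias_name)] = entity

    def login(self, auth_mount, alias_name):
        # Authentication is done by the mount; this step only resolves the alias to an entity.
        try:
            return self.alias_index[(auth_mount, alias_name)]
        except KeyError:
            raise PermissionError(f"no entity for alias {alias_name!r} on mount {auth_mount!r}")

    def capabilities(self, entity, path):
        granted = set()
        for policy in self.entity_policies.get(entity, ()):
            for pattern, caps in self.policies[policy]:
                if path_matches(pattern, path):
                    if "deny" in caps:
                        return {"deny"}             # an explicit deny overrides everything
                    granted |= caps
        return granted or {"deny"}                  # no matching rule: default deny

    def authorize(self, entity, capability, path) -> bool:
        caps = self.capabilities(entity, path)
        return "deny" not in caps and capability in caps


def demo():
    store = IdentityStore()
    store.add_policy("app-reader", '''
        path "secret/data/app/*"       { capabilities = ["read", "list"] }
        path "secret/data/app/prod-db" { capabilities = ["deny"] }
        path "transit/encrypt/+"       { capabilities = ["update"] }
    ''')
    store.create_entity("ci-runner", ["app-reader"])
    # The same workload, seen through two different identity providers:
    store.add_alias("ci-runner", "jwt/", "repo:example-org/app")
    store.add_alias("ci-runner", "kubernetes/", "system:serviceaccount:ci:runner")
    via_jwt = store.login("jwt/", "repo:example-org/app")
    via_k8s = store.login("kubernetes/", "system:serviceaccount:ci:runner")
    return {
        "same_entity": via_jwt == via_k8s == "ci-runner",
        "config_caps": sorted(store.capabilities(via_jwt, "secret/data/app/config")),
        "prod_db_denied": not store.authorize(via_k8s, "read", "secret/data/app/prod-db"),
        "transit_update": store.authorize(via_jwt, "update", "transit/encrypt/orders"),
        "transit_nested_denied": not store.authorize(via_jwt, "update", "transit/encrypt/a/b"),
        "other_path_denied": not store.authorize(via_jwt, "read", "secret/data/other"),
    }


if __name__ == "__main__":
    print(demo())
```

Because both logins resolve to the same entity, the policy is written once and audited once; adding a third provider means adding an alias, not duplicating rules, and revoking the entity's policies cuts off every login path at the same time.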