Managed Secrets Management / PKI
Managed OpenBao Hosting
Centralized secrets management, PKI, and encryption
What is OpenBao?
OpenBao is a community-governed platform for managing secrets and protecting sensitive data. It stores API keys, database credentials, and certificates behind a single audited API, issues short-lived dynamic secrets, and acts as a private certificate authority for your services.
Use cases
- Central secrets store for microservices
- Automatic TLS certificate issuance and rotation
- Removing hard-coded credentials from code
- Pairs with Keycloak for a complete identity and secrets stack
Features
- Encrypted key-value secret storage
- Dynamic, short-lived database credentials
- Private PKI and certificate issuance
- Encryption-as-a-service for application data
- Fine-grained access policies
- Full audit log of secret access
- Auto-unseal and high-availability options
- REST API and CLI
Simple, transparent pricing
Same software, fraction of the cost.
Starter
Single instance
- OpenBao server
- Key-value secrets engine
- PKI certificate authority
- Up to 25 access policies
- Daily encrypted backups
- Email support
Most popular
Business
High-availability pair
- Everything in Starter
- HA cluster with failover
- Dynamic database secrets
- Unlimited access policies
- Audit log export
- Priority support
Enterprise
Scaled deployments
- Everything in Business
- Auto-unseal
- Multiple secrets engines
- Custom integrations
- Namespace isolation
- SLA-backed uptime
Every plan includes
- Managed hosting: Dedicated bare-metal servers
- Automated backups: Daily backups with 30-day retention
- SSL included: Automatic HTTPS with Let's Encrypt
- Monitoring: 24/7 uptime monitoring and alerting
Compliance-ready hosting
Every managed deployment runs on EU infrastructure. Data Processing Agreement available on request. All services covered under a single DPA.
Frequently asked questions
Which secrets engines does OpenBao support?
The Starter plan includes the key-value (KV) secrets engine and PKI certificate authority. Business adds dynamic database credentials, and Enterprise unlocks multiple simultaneous secrets engines with namespace isolation for different teams or environments.
How do dynamic database credentials work?
OpenBao generates a unique, short-lived username and password for each service that requests database access. Credentials expire automatically after a configurable TTL, so there are no long-lived static passwords in your codebase.
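A client-side view of the TTL behaviour described above, as an added example (not code from this provider or from the OpenBao project). The `fetch` callable stands in for an authenticated read of `database/creds/<role>`. The response fields `lease_id`, `lease_duration` and `data.username`/`data.password` are assumed to follow the Vault-compatible database secrets engine, and the class names and sample values are hypothetical.

```python
import time
from dataclasses import dataclass

# Constructed sample, shaped like the JSON body of a read on database/creds/<role>.
SAMPLE_RESPONSE = {
    "lease_id": "database/creds/app-readonly/EXAMPLE-LEASE",
    "lease_duration": 3600,  # seconds
    "data": {"username": "v-app-readonly-EXAMPLE", "password": "EXAMPLE-ONLY"},
}

@dataclass(frozen=True, repr=False)
class DbCredential:
    username: str
    password: str
    lease_id: str
    expires_at: float  # deadline on the injected clock

    def __repr__(self):  # keep the password out of logs and tracebacks
        return f"DbCredential(username={self.username!r}, lease_id={self.lease_id!r})"

class DynamicCredentialCache:
    """Serves the current credential and requests a new one before the lease ends."""

    def __init__(self, fetch, refresh_fraction=0.5, clock=time.monotonic):
        if not 0 < refresh_fraction < 1:
            raise ValueError("refresh_fraction must be between 0 and 1")
        self._fetch, self._fraction, self._clock = fetch, refresh_fraction, clock
        self._cred, self._refresh_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._cred is None or now >= self._refresh_at:
            try:
                self._cred = self._request(now)
            except Exception:
                # Refresh failed: the old credential is usable only until its lease expires.
                if self._cred is None or now >= self._cred.expires_at:
                    raise
        return self._cred

    def _request(self, now):
        resp = self._fetch()
        ttl, data = resp.get("lease_duration", 0), resp.get("data") or {}
        if ttl <= 0 or not data.get("username") or not data.get("password"):
            raise ValueError("response is not a usable dynamic credential lease")
        self._refresh_at = now + ttl * self._fraction
        return DbCredential(data["username"], data["password"],
                            resp.get("lease_id", ""), now + ttl)
```

Open database connections with the credential returned by `get()` at connect time rather than storing it in configuration, so a connection pool picks up the replacement before the old lease expires.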
Can OpenBao act as a private certificate authority for our services?
Yes. The built-in PKI engine issues TLS certificates for internal services, rotates them before expiry, and signs certificate requests via the API. This covers mTLS between microservices without a third-party CA.
Can I migrate from HashiCorp Vault to managed OpenBao?
Yes. OpenBao is a community fork of Vault and shares its data format. We migrate your existing secret data, access policies, and engine configurations. PKI roots and dynamic secret leases are re-established to avoid service disruption.
Ready to get started with OpenBao?
Your instance is provisioned in minutes. No credit card required for a consultation.