Managed Secrets Management / PKI

Managed OpenBao Hosting

Centralized secrets management, PKI, and encryption

  • License: MPL-2.0
  • GitHub: 6.2K stars
  • Infra: 512 MB–1 GB RAM, 1–2 vCPU, 10 GB+ storage

What is OpenBao?

OpenBao is a community-governed platform for managing secrets and protecting sensitive data. It stores API keys, database credentials, and certificates behind a single audited API, issues short-lived dynamic secrets, and acts as a private certificate authority for your services.

Use cases

  • Central secrets store for microservices
  • Automatic TLS certificate issuance and rotation
  • Removing hard-coded credentials from code
  • Pairs with Keycloak for a complete identity and secrets stack

Features

  • Encrypted key-value secret storage
  • Dynamic, short-lived database credentials
  • Private PKI and certificate issuance
  • Encryption-as-a-service for application data
  • Fine-grained access policies
  • Full audit log of secret access
  • Auto-unseal and high-availability options
  • REST API and CLI

Simple, transparent pricing

Same software, fraction of the cost.

Starter

Single instance

From $40 /mo
  • OpenBao server
  • Key-value secrets engine
  • PKI certificate authority
  • Up to 25 access policies
  • Daily encrypted backups
  • Email support

Most popular

Business

High-availability pair

From $80 /mo
  • Everything in Starter
  • HA cluster with failover
  • Dynamic database secrets
  • Unlimited access policies
  • Audit log export
  • Priority support

Enterprise

Scaled deployments

From $150 /mo
  • Everything in Business
  • Auto-unseal
  • Multiple secrets engines
  • Custom integrations
  • Namespace isolation
  • SLA-backed uptime

Every plan includes

Managed hosting

Dedicated bare-metal servers

Automated backups

Daily backups with 30-day retention

SSL included

Automatic HTTPS with Let's Encrypt

Monitoring

24/7 uptime monitoring and alerting

Compliance-ready hosting

Every managed deployment runs on EU infrastructure. Data Processing Agreement available on request. All services covered under a single DPA.

Frequently asked questions

Which secrets engines does OpenBao support?

The Starter plan includes the key-value (KV) secrets engine and PKI certificate authority. Business adds dynamic database credentials, and Enterprise unlocks multiple simultaneous secrets engines with namespace isolation for different teams or environments.

How do dynamic database credentials work?

OpenBao generates a unique, short-lived username and password for each service that requests database access. Credentials expire automatically after a configurable TTL, so there are no long-lived static passwords in your codebase.

Can OpenBao act as a private certificate authority for our services?

Yes. The built-in PKI engine issues TLS certificates for internal services, rotates them before expiry, and signs certificate requests via the API. This covers mTLS between microservices without a third-party CA.

Can I migrate from HashiCorp Vault to managed OpenBao?

Yes. OpenBao is a community fork of Vault and shares its data format. We migrate your existing secret data, access policies, and engine configurations. PKI roots and dynamic secret leases are re-established to avoid service disruption.

Ready to get started with OpenBao?

Your instance is provisioned in minutes. No credit card required for a consultation.

Contact us