secure k8s

Seal / Unseal

Summary: On startup OpenBao is sealed — storage is accessible but encrypted and unreadable. Unsealing reconstructs the root key (Shamir shards or auto-unseal KMS) so the keyring can be decrypted and the server can serve.

Sources: raw/docs/concepts/seal.md, raw/docs/configuration/seal/*.md.

Last updated: 2026-05-19


Why

Data in the storage backend is encrypted by the encryption key (the keyring). The keyring is encrypted by the root key. The root key is encrypted by the unseal key (or by an external KMS, in auto-unseal). Unsealing is the process of producing the unseal key → root key → keyring → data (source: raw/docs/concepts/seal.md).

While sealed, almost nothing works — only seal status and the unseal endpoints themselves.

Shamir seal (default)

The unseal key is split via Shamir’s Secret Sharing into N shares with threshold T. Operators run bao operator unseal, providing one share at a time from different machines, until T shares have been provided, at which point OpenBao reconstructs the unseal key. Each node in a cluster must be unsealed independently — a partial unseal does not propagate to other nodes (source: raw/docs/concepts/seal.md).

Auto unseal

Delegates protection of the unseal key to a KMS or HSM. At startup OpenBao reads the encrypted root key from storage and asks the configured device to decrypt it. Available backends (raw/docs/configuration/seal/):

  • awskms, azurekeyvault, gcpckms, ocikms, alicloudkms — cloud KMS.
  • pkcs11 — HSMs via PKCS#11 (raw/docs/guides/unseal/pkcs11/).
  • kmip — KMIP-speaking key servers.
  • transit — another OpenBao cluster acting as KMS.
  • static — a literal key in config (lab/test only).

Auto-unseal also defines a separate recovery key (Shamir-split) used for operations that still need a quorum, e.g. operator generate-root.

Sealing

bao operator seal discards the in-memory root key. Useful as an incident-response kill switch — the server keeps its config but stops serving until re-unsealed.

A node also seals automatically if the storage layer hits an unrecoverable error.
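A worked model of the Shamir seal and the seal kill switch described above. This is a constructed example for this note, not OpenBao code: the integer secret stands in for the unseal key, and Node is a toy stand-in for a cluster member, not the real server.

```python
"""Threshold unseal modelled on the Shamir seal described above (constructed
example, not OpenBao code). The secret stands in for the unseal key."""
import secrets

P = 2**521 - 1  # Mersenne prime; secret and shares are field elements mod P

def split(secret, n, t):
    """Split `secret` into n shares (x, y) of a random degree-(t-1) polynomial."""
    if not (1 < t <= n and 0 <= secret < P):
        raise ValueError("need 1 < t <= n and secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner: y = c0 + c1*x + ... mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def combine(shares):
    """Lagrange interpolation at x = 0; fewer than t distinct shares yield a uniform random value."""
    result = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P
    return result

class Node:
    """One cluster member; mirrors the progress `bao operator unseal` reports. Each node is unsealed on its own."""
    def __init__(self, threshold):
        self.t = threshold
        self.pending = {}        # x -> y; resubmitting a share adds no progress
        self.unseal_key = None   # held in memory only while unsealed

    def unseal(self, share):
        x, y = share
        self.pending[x] = y
        if len(self.pending) >= self.t:
            self.unseal_key = combine(list(self.pending.items()))
            self.pending.clear()
        return {"sealed": self.unseal_key is None, "progress": len(self.pending), "t": self.t}

    def seal(self):
        self.unseal_key = None   # kill switch: storage stays intact but unreadable
```

Any T of the N shares reconstruct the same key, T-1 shares produce an unrelated value, and sealing a node simply forgets the key until the quorum is presented again.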

  • storage — what the seal protects
  • tokens — operator generate-root requires unseal/recovery quorum
  • configuration — seal { ... } stanzas
  • internals — architecture-level view of the barrier