Secrets
Summary: Secrets engines store, generate, or transform secret data. They mount at paths under arbitrary names and behave like a virtual filesystem you can read/write/list.
Sources: raw/docs/secrets/index.md, raw/docs/secrets/*/index.md.
Last updated: 2026-05-19
What a secrets engine is
A component mounted at a path that receives requests, acts on data (stores, generates, or transforms it), and returns a response. Some are passive stores (KV, cubbyhole); others generate dynamic credentials on demand (databases, PKI, SSH); others are pure cryptography services (transit, TOTP) and store no user data at all (source: raw/docs/secrets/index.md).
Lifecycle
Engines are enabled, optionally tuned, moved, and disabled — same lifecycle verbs as auth methods (source: raw/docs/commands/secrets/).
Path names are case-sensitive — kv/ and KV/ are different mounts (source: raw/docs/secrets/index.md).
Built-in engines (per raw/docs/secrets/)
KV
Two versions of a key/value store. v2 adds versioning, soft delete, and metadata. Does not issue leases (source: raw/docs/secrets/kv/, raw/docs/concepts/lease.md).
Cubbyhole
A per-token namespace, scoped to the lifetime of the token. Useful for response-wrapping handoffs (source: raw/docs/secrets/cubbyhole.md).
PKI
Generates X.509 certificates on demand against a configured CA. Supports roles, intermediate chains, CRL/OCSP, and the bao pki CLI helpers (source: raw/docs/secrets/pki/, raw/docs/commands/pki/).
SSH
Issues short-lived SSH certificates, OTPs, or signed user keys (source: raw/docs/secrets/ssh/).
Transit
“Encryption as a service” — applications send plaintext, OpenBao returns ciphertext (or signature, HMAC, etc.) without storing the data. Supports key rotation and convergent encryption (source: raw/docs/secrets/transit/, raw/docs/commands/transit/).
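Added example of the transit pattern described above (this is not code from the OpenBao docs or project): a small client that sends base64 plaintext to `<mount>/encrypt/<key>` and gets back a versioned ciphertext, then checks after a key rotation whether stored ciphertext is still under the newest key version and rewraps it if not. The `vault:v<N>:<blob>` ciphertext prefix, the `X-Vault-Token` header and the `latest_version` field of the key read are assumptions carried over from the Vault API; the mount name `transit`, key name `app` and `FakeTransport` are constructed for the example so it runs offline.

```python
"""Added example (not OpenBao code): transit encrypt / decrypt / rewrap client.

The application never holds the key. Rotation creates a new key version; old
ciphertext still decrypts while min_decryption_version allows it, but should
be rewrapped so it is protected by the latest version. Transport is injectable
so the logic can run offline against the constructed FakeTransport below.
"""
import base64
import json
import re
import urllib.request
from typing import Callable, Tuple

CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):(.+)$")  # assumed prefix format
Transport = Callable[[str, str, dict], dict]  # (method, path, json body) -> json


def parse_ciphertext(ciphertext: str) -> Tuple[int, str]:
    """Split 'vault:v3:<blob>' into (3, '<blob>'); reject anything else."""
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a transit ciphertext: %r" % ciphertext[:16])
    return int(m.group(1)), m.group(2)


def http_transport(addr: str, token: str) -> Transport:
    """Transport against a live server, e.g. http_transport(BAO_ADDR, BAO_TOKEN)."""
    def send(method: str, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            f"{addr.rstrip('/')}/v1/{path}",
            data=json.dumps(body).encode() if body else None,
            method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


class TransitClient:
    def __init__(self, transport: Transport, mount: str = "transit", key: str = "app"):
        self.send, self.mount, self.key = transport, mount.strip("/"), key

    def encrypt(self, plaintext: bytes) -> str:
        body = {"plaintext": base64.b64encode(plaintext).decode()}
        return self.send("POST", f"{self.mount}/encrypt/{self.key}", body)["data"]["ciphertext"]

    def decrypt(self, ciphertext: str) -> bytes:
        parse_ciphertext(ciphertext)  # fail fast on malformed input before a round trip
        resp = self.send("POST", f"{self.mount}/decrypt/{self.key}", {"ciphertext": ciphertext})
        return base64.b64decode(resp["data"]["plaintext"])

    def latest_version(self) -> int:
        return int(self.send("GET", f"{self.mount}/keys/{self.key}", {})["data"]["latest_version"])

    def rotate(self) -> int:
        self.send("POST", f"{self.mount}/keys/{self.key}/rotate", {})
        return self.latest_version()

    def rewrap_if_stale(self, ciphertext: str) -> Tuple[str, bool]:
        """Return (ciphertext, rewrapped); rewrap never returns plaintext to the caller."""
        if parse_ciphertext(ciphertext)[0] >= self.latest_version():
            return ciphertext, False
        resp = self.send("POST", f"{self.mount}/rewrap/{self.key}", {"ciphertext": ciphertext})
        return resp["data"]["ciphertext"], True


class FakeTransport:
    """Constructed stand-in for the API: XOR with a per-version byte (NOT real crypto)."""
    def __init__(self):
        self.keys = {1: 0x5A}  # key version -> toy key byte

    def _wrap(self, pt: bytes, v: int) -> str:
        blob = bytes(b ^ self.keys[v] for b in pt)
        return f"vault:v{v}:" + base64.b64encode(blob).decode()

    def _unwrap(self, ct: str) -> bytes:
        v, blob = parse_ciphertext(ct)
        return bytes(b ^ self.keys[v] for b in base64.b64decode(blob))

    def __call__(self, method: str, path: str, body: dict) -> dict:
        parts = path.split("/")  # ["transit", op, key, ...]
        op, latest = parts[1], max(self.keys)
        if op == "keys" and parts[-1] == "rotate":
            self.keys[latest + 1] = (self.keys[latest] * 7 + 13) % 256
            return {}
        if op == "keys":
            return {"data": {"latest_version": latest}}
        if op == "encrypt":
            return {"data": {"ciphertext": self._wrap(base64.b64decode(body["plaintext"]), latest)}}
        if op == "decrypt":
            return {"data": {"plaintext": base64.b64encode(self._unwrap(body["ciphertext"])).decode()}}
        if op == "rewrap":
            return {"data": {"ciphertext": self._wrap(self._unwrap(body["ciphertext"]), latest)}}
        raise ValueError(f"unsupported path {path}")


def demo() -> dict:
    """Encrypt, rotate, then show the old ciphertext is stale and gets rewrapped."""
    client = TransitClient(FakeTransport())
    ct_v1 = client.encrypt(b"card=4111")
    client.rotate()
    ct_v2, rewrapped = client.rewrap_if_stale(ct_v1)
    return {
        "v1": parse_ciphertext(ct_v1)[0],
        "v2": parse_ciphertext(ct_v2)[0],
        "rewrapped": rewrapped,
        "roundtrip": client.decrypt(ct_v2) == b"card=4111",
        "stale_again": client.rewrap_if_stale(ct_v2)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Against a real server, swap `FakeTransport()` for `http_transport(addr, token)`; the rest of the client is unchanged. The design point is that a rewrap sweep after rotation runs entirely inside the engine (`rewrap` takes ciphertext and returns ciphertext), so the batch job that re-protects stored data never needs a policy granting `decrypt`.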
Databases
Dynamic database credentials. OpenBao creates a temporary user on the target DB scoped by role, hands back username/password, and revokes when the lease expires (source: raw/docs/secrets/databases/).
Identity
Not a “secret store” exactly — exposes entities, aliases, and groups as a tunable secrets engine. Always mounted (source: raw/docs/secrets/identity/).
Kubernetes
Generates short-lived Kubernetes service-account tokens (source: raw/docs/secrets/kubernetes.md).
Others
LDAP credentials (raw/docs/secrets/ldap.md), RabbitMQ (raw/docs/secrets/rabbitmq.md), TOTP codes (raw/docs/secrets/totp.md).
Related pages
- leases — dynamic secrets always have leases; KV does not
- policies — controls which paths a token can read/write
- plugins — external secrets engines load as plugins
- commands-cli — bao secrets ..., bao kv ..., bao pki ...