
Plugins

Summary: Auth methods, secret engines, and database backends are all plugins. They can be built-in, external binaries registered with OpenBao, or distributed as OCI images.

Sources: raw/docs/plugins/index.md, raw/docs/upgrading/plugins.md.

Last updated: 2026-05-19


Three plugin types

The three plugin types are secret, auth, and database. A plugin is uniquely identified by (type, name, version). The empty version means either a built-in plugin or the single unversioned plugin registered at that name (source: raw/docs/plugins/index.md).

Different versions of the same plugin can live at different mount paths simultaneously — useful for staged rollouts.

Distribution

  • Built-in — shipped in the OpenBao binary; usable without registration.
  • External binary — the operator drops a binary into the plugin directory and registers it. Obtain binaries from the openbao/openbao-plugins repo or build them from source (source: raw/docs/plugins/index.md).
  • OCI image — OpenBao can pull plugins from container registries as OCI artifacts.

Lifecycle

bao plugin register, bao plugin list, bao plugin info, bao plugin deregister, bao plugin reload, bao plugin reload-status, bao plugin runtime (source: raw/docs/commands/plugin/).

Mounting a registered plugin uses the normal bao auth enable / bao secrets enable with -plugin-name and -plugin-version.

Upgrades

In-place upgrade of a built-in plugin is documented at raw/docs/upgrading/plugins.md. The supported flow is to register the new version, then re-tune the existing mount to the new version (rolling), rather than disabling/re-enabling the mount.
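The register-then-re-tune flow above, as an added dry-run sketch (not taken from the OpenBao docs or this page's sources). It prints the commands for review instead of running them. The plugin name, version, mount path and binary path are placeholders, and the -sha256, -command and -version flags on bao plugin register and the bao secrets tune / bao auth tune commands are assumed from the bao CLI rather than from this page.

```shell
#!/bin/sh
# Added example: dry-run planner for a rolling plugin upgrade.
# Assumption: all names, versions and paths passed in are the operator's own;
# nothing here contacts an OpenBao server.

# Print the SHA-256 of a plugin binary, so the digest pinned at registration
# is computed from the exact file that sits in the plugin directory.
plugin_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the two steps: register the new version, then re-tune the existing
# mount to it. The mount is never disabled, so its data and path are kept.
# usage: upgrade_plan <type> <name> <version> <binary> <mount-path>
upgrade_plan() {
    ptype=$1; name=$2; version=$3; binary=$4; mount=$5
    case "$ptype" in
        secret) tune="bao secrets tune" ;;
        auth)   tune="bao auth tune" ;;
        *)
            # Only secret and auth mounts are handled by this sketch.
            echo "unsupported plugin type for mount tuning: $ptype" >&2
            return 2 ;;
    esac
    if [ ! -f "$binary" ]; then
        echo "missing plugin binary: $binary" >&2
        return 1
    fi
    sum=$(plugin_sha256 "$binary") || return 1
    echo "bao plugin register -sha256=$sum -command=$(basename "$binary") -version=$version $ptype $name"
    echo "$tune -plugin-version=$version $mount"
}
```

Recompute the digest from the file actually present in the plugin directory rather than copying it from a release page, so a swapped binary shows up as a mismatch at registration time.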

Profiles

Profiles enable cross-plugin communication via a server-side request framework — an alternative to inventing new ACL semantics for plugin-to-plugin calls (source: raw/blog/2024-09-27-profiles.md, raw/docs/concepts/profiles.md).

  • auth — auth methods are plugins
  • secrets — secret engines and database backends are plugins
  • upgrading — plugin upgrade procedure
  • configuration — plugin_directory config option