I'm looking for a way to automatically unseal OpenBao on-premise. Unfortunately, I'm unable to use external unseal engines. I've read about the static unseal method but I'm having issues getting it to work properly. I'm hoping to use the Helm chart for this setup. Any advice on how to proceed?
1 Answer
Using static unseal isn't ideal unless you’ve got a reliable source for the static key. Since external unseal engines are off the table for you (any particular reason?), I’d suggest looking into the transit method, which works with another OpenBao installation. You can definitely set this up with the Helm Chart. Just make sure you understand that while auto-unseal sounds great, it could risk data loss if the unsealing process fails. Be cautious!
We have a single on-prem platform and can't use external tools either. If I run a second instance, do I need to unseal that one every time too? I was also trying to get the automatic static unseal method to work and attempted some Helm Chart configurations but it seems to ignore my changes. Any thoughts on that?
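For reference, a sketch of Helm values for the static seal discussed in this thread. It is an added example, not configuration from either poster or from the OpenBao project. It assumes an OpenBao release that supports `seal "static"`, the chart's standalone mode, and a Kubernetes Secret created beforehand; the Secret name, mount path and key ID are constructed placeholders.

```yaml
# values.yaml (added example; names marked "constructed" are placeholders)
server:
  # Mount the 32-byte unseal key from a pre-created Secret instead of
  # writing key material into the ConfigMap the chart renders.
  volumes:
    - name: static-unseal
      secret:
        secretName: openbao-static-unseal      # constructed name
        defaultMode: 0400
  volumeMounts:
    - name: static-unseal
      mountPath: /openbao/unseal               # constructed path
      readOnly: true

  standalone:
    enabled: true
    # The chart renders only the config block of the mode that is enabled.
    # With ha.enabled and raft, the block read is server.ha.raft.config,
    # and edits made under standalone.config do not reach the pod.
    config: |
      ui = true

      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable     = 1   # as in the chart default; enable TLS for production
      }

      storage "file" {
        path = "/openbao/data"
      }

      seal "static" {
        current_key_id = "example-key-1"                           # constructed ID
        current_key    = "file:///openbao/unseal/example-key-1.key"
      }
```

The static key protects everything in storage, so restrict read access to the Secret and keep an offline copy of it: if the key is lost, the data cannot be unsealed.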