Hey everyone! I'm trying to figure out how to automatically unseal OpenBao in an on-premise setup since I can't use any external unseal engines. I read something about the static unseal method but I've been having trouble getting it to work. Any tips or guidance would really help! Also, I'm looking to set this up using the Helm chart if that makes a difference.
1 Answer
Using static unseal isn't the best option unless you have a reliable source for the static key. If external unseal engines are off the table, have you considered the transit method with a second OpenBao installation? It can work with the Helm chart, and I can vouch for that setup. Just keep in mind that while auto-unseal seems convenient, it can potentially lead to data loss if something goes wrong with the unsealing mechanism.
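For reference, an added example (not part of the answer above and not taken from the chart's own files) of Helm values that point the main cluster's seal at a second OpenBao instance through the transit method. The unsealer address, the key name `autounseal`, the Secret name `bao-transit-token` and passing the seal token through `BAO_TOKEN` are assumptions; check them against the seal documentation for your OpenBao version.

```yaml
# values.yaml for the OpenBao Helm chart (added example, names are assumptions).
# Assumed: second instance reachable at bao-unsealer.example.internal:8200 with
# the transit engine mounted at transit/ and a key named "autounseal".
# The token in the Secret needs only "update" on
#   transit/encrypt/autounseal and transit/decrypt/autounseal
# on the unsealer instance.
server:
  # Inject the seal token from a Kubernetes Secret instead of writing it
  # into the rendered config (assumed Secret: bao-transit-token, key: token).
  extraSecretEnvironmentVars:
    - envName: BAO_TOKEN
      secretName: bao-transit-token
      secretKey: token
  ha:
    enabled: true
    raft:
      enabled: true
      # In HA raft mode the chart renders this config block. A seal stanza
      # placed under server.standalone.config is not used in this mode.
      config: |
        ui = true

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_disable     = 1   # mirrors the chart default; terminate TLS here in production
        }

        storage "raft" {
          path = "/openbao/data"
        }

        # Auto-unseal through the second instance's transit engine.
        # If that instance or its key is lost, this cluster cannot unseal,
        # so back up the unsealer and keep the recovery keys from init.
        seal "transit" {
          address    = "https://bao-unsealer.example.internal:8200"
          key_name   = "autounseal"
          mount_path = "transit/"
        }

        service_registration "kubernetes" {}
```

Comparing the seal stanza in the chart's rendered ConfigMap (for example from `helm template`) with these values shows whether the chart picked up the override.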
We can only operate on-prem and can't use outside tools. If I run a second OpenBao instance, do I have to unseal it every time? Also, how can I get the automatic static method to work? I tried a configuration like this but it seems like the Helm Chart is ignoring my changes.