Storing and Reading Secrets with OpenBao

Abubakar Siddiq Ango Senior Developer Advocate
Jun 17, 2026 2 min read Beginner

Prerequisites

  • Completed ‘Installing OpenBao on Kubernetes’ (part 2) — OpenBao is running in dev mode
  • kubectl installed and configured

Introduction

OpenBao is running, but empty. This tutorial puts secrets into it and reads them back using the key/value (KV) engine and the bao command-line tool.

Step 1 — Open a shell in the OpenBao pod

The bao CLI ships inside the server image. Exec into the pod and point the CLI at the local server. In dev mode the root token is root:

kubectl exec -it -n openbao openbao-0 -- sh

Inside the pod:

export BAO_ADDR=http://127.0.0.1:8200
export BAO_TOKEN=root

Step 2 — Find the key/value engine

Dev mode mounts a KV version 2 engine at secret/ for you. List the enabled engines to confirm:

bao secrets list
Path       Type   Description
----       ----   -----------
secret/    kv     key/value secret storage

The secret/ path is where your key/value secrets live.

Step 3 — Store a secret

A secret is a set of key/value pairs at a path. Store an app’s config under secret/myapp/config:

bao kv put secret/myapp/config api_key=s3cr3t-123 db_password=hunter2
====== Secret Path ======
secret/data/myapp/config

======= Metadata =======
Key             Value
---             -----
created_time    2026-06-17T...
version         1

version 1 is the first revision of this secret. The KV v2 engine keeps a history, so each later write creates a new version and preserves the previous one.

Step 4 — Read it back

bao kv get secret/myapp/config
======= Data =======
Key            Value
---            -----
api_key        s3cr3t-123
db_password    hunter2

To read a single field, use the -field flag — useful in scripts:

bao kv get -field=api_key secret/myapp/config
s3cr3t-123

Type exit to leave the pod shell.

A note on paths and access

Paths like secret/myapp/config are how you organize secrets per app or team. In production you pair them with policies that grant a given identity read access to only the paths it needs, and OpenBao records every read in its audit log. Dev mode skips policies for simplicity; you read and write everything as the root token.
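
The per-path policy described above, as an added example that is not part of the original tutorial or the OpenBao project's own code: it grants read on the one secret stored in Step 3 and confirms that a sibling path is denied. The policy name myapp-read, the path otherapp/config and the helper function names are assumptions. Note that the policy targets secret/data/myapp/config, the API path printed in the Step 3 output, not the path typed at the CLI.

```shell
#!/bin/sh
# Added example: least-privilege read policy for secret/myapp/config.
# Hypothetical names (not from the tutorial): myapp-read, otherapp/config,
# and the three helper functions below.

# KV v2 serves secret data under <mount>/data/<path>. The bao kv commands hide
# that prefix, but policies are matched against the API path, so a policy
# written for "secret/myapp/config" would grant nothing.
kv2_data_path() {
  kv_mount=${1%/}   # drop a trailing slash from the mount ("secret/")
  kv_path=${2#/}    # drop a leading slash from the secret path
  printf '%s/data/%s' "$kv_mount" "$kv_path"
}

# Render a policy granting read on exactly one secret and nothing else.
render_read_policy() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$(kv2_data_path "$1" "$2")"
}

# Write the policy, mint a short-lived token bound to it, and ask the server
# what that token may do on the intended path and on a sibling path.
# Needs BAO_ADDR and a privileged BAO_TOKEN, as exported in Step 1.
apply_and_check() {
  render_read_policy secret myapp/config | bao policy write myapp-read - || return 1
  app_token=$(bao token create -policy=myapp-read -ttl=15m -field=token) || return 1
  allowed=$(bao token capabilities "$app_token" "$(kv2_data_path secret myapp/config)")
  denied=$(bao token capabilities "$app_token" "$(kv2_data_path secret otherapp/config)")
  bao token revoke "$app_token" >/dev/null
  # Pass only if the token can read its own secret and is denied elsewhere.
  [ "$allowed" = "read" ] && [ "$denied" = "deny" ]
}

# Run the live check only where the CLI and a token are available (the pod shell).
if command -v bao >/dev/null 2>&1 && [ -n "${BAO_TOKEN:-}" ]; then
  apply_and_check && echo "myapp-read is scoped to one secret"
fi
```
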

What’s next

Your secret lives in OpenBao. The final step is delivering it to a workload as a normal Kubernetes Secret, without copying the value into a manifest. That is the job of the External Secrets Operator.

Next in this series: Syncing Secrets into Kubernetes with the External Secrets Operator.

Summary

  • Secrets in OpenBao are key/value pairs stored at a path, such as secret/myapp/config.
  • bao kv put writes a secret and bao kv get reads it; -field returns a single value for scripts.
  • The KV v2 engine versions every write, keeping a history you can roll back to.
  • Production access is governed by per-path policies and recorded in an audit log.