Setting Up OpenBao in Docker Using Docker Compose

OpenBao is an open-source secrets management tool that provides a secure way to store and manage sensitive data. Setting it up in a containerized environment using Docker and Docker Compose makes deployment and management easier. In this guide, I’ll walk you through setting up OpenBao using Docker Compose.

Prerequisites

Before we start, ensure you have the following installed:

  • Docker

  • Docker Compose

  • A terminal or command-line tool

Step 1: Create a docker-compose.yml File

First, create a directory for OpenBao and navigate into it:

mkdir openbao && cd openbao

Next, create the folders where OpenBao configuration and data will be stored:

mkdir config
mkdir data

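After you are done creating the folders, create a config.json file in the config folder you just created and add the code below. The "ui" setting is only needed if you intend to use the OpenBao UI. Note that "tls_disable": 1 turns TLS off on the listener, so everything sent to port 8200, including tokens and unseal keys, travels unencrypted; that is acceptable for a local setup like this one only.

{
    "listener": {
        "tcp": {
            "address": "0.0.0.0:8200",
            "tls_disable": 1
        }
    },
    "storage": {
        "file": {
            "path": "/openbao/data"
        }
    },
    "api_addr": "http://openbao:8200",
    "ui": true
}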

Then, create a docker-compose.yml file in this directory and add the following configuration:

services:
  open_bao:
    image: openbao/openbao:latest
    container_name: openbao
    ports:
      - "8200:8200"
    volumes:
      # host paths are relative to the directory that holds this file
      - ./config:/openbao/config
      - ./data:/openbao/data
    environment:
      - VAULT_ADDR=http://openbao:8200  # same as api_addr in config file
    command: server

Explanation of the Configuration

  • Image: We use the latest OpenBao Docker image.

  • Container Name: Named openbao for easy reference.

  • Ports: Maps OpenBao’s default port (8200) to the host.

  • Environment Variables:

    • VAULT_ADDR=http://openbao:8200: Sets the address the bao CLI inside the container uses to reach the OpenBao server.

  • Volumes: Mounts the config and data folders from the host, so OpenBao data is stored persistently and is not lost when the container restarts.
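
A quick static check of the two files created in Step 1, as an added example that is not part of the original guide or of the OpenBao project. The function name audit_openbao and its four checks are this example's own choices, and the sample files are constructed, trimmed copies of the ones above.

```shell
#!/bin/sh
# Added example: grep-based check of the config.json and docker-compose.yml
# from Step 1. It assumes the key names and layout used in this guide.

# audit_openbao CONFIG_JSON COMPOSE_YML: prints one FINDING line per weak setting
audit_openbao() {
    cfg=$1
    compose=$2
    # tls_disable set to 1 or true (quoted or not) turns TLS off on the listener
    grep -Eq '"tls_disable"[[:space:]]*:[[:space:]]*"?(1|true)' "$cfg" &&
        echo "FINDING: TLS is disabled on the listener (tokens and unseal keys in cleartext)"
    # api_addr advertised over plain HTTP
    grep -Eq '"api_addr"[[:space:]]*:[[:space:]]*"http://' "$cfg" &&
        echo "FINDING: api_addr uses http://"
    # a ports entry of exactly 8200:8200 publishes the port on every host interface
    grep -Eq '^[[:space:]]*-[[:space:]]*"?8200:8200"?[[:space:]]*$' "$compose" &&
        echo "FINDING: port 8200 is published on all host interfaces, not only 127.0.0.1"
    # a floating tag means the next pull can bring in a different build
    grep -Eq '^[[:space:]]*image:[[:space:]]*[^[:space:]]+:latest[[:space:]]*$' "$compose" &&
        echo "FINDING: image uses the floating :latest tag"
    return 0
}

# Constructed sample input: trimmed copies of the two files from Step 1
tmp=$(mktemp -d)
cat > "$tmp/config.json" <<'EOF'
{
  "listener": { "tcp": { "address": "0.0.0.0:8200", "tls_disable": 1 } },
  "api_addr": "http://openbao:8200"
}
EOF
cat > "$tmp/docker-compose.yml" <<'EOF'
services:
  open_bao:
    image: openbao/openbao:latest
    ports:
      - "8200:8200"
EOF
audit_openbao "$tmp/config.json" "$tmp/docker-compose.yml"
rm -rf "$tmp"
```

With a TLS certificate configured on the listener, an https api_addr, the port published as 127.0.0.1:8200:8200 and a fixed image tag, the function prints nothing.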

Step 2: Start OpenBao

Now, start the OpenBao service using Docker Compose:


docker compose up --build -d

This command runs OpenBao in detached mode (-d flag), meaning it will build and run in the background.

To verify that the container is running, use:

docker ps

You should see a running container named openbao.

Then run the command below to initialize it:

docker exec -it openbao sh -c "VAULT_ADDR=http://openbao:8200 bao operator init"

You will receive a set of 5 unseal keys and a root token, something like the output below. Keep them somewhere safe; you will need them in the next steps.

Unseal Key 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 2: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 3: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 4: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 5: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Initial Root Token: s.xxxxxxxxxxxxxxxxxxxxxxxxxx

Unseal OpenBao

OpenBao starts in a sealed state. Use 3 of your 5 unseal keys to unseal it:

docker exec -it openbao bao operator unseal

Run this 3 times, entering a different unseal key each time.

Login with Root Token

docker exec -it openbao bao login

Step 3: Access OpenBao

OpenBao runs on port 8200. You can access it via:

curl http://localhost:8200

Alternatively, open your browser and navigate to http://localhost:8200/ui

Step 4: Managing Secrets in OpenBao

OpenBao has what it calls secrets engines: components that store, generate, or encrypt data. A secrets engine is given some data, takes some action on that data, and returns a result. For this guide, we are going to use the KV (key-value) engine.

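To enable the engine, run this command:

docker exec -it openbao bao secrets enable -version=1 -path=secret kv

The engine has 2 versions, so you need to specify which one you are going to use. The -path=secret flag mounts it at secret/, the path used by the commands in the rest of this guide; without it the engine is mounted at kv/. The engine can also be enabled via the UI.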

Verify the Secrets Engine is Enabled

Run the following command to check that KV is enabled:

docker exec -it openbao bao secrets list

You should see output like this:

Path          Type        Description
----          ----        -----------
secret/       kv          n/a

Next Steps

Now that your KV engine is enabled, you can start adding secrets:

docker exec -it openbao bao kv put secret/my_secret key1=value1 key2=value2

Or retrieve a secret:

docker exec -it openbao bao kv get secret/my_secret

You can also interact with OpenBao using its HTTP API. To retrieve the stored secret:

curl \
    --header "X-Vault-Token: ..." \
    http://localhost:8200/v1/secret/my_secret

Step 5: Stopping and Removing OpenBao

If you ever need to stop the OpenBao container, use:

docker compose down

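This stops and removes the container but keeps the data intact. If you want to remove volumes as well, add the -v flag:

docker compose down -v

The -v flag removes only named and anonymous volumes. The compose file in this guide bind-mounts the config and data folders from the host, so the stored secrets remain in the data folder until you delete it yourself.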

Conclusion

Setting up OpenBao with Docker Compose provides a quick and easy way to manage secrets in a containerized environment. With just a few commands, you can have a fully functional secrets management system running locally. If you’re working on projects that require secure storage of credentials, OpenBao is a great open-source alternative.

Links: OpenBao, Docker

If you found this guide useful, feel free to share your experience in the comments below! Happy coding!

Written by

Mayimuna Kizza Lugonvu