¶ Bootstrap and Unseal Security
- Protect unseal keys and recovery material using split custody.
- Never store bootstrap root tokens in plaintext files.
- Rotate initial root credentials and use scoped operator roles.
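The three bootstrap items above, worked through as a script. This is an added example, not part of the original checklist or of the OpenBao project; it assumes a reachable server (BAO_ADDR already set), `jq` on the path, five custodians' public PGP keys named custodian1.asc to custodian5.asc, an operator policy file called operator-policy.hcl, and an OPS_ADMIN_PASSWORD variable supplied at run time. All of those names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original checklist): initialize a fresh
# OpenBao server with split custody of the unseal shares, then retire the
# bootstrap root token in favour of a scoped operator role.
# Assumed/hypothetical: BAO_ADDR already points at the server, jq is
# installed, custodian1.asc..custodian5.asc are five different people's
# public PGP keys, and operator-policy.hcl is an operator policy you wrote.
set -eu

KEY_SHARES=5      # shares handed out
KEY_THRESHOLD=3   # shares needed to unseal

# Reject share/threshold pairs that defeat split custody: a threshold of 1
# lets one person unseal alone, a threshold above the share count can never
# unseal at all.
check_split_custody() {
  shares=$1; threshold=$2
  [ "$threshold" -ge 2 ] || return 1
  [ "$threshold" -le "$shares" ] || return 1
  return 0
}

# Comma-separated list of custodian key files, one per share, in the format
# `bao operator init -pgp-keys` expects.
pgp_key_list() {
  dir=$1; i=1; list=""
  while [ "$i" -le "$KEY_SHARES" ]; do
    list="${list:+$list,}$dir/custodian$i.asc"
    i=$((i + 1))
  done
  printf '%s' "$list"
}

bootstrap() {
  keydir=${1:-./custodian-keys}
  check_split_custody "$KEY_SHARES" "$KEY_THRESHOLD" || { echo "unsafe share/threshold" >&2; return 1; }

  # Each share is encrypted to a different custodian's key before it leaves
  # the server, so the init output never contains a plaintext share.
  init_json=$(bao operator init \
      -key-shares="$KEY_SHARES" \
      -key-threshold="$KEY_THRESHOLD" \
      -pgp-keys="$(pgp_key_list "$keydir")" \
      -format=json)

  # The root token stays in a shell variable only; nothing is written to disk.
  root_token=$(printf '%s' "$init_json" | jq -r '.root_token')

  # Deliver the encrypted shares out of band, one per custodian. Unsealing
  # then needs KEY_THRESHOLD custodians to each decrypt their share with
  # their own PGP key and run `bao operator unseal`.
  printf '%s' "$init_json" | jq -r '.unseal_keys_b64[]'

  # Use the root token once, to create the operator role, then revoke it.
  BAO_TOKEN=$root_token bao policy write operator operator-policy.hcl
  BAO_TOKEN=$root_token bao auth enable userpass
  BAO_TOKEN=$root_token bao write auth/userpass/users/ops-admin \
      password="$OPS_ADMIN_PASSWORD" policies=operator token_ttl=1h
  BAO_TOKEN=$root_token bao token revoke "$root_token"
  unset root_token init_json
}

# Only talks to a server when explicitly asked; sourcing the file just loads
# the functions.
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
  bootstrap "$@"
fi
```

Run it with `RUN_BOOTSTRAP=1 ./bootstrap.sh ./custodian-keys`. The userpass method is a stand-in; in production the operator role would normally sit behind OIDC or LDAP, but the sequence (scoped role first, root token revoked last, no plaintext share or token on disk) is the same.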
¶ Storage and Transit Protection
- Use an encrypted storage backend and hardened TLS settings.
- Enforce mTLS between clients and OpenBao endpoints.
- Restrict API listener to trusted networks or service mesh.
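A server configuration that applies the three storage and transit items above, plus a small lint you can run in CI before the file is deployed. This is an added example, not configuration shipped with OpenBao or taken from the original page; the file paths, node id and bind address are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original checklist). Renders a hardened
# OpenBao server config and checks it for the settings the checklist asks for.
# Assumed/hypothetical: the certificate, key and CA paths under /etc/openbao/tls,
# the data path under /var/lib/openbao, and the bind address passed in.
set -eu

# Integrated Raft storage: OpenBao encrypts everything behind the barrier
# before it reaches disk; mounting the data path on an encrypted volume covers
# what the barrier does not (metadata, raft log files, backups).
# The listener requires and verifies client certificates (mTLS), allows only
# TLS 1.2+, and binds to an internal address rather than 0.0.0.0.
write_server_config() {
  out=$1; node_id=$2; bind_ip=$3
  cat > "$out" <<EOF
ui = false
disable_mlock = false

storage "raft" {
  path    = "/var/lib/openbao/data"   # mount this on an encrypted volume
  node_id = "${node_id}"
}

listener "tcp" {
  address                            = "${bind_ip}:8200"   # internal/mesh address, not 0.0.0.0
  tls_cert_file                      = "/etc/openbao/tls/server.crt"
  tls_key_file                       = "/etc/openbao/tls/server.key"
  tls_client_ca_file                 = "/etc/openbao/tls/client-ca.pem"
  tls_require_and_verify_client_cert = true    # mTLS: reject clients without a cert from client-ca
  tls_min_version                    = "tls12"
  tls_disable                        = false
}

api_addr     = "https://${bind_ip}:8200"
cluster_addr = "https://${bind_ip}:8201"
EOF
}

# Static check for the hardening settings above. Returns 0 only when every
# required setting is present and no weakening one (plaintext listener,
# wildcard bind) is.
lint_server_config() {
  cfg=$1
  grep -q 'tls_disable *= *false' "$cfg" || return 1
  grep -q 'tls_require_and_verify_client_cert *= *true' "$cfg" || return 1
  grep -q 'tls_min_version *= *"tls1[23]"' "$cfg" || return 1
  ! grep -q 'address *= *"0\.0\.0\.0' "$cfg" || return 1
  grep -q '^storage "raft"' "$cfg" || return 1
  return 0
}

if [ "${RUN_RENDER:-0}" = 1 ]; then
  write_server_config "${1:-/etc/openbao/openbao.hcl}" "${2:-node1}" "${3:-10.0.1.5}"
  lint_server_config "${1:-/etc/openbao/openbao.hcl}" && echo "config passes hardening checks"
fi
```

The lint is deliberately simple text matching; it catches the common regressions (someone flipping `tls_disable` on for a quick test, or widening the bind address) rather than validating the whole schema, which `bao server -config` does at start-up.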
¶ Policy and Token Hygiene
- Implement least-privilege policies per app/team namespace.
- Use short-lived tokens with renewal where needed.
- Enable audit logging for all auth and secret access events.
- Automate seal/unseal and token workflows securely.
¶ Operations and Recovery
- Patch OpenBao and dependencies regularly.
- Test backup/restore and disaster recovery procedures.
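For the Policy and Token Hygiene items above (least-privilege policy per team, short-lived renewable tokens, audit logging), the following script writes a team policy, checks it for over-broad grants, and shows the `bao` commands that apply it. This is an added example, not from the original page or the OpenBao project; it assumes a KV v2 engine mounted at `secret/`, a writable `/var/log/openbao/` directory, and BAO_ADDR/BAO_TOKEN set for an operator. The team name `team-a` is a placeholder.

```shell
#!/usr/bin/env sh
# Added example (not from the original checklist). Writes a least-privilege
# policy for one team, checks it for over-broad grants, and shows the bao
# commands that apply it, enable audit logging, and mint a short-lived token.
# Assumed/hypothetical: a KV v2 engine mounted at secret/, a writable
# /var/log/openbao/ directory, BAO_ADDR/BAO_TOKEN set for an operator.
set -eu

write_team_policy() {
  out=$1; team=$2
  cat > "$out" <<EOF
# KV v2 exposes data under secret/data/ and listing under secret/metadata/.
# Team "${team}" may read and list only its own subtree; nothing else.
path "secret/data/${team}/*" {
  capabilities = ["read"]
}
path "secret/metadata/${team}/*" {
  capabilities = ["list"]
}
EOF
}

# Static check: fail on grants that make a policy effectively root.
lint_policy() {
  cfg=$1
  ! grep -q 'path *"\*"' "$cfg" || return 1           # catch-all path
  ! grep -q 'path *"secret/\*"' "$cfg" || return 1    # whole KV mount
  ! grep -Eq '"(sudo|root)"' "$cfg" || return 1       # privileged capabilities
  ! grep -q 'path *"sys/' "$cfg" || return 1          # system backend
  return 0
}

apply_team_policy() {
  team=$1
  policy_file=$(mktemp)
  write_team_policy "$policy_file" "$team"
  lint_policy "$policy_file" || { echo "policy for $team is over-broad" >&2; return 1; }
  bao policy write "$team" "$policy_file"
  rm -f "$policy_file"

  # File audit device (enable once per server): every request and response
  # is logged, with secret values HMACed rather than stored in clear.
  bao audit enable file file_path=/var/log/openbao/audit.log

  # Short-lived and renewable, with a hard ceiling the app cannot renew past.
  bao token create -policy="$team" -ttl=1h -explicit-max-ttl=24h \
      -renewable=true -format=json
}

if [ "${RUN_APPLY:-0}" = 1 ]; then
  apply_team_policy "${1:-team-a}"
fi
```

Run with `RUN_APPLY=1 ./team-policy.sh team-a`. The lint runs before `bao policy write`, so a policy that grants `sudo`, touches `sys/`, or uses a catch-all path never reaches the server; the same check can run in CI over every policy file in the repository.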