Runbook: Unseal OpenBao

Procedure for unsealing OpenBao after container restart or server reboot.


When to Use

OpenBao automatically seals when:

  • Container restarts
  • Server reboots
  • Manual seal command issued

Symptoms:

  • Services fail to read secrets
  • OpenBao UI shows "Vault is sealed"
  • API returns 503 errors
  • Health check fails

Prerequisites

  • SSH access to odin (ssh ravenhelm@100.115.101.81)
  • 1Password CLI authenticated (op signin)
  • Access to ravenmask vault

Procedure

Step 1: Verify Seal Status

ssh ravenhelm@100.115.101.81 "docker exec openbao bao status"

Look for Sealed: true.

Step 2: Get Unseal Keys

KEY1=$(op item get "OpenBao Root Keys" --vault ravenmask --fields "Unseal Key 1" --reveal)
KEY2=$(op item get "OpenBao Root Keys" --vault ravenmask --fields "Unseal Key 2" --reveal)
KEY3=$(op item get "OpenBao Root Keys" --vault ravenmask --fields "Unseal Key 3" --reveal)

Step 3: Unseal (Requires 3 of 5 Keys)

ssh ravenhelm@100.115.101.81 "docker exec openbao bao operator unseal $KEY1"
ssh ravenhelm@100.115.101.81 "docker exec openbao bao operator unseal $KEY2"
ssh ravenhelm@100.115.101.81 "docker exec openbao bao operator unseal $KEY3"

Step 4: Verify Unsealed

ssh ravenhelm@100.115.101.81 "docker exec openbao bao status"

Confirm Sealed: false.


One-Liner Script

KEY1=$(op item get "OpenBao Root Keys" --vault ravenmask --fields "Unseal Key 1" --reveal) && \
KEY2=$(op item get "OpenBao Root Keys" --vault ravenmask --fields "Unseal Key 2" --reveal) && \
KEY3=$(op item get "OpenBao Root Keys" --vault ravenmask --fields "Unseal Key 3" --reveal) && \
ssh ravenhelm@100.115.101.81 "docker exec openbao bao operator unseal $KEY1 && docker exec openbao bao operator unseal $KEY2 && docker exec openbao bao operator unseal $KEY3"

Automation Options

Option 1: n8n Webhook

Create an n8n workflow, triggered by a monitoring alert, that runs the unseal commands.

Option 2: Auto-Unseal with Cloud KMS

Configure OpenBao to use GCP/AWS KMS for automatic unsealing:

seal "gcpckms" {
  project    = "your-project"
  region     = "global"
  key_ring   = "openbao-keyring"
  crypto_key = "openbao-key"
}

Troubleshooting

Keys Not Working

Verify you're using keys from the correct 1Password item:

op item get "OpenBao Root Keys" --vault ravenmask

Container Not Running

ssh ravenhelm@100.115.101.81 "docker ps -a | grep openbao"
# If not running:
ssh ravenhelm@100.115.101.81 "cd ~/ravenhelm/services/openbao && docker compose up -d"

Unseal Progress Resets

If unseal progress resets between commands, you may be hitting different cluster nodes. For a single-node setup, this shouldn't happen. Check container stability:

ssh ravenhelm@100.115.101.81 "docker logs openbao --tail 50"
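
Added example (not part of the original runbook): a shell helper that interprets the bao status output from Step 1 and Step 4, reports how many key shares are still needed, and flags the "Unseal Progress Resets" case where a submitted key did not advance the count. It assumes the default key/value table that bao status prints; the function names and the sample outputs are constructed for illustration.

```shell
# Added example, not from the original runbook. Assumes the default
# key/value table printed by `bao status`; sample outputs are constructed.

# seal_state: reads `bao status` text on stdin and prints
# "unsealed", "sealed <submitted> <threshold>", or "unknown".
seal_state() {
    awk '
        $1 == "Sealed"    { sealed = $2 }
        $1 == "Threshold" { threshold = $2 }
        $1 == "Unseal" && $2 == "Progress" { split($3, p, "/"); got = p[1] }
        END {
            if (sealed == "false")     print "unsealed"
            else if (sealed == "true") print "sealed", got + 0, threshold + 0
            else                       print "unknown"
        }'
}

# keys_remaining: number of key shares a state still needs.
keys_remaining() {            # $1 = one line from seal_state
    set -- $1
    case "$1" in
        unsealed) echo 0 ;;
        sealed)   echo $(( $3 - $2 )) ;;
        *)        return 1 ;;
    esac
}

# progress_advanced: compare the states before and after submitting one key.
# Returns 0 if the key counted, 1 if progress stalled or reset, 2 on bad input.
progress_advanced() {         # $1 = state before, $2 = state after
    before=$(keys_remaining "$1") || return 2
    after=$(keys_remaining "$2") || return 2
    [ "$after" -lt "$before" ]
}

SAMPLE_SEALED='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3'

SAMPLE_UNSEALED='Sealed             false
Threshold          3'

state=$(printf '%s\n' "$SAMPLE_SEALED" | seal_state)
echo "state: $state; key shares still needed: $(keys_remaining "$state")"
```

To use it against the live server, pipe the Step 1 command into seal_state before and after each unseal command and pass the two results to progress_advanced.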