OpenBao HA Cluster with Auto-Unseal using TPM


via Dev.to, by Achyuta Das

Guide to deploy a 3-node Raft cluster with TLS everywhere, SoftHSM2 PKCS#11 auto-unseal, per-node vTPM pin sealing, and keepalived VIP for leader failover.

Node Reference

  Role                        IP
  Node 1 (bootstrap leader)   192.168.1.10
  Node 2 (follower)           192.168.1.11
  Node 3 (follower)           192.168.1.12
  VIP (floats to leader)      192.168.1.13

OS: Ubuntu 24.04 LTS
OpenBao: v2.5.1 (HSM build)
Storage: Integrated Raft
Auto-unseal: SoftHSM2 PKCS#11 (AES-256-GCM) + vTPM-sealed pin per node

How It Works

All three nodes share one SoftHSM2 token containing a single AES-256 key. Raft bootstrap requires this: the leader encrypts a join challenge with the seal key, and the joining node must decrypt it with the same key.

Each node's SoftHSM user pin is sealed to that node's own vTPM. On every start, a wrapper script calls tpm2_unseal to retrieve the pin, passes it to OpenBao via BAO_HSM_PIN, and the node auto-unseals. No human intervention.

If the vTPM is gone (VM migrated without vTPM state), the node cannot start — that's t
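The wrapper described above, written out as an added example (this is illustrative code, not the article's script). It uses the tpm2-tools commands as they exist today; the persistent handle 0x81010001, the config path, and the TPM_UNSEAL_CMD test hook are assumptions of this example, and the pin is constructed sample input when the hook is used.

```sh
#!/bin/sh
# bao-tpm-wrapper.sh: example per-node wrapper (added illustration, not the
# article's script). Seals the SoftHSM2 user pin to the local TPM once, and on
# every start unseals it into BAO_HSM_PIN before exec'ing the OpenBao server.
# Handle, paths and the TPM_UNSEAL_CMD hook are assumptions of this example.
set -eu

TPM_PIN_HANDLE="${TPM_PIN_HANDLE:-0x81010001}"   # persistent handle for the sealed pin
BAO_CONFIG="${BAO_CONFIG:-/etc/openbao/openbao.hcl}"

# One-time per node: read the pin from stdin and seal it under a primary key
# in the owner hierarchy, then persist the sealed object at TPM_PIN_HANDLE.
# Only this TPM can release it afterwards; the plaintext pin is never written
# anywhere except a mode-0700 temp dir that is removed at the end.
seal_pin_to_tpm() {
  umask 077
  tmp=$(mktemp -d)
  cat > "$tmp/pin"
  tpm2_createprimary -C o -g sha256 -G rsa -c "$tmp/primary.ctx" >/dev/null
  tpm2_create -C "$tmp/primary.ctx" -g sha256 -i "$tmp/pin" \
              -u "$tmp/pin.pub" -r "$tmp/pin.priv" >/dev/null
  tpm2_load -C "$tmp/primary.ctx" -u "$tmp/pin.pub" -r "$tmp/pin.priv" \
            -c "$tmp/pin.ctx" >/dev/null
  tpm2_evictcontrol -C o -c "$tmp/pin.ctx" "$TPM_PIN_HANDLE" >/dev/null
  rm -rf "$tmp"
}

# Retrieve the pin from the TPM. Returns non-zero when the TPM cannot unseal
# or hands back nothing, which is exactly the "vTPM state is gone" case.
# TPM_UNSEAL_CMD is a test hook so the function can run on a box without a TPM.
fetch_pin() {
  if [ -n "${TPM_UNSEAL_CMD:-}" ]; then
    pin=$(sh -c "$TPM_UNSEAL_CMD") || return 1
  else
    pin=$(tpm2_unseal -c "$TPM_PIN_HANDLE") || return 1
  fi
  [ -n "$pin" ] || return 1
  printf '%s' "$pin"
}

# Hand the pin to OpenBao through the environment only (not argv, not the
# config file) and exec so the service manager supervises bao itself.
start_node() {
  if ! BAO_HSM_PIN=$(fetch_pin); then
    echo "bao-tpm-wrapper: cannot unseal HSM pin; refusing to start" >&2
    exit 1
  fi
  export BAO_HSM_PIN
  exec bao server -config="$BAO_CONFIG"
}

case "${1:-}" in
  seal)  seal_pin_to_tpm ;;
  start) start_node ;;
esac
```

Seal once per node with `printf '%s' "$PIN" | bao-tpm-wrapper.sh seal`, then start the service through `bao-tpm-wrapper.sh start` (for example as a systemd ExecStart, an assumption here since the article excerpt does not name the service manager) and leave `pin` out of the pkcs11 seal stanza so the environment variable supplies it. Two caveats worth knowing before copying this pattern: as written, the sealed object is bound only to the presence of the vTPM, not to boot state, so a node whose disk is cloned onto another VM with the same vTPM still unseals; binding the pin to PCRs (tpm2_createpolicy writing a policy file that tpm2_create takes with -L) closes that gap at the cost of re-sealing after firmware or bootloader updates. And SoftHSM2 keeps its token on disk, so the vTPM protects the pin, not the token files; those still have to be copied to every node and locked down with filesystem permissions.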

Continue reading on Dev.to
