# Kubermatic SecureGuard > Protect and manage secrets with open-source transparency — a Kubernetes-native secrets management platform built on OpenBao and the External Secrets Operator. > Last updated: 2026-07-10 > Version: main > Pages: 13 ## About this section - [Kubermatic SecureGuard — Full Content](https://docs.kubermatic.com/secureguard/main/llms-full.txt) ## Pages - [Getting Started](https://docs.kubermatic.com/secureguard/main/getting-started/llms-full.txt): Quickly deploy Kubermatic SecureGuard in a local or development environment and watch your first secret sync end-to-end. - [Architecture & Security Model](https://docs.kubermatic.com/secureguard/main/architecture/llms-full.txt): Component architecture, authentication flow, multi-cluster routing, and the zero-knowledge security model behind Kubermatic SecureGuard. - [Installation & Deployment](https://docs.kubermatic.com/secureguard/main/installation/llms-full.txt): Deploy Kubermatic SecureGuard across managed, bring-your-own-provider, and bring-your-own-ESO modes, with production hardening guidance. - [OpenBao Basics](https://docs.kubermatic.com/secureguard/main/openbao-basics/llms-full.txt): Understand OpenBao — the open-source, production-grade secrets vault bundled with Kubermatic SecureGuard — including secret engines, auth methods, and unsealing. - [External Secrets Operator (ESO) Basics](https://docs.kubermatic.com/secureguard/main/eso-basics/llms-full.txt): How the External Secrets Operator synchronizes secrets from OpenBao (and other providers) into native Kubernetes Secrets within SecureGuard. - [User Guide](https://docs.kubermatic.com/secureguard/main/user-guide/llms-full.txt): A feature-by-feature tour of the SecureGuard dashboard — managing ExternalSecrets, stores, push secrets, clusters, and federation from a read-mostly control room. - [Advanced Configuration](https://docs.kubermatic.com/secureguard/main/advanced-configuration/llms-full.txt): Enterprise configuration for SecureGuard — custom OIDC identity providers, RBAC via impersonation, multi-cluster deployments, the ESO version catalog, and short-lived remote tokens. - [Federation — Cross-Cluster Secret Distribution](https://docs.kubermatic.com/secureguard/main/federation/llms-full.txt): Serve secret data to many clusters from a central SecureGuard instance over mTLS without exposing the backend secret stores — the federation broker, CRDs, fedclient, and resolution modes. - [Security Hardening Guide](https://docs.kubermatic.com/secureguard/main/security-hardening/llms-full.txt): Production security best practices for SecureGuard — TLS, OIDC/Dex hardening, RBAC via impersonation, network policies, container security, CSP, and supply-chain controls. - [Upgrade Guides](https://docs.kubermatic.com/secureguard/main/upgrade-guides/llms-full.txt): Best practices for upgrading SecureGuard components — OpenBao snapshots, ESO CRD upgrades, and rolling updates for the UI, proxy, and SG Agent. - [Troubleshooting & FAQ](https://docs.kubermatic.com/secureguard/main/troubleshooting/llms-full.txt): Common operational issues and resolutions for SecureGuard — dashboard access, authentication, OpenBao sealing, ESO sync errors, proxy 403s, and multi-cluster connectivity. - [Glossary](https://docs.kubermatic.com/secureguard/main/glossary/llms-full.txt): Plain-language definitions of every key term used across the SecureGuard documentation — from secrets and vaults to ESO resources, OIDC, and federation. - [API Reference](https://docs.kubermatic.com/secureguard/main/api-reference/llms-full.txt): REST API of the SecureGuard backend proxy — authentication endpoints, cluster management, the Kubernetes API proxy, the route allowlist, and error semantics.