In August 2023, HashiCorp changed Vault's license from the permissive Mozilla Public License (MPL 2.0) to the Business Source License (BSL 1.1). The community responded by forking Vault into OpenBao, now governed by the Linux Foundation.
This article is for DevOps engineers and platform teams evaluating whether to stick with Vault or migrate to OpenBao. If you're a small development team looking for secrets management without the operational overhead, skip to the simpler alternatives.
The License Split, Explained
The core difference starts with licensing:
| HashiCorp Vault | OpenBao | |
|---|---|---|
| License | BSL 1.1 | MPL 2.0 |
| Commercial hosting | Restricted | Unrestricted |
| Governance | HashiCorp (IBM) | Linux Foundation |
| Source available | Yes | Yes |
| OSI-approved open source | No (BSL) | Yes (MPL 2.0) |
BSL 1.1 lets you use, copy, modify, and redistribute Vault, but you cannot offer it as a competing hosted service. For most companies running Vault internally, this changes nothing. For cloud providers, managed service vendors, or companies embedding Vault in their product, it's a blocker.
MPL 2.0 has no such restrictions. You can do anything with OpenBao, including running it as a commercial service.
Feature Comparison
Both tools share the same core architecture; they diverged from the same codebase. The APIs are largely compatible today, though they've started diverging: OpenBao adds features Vault doesn't have (free Namespaces, CEL policies) and vice versa. Plugin compatibility is high but not guaranteed, so always test third-party plugins against OpenBao before migrating production workloads.
Features Available in Both
- Dynamic secrets (database, cloud providers, PKI)
- Encryption as a service (Transit engine)
- Kubernetes auth and sidecar injection
- Key/Value secrets engine (v1 and v2)
- OIDC, LDAP, AppRole, and token auth methods
- Audit logging
- Seal/unseal with auto-unseal support
- High Availability with Raft or Consul storage
- CLI, HTTP API, and web UI
Where OpenBao Pulls Ahead
| Feature | OpenBao | Vault |
|---|---|---|
| Namespaces | Free (OSS core) | Enterprise only |
| Horizontal Read Scalability | v2.5.0+ (standby nodes serve reads) | Enterprise only (Performance Standby) |
| License | MPL 2.0 (no restrictions) | BSL 1.1 (hosting restricted) |
| Governance | Linux Foundation, community-driven | HashiCorp/IBM corporate |
| CEL Policy Support | Expanding (roadmap) | Sentinel (Enterprise) |
Namespaces for free is the single biggest practical differentiator. In Vault, multi-tenant isolation via Namespaces requires an Enterprise license (pricing is deal-dependent, but typically six figures annually for large deployments). In OpenBao, it's available to everyone. If you're running a platform team serving multiple product teams, this alone can justify the switch.
Horizontal Read Scalability was introduced in OpenBao 2.5.0 (early 2026). Standby nodes can serve read requests locally instead of forwarding everything to the leader. This is equivalent to Vault Enterprise's Performance Standby Nodes (again, free in OpenBao). Note that this only benefits read-heavy workloads; write operations still go through the leader.
Where Vault Still Wins
| Feature | Vault | OpenBao |
|---|---|---|
| Disaster Recovery Replication | Enterprise | Not available |
| Performance Replication | Enterprise | Not available |
| Automated Snapshots | Enterprise | Not available |
| Sentinel Policies | Enterprise | Not available (CEL planned) |
| Ecosystem maturity | 10+ years, massive | ~2 years, growing |
| Vendor support | HashiCorp/IBM support contracts | Community-driven |
| Terraform integration | Native (same company) | Compatible but third-party |
If you need cross-datacenter replication or paid support SLAs, Vault Enterprise is still the only option. OpenBao's ecosystem is growing but younger; the real gap isn't blog posts, it's the depth of battle-tested production deployments. Vault has 10+ years of production stories, hardened Helm charts, and a massive plugin ecosystem. OpenBao inherits the codebase but not the institutional knowledge. When things break at 3am, the community Slack is not the same as a HashiCorp support ticket.
Migration: Vault to OpenBao
Because OpenBao forked from Vault and maintains broad API compatibility, migration is feasible, but it's not a drop-in swap. Plan for a proper migration project, not a weekend hack.
The Happy Path
For a simple Raft-backed deployment:
# 1. Export your Vault data
vault operator raft snapshot save vault-backup.snap
# 2. Install OpenBao
docker pull ghcr.io/openbao/openbao:latest
# 3. Restore the snapshot into OpenBao
bao operator raft snapshot restore vault-backup.snap
What Actually Changes
The snapshot gets your KV data and policies across. But several things don't transfer cleanly:
- CLI and environment variables: The binary is
bao, notvault. Environment variables change fromVAULT_ADDRtoBAO_ADDR,VAULT_TOKENtoBAO_TOKEN, etc. Every script, CI pipeline, and Dockerfile that referencesvaultneeds updating. - Auth tokens: Existing Vault tokens are not valid in OpenBao. Every client, CI runner, and service account needs to re-authenticate. Plan for a coordinated cutover or run both in parallel.
- Seal configuration: If you use auto-unseal (AWS KMS, GCP CKMS, Transit), verify that OpenBao supports your seal type and re-configure it. The seal stanza syntax is the same, but test it in staging first.
- Auth method mounts: Auth backends (OIDC, LDAP, AppRole) are restored from the snapshot, but external IdP configurations may reference Vault-specific callback URLs that need updating.
- Third-party plugins: Most Vault plugins work with OpenBao, but there's no compatibility guarantee. Test each plugin in a staging environment. Pay particular attention to database plugins and custom auth backends.
- Terraform: The Vault provider works with OpenBao by pointing
VAULT_ADDRat your OpenBao instance. But if you're using Vault-specific features that OpenBao doesn't support, those resources will fail. - Helm charts: OpenBao publishes its own Helm chart. Don't use the HashiCorp Vault Helm chart; the image names, binary paths, and default configs differ.
Migration Strategy
For production deployments, we'd recommend:
- Stand up OpenBao in a staging environment alongside Vault
- Restore a snapshot and validate your specific auth methods, plugins, and policies
- Run parallel for a few weeks; new writes go to OpenBao, reads still work on both
- Cut over clients in batches, starting with non-critical services
- Decommission Vault once all clients are migrated and you've confirmed audit log parity
Which Should You Choose?
Choose OpenBao if:
- You need Namespaces but don't want to pay for Vault Enterprise
- You're a cloud provider or SaaS that can't accept BSL restrictions
- Open-source governance matters to your organization
- You want horizontal read scalability without an Enterprise license
- You're starting fresh with no existing Vault investment
Choose HashiCorp Vault if:
- You need Disaster Recovery or Performance Replication
- You require vendor support contracts and SLAs
- Your team already has deep Vault expertise and tooling
- You need Sentinel Policies for compliance
- You're in a regulated industry that requires commercial vendor backing
Do You Actually Need Either?
Here's the honest take: both OpenBao and Vault are complex systems designed for enterprises with dedicated platform teams. They require:
- Infrastructure to run (servers, HA, backups)
- Operational expertise (unsealing, policy management, monitoring)
- Ongoing maintenance (upgrades, security patches, storage management)
If you need dynamic secrets, PKI, encryption as a service, or multi-tenant isolation, yes, you need one of these tools. That's what they're built for.
But if your use case is "my team needs to share environment variables securely", neither Vault nor OpenBao is the right tool. You're looking at weeks of setup for a problem that simpler tools solve in minutes.
Simpler Alternatives for Teams Without Platform Engineers
| Tool | Best For | Setup Time |
|---|---|---|
| Doppler | Teams wanting a managed platform | ~10 minutes |
| Infisical | Self-hosted open source | ~30 minutes |
| Keyway | GitHub-native teams, .env workflow | < 1 minute |
| dotenvx | Solo devs, encrypted .env files | ~5 minutes |
These tools trade power for simplicity. No unsealing, no policy language, no HA configuration. If you outgrow them, you can always migrate to Vault or OpenBao later; the reverse is much harder.
The Bottom Line
OpenBao is the real open-source successor to Vault. It delivers enterprise features (Namespaces, horizontal read scalability) that Vault gates behind expensive licenses, under permissive MPL 2.0 governance. For organizations where open-source licensing is a hard requirement, or where Vault Enterprise pricing doesn't fit, OpenBao is the strongest alternative available.
But "open source" doesn't mean "simple." Both tools carry significant operational weight, and OpenBao's younger ecosystem means fewer production war stories to learn from. Before choosing between them, make sure you actually need that level of infrastructure.
For further reading:
- OpenBao documentation, official docs and getting started guide
- OpenBao 2.5.0 release notes, horizontal read scalability details
- Best Doppler Alternatives, broader secrets management comparison
- Are .env Files Still Safe in 2026?, why plaintext secrets are a growing risk