Enterprise for OpenBao
The open source Vault alternative, backed by its #1 contributor
Our core team created Vault at HashiCorp, operationalised it at GitLab, and have deployed it at the biggest tier 1 banks in the world.
- 37% of all OpenBao commits are from our team
- GitHub stars and growing
- Active contributors: 76 in the last quarter
- Up to 10x potential savings vs Vault Enterprise
The Vault landscape has changed
The Fork in the Road
Your Vault contract is up for renewal. Which path reduces risk?
The Status Quo
IBM and HashiCorp Vault
Acquired for $6.4B in Feb 2025. Vault is now IBM Software.
Compounding Cost Increases
£200K+/year with pricing hikes at every contract renewal. Seat-based licensing inflates with headcount.
Opaque Security Posture
CVE patches follow IBM's disclosure timeline. No dedicated threat modelling, proactive testing, or incident response services.
Vendor Dependency
Support through IBM infrastructure queues. Product roadmap driven by IBM's commercial priorities, not yours.
Innovation Stagnation
Enterprise features behind paywalls. Missing modern updates: no CEL policy engine, no Self-Init, no Transactional Storage.
BSL 1.1 Licence
Restricts competing commercial use. Not true open source. Each file re-licenses to MPL 2.0 only after 4 years.
The Open Source Path
ControlPlane Enterprise for OpenBao
Built by the #1 contributor. Supported by world-leading engineers.
Up to 10x Cost Savings
From £20K/year for support. No seat-based licensing. Pricing scales with deployment, not headcount.
End-to-End Enterprise Security
Continuously updated threat models, proactive security testing, and incident response integration.
Direct Access to the #1 Contributor
37% of all OpenBao commits, 5,000+ contributions. Ex-HashiCorp Vault CryptoSec team.
Faster Innovation, Free
Namespaces and Horizontal Read Scalability are now GA and free. The CEL engine, Self-Init, and Transactional Storage are OpenBao-only.
MPL 2.0 Licence
OSI-approved, no usage restrictions. OpenSSF and Linux Foundation governance. No licence risk.
Strategic Lock-In or Open Source Freedom
What makes it enterprise-ready
Why OpenBao?
- Drop-in Vault replacement
- API-compatible with Vault and a drop-in replacement for most use cases. MPL 2.0 licensed and truly open source. Under Linux Foundation and OpenSSF governance since June 2025.
- Enterprise validation
- Proven by leading organisations including GitLab, SAP, NVIDIA, Epic Games, Proton, G-Research and more
- CRA compliance proof
- EU Cyber Resilience Act reporting begins September 2026. Managed and governed open source from software supply chain experts.
We created Vault at HashiCorp, and operationalised it for tier 1 banks
Why ControlPlane?
Alex Scheel, Founding Engineer
Former TSC Chair and #1 OpenBao contributor: 37% of all project activity, 5,000+ contributions. Ex-HashiCorp Vault CryptoSec team: built PKI, transit, KMIP, ACME, CA rotation, OCSP, and cross-cluster unification.
GitLab Native Integration
GitLab chose OpenBao as its native Secrets Manager (18.8+ Ultimate). ControlPlane’s expertise spans the full lifecycle from code to pipeline and production operations at scale.
Tier 1 Global Banks
Financial services depth at the highest security tier including case studies at Citigroup, JPMC, and Morgan Stanley. Regulated industry deployment is our core expertise.
Open source leadership
Multiple CNCF TAG Security co-chairs, OpenSSF core contributors, FINOS AI leadership. CISO for OpenUK, open source maintainers.
Proven enterprise playbook
Built Flux Enterprise for Morgan Stanley and others: we’re building the same model for OpenBao.
Global coverage
Global support with teams in North America, EMEA, and APAC. No other OpenBao vendor covers these markets.
Same hands. Same expertise. From Vault to OpenBao.
OpenBao's Lineage
The Origin
Our team builds Vault's CryptoSec layer, PKI, and Transit at HashiCorp.
In Production
Operationalised at scale for 30M+ users. Selected as GitLab's native Secrets Manager.
The Future
Founding OpenSSF members and leading OpenBao maintainer combine to lead ControlPlane's open source Vault alternative.
Feature-by-feature comparison
OpenBao vs Vault Enterprise
| Feature | OpenBao | Vault Enterprise (IBM) | Notes |
|---|---|---|---|
| Core Capabilities | |||
| Core secrets engine | Yes | Yes | Full parity |
| Kubernetes integrations | Yes | Yes | Compatibility with ESO, CSI-Provider & Agent |
| Namespaces | GA (v2.3.1) | Yes | Was Vault Enterprise-only — now free |
| Horizontal Read Scalability | GA (v2.5.0) | Yes | Was Vault Enterprise-only — now free |
| OpenBao-Only Features | |||
| CEL policy engine | Yes | No | Modern policy evaluation (vs Sentinel) |
| Self-Init | Yes | No | Auto-configures without root token |
| Transactional storage | Yes | No | Reduces storage write bottlenecks |
| In-line authentication | Yes | No | Massively reduces lease counts |
| Enterprise Features | |||
| PKCS#11 HSM auto-unseal | Yes | Yes | Parity |
| Performance replication | Partial | Yes | Distributed Reads available |
| Automated DR replication | Partial | Yes | Automated w/ Postgres, Roadmap w/ RAFT |
| KMIP server | In progress | Yes | PKCS#11/KMS WG |
| FIPS validation | Image exists | Yes | Formal validation on funded roadmap |
| Governance & Cost | |||
| Governance | OpenSSF (Linux Foundation) | IBM Software division | Vendor-neutral vs vendor-dependent |
| License | MPL 2.0 (OSI-approved) | BSL 1.1 (not OSI-approved) | Major differentiator |
| Annual cost | Free plus Support (starting at £20k/year) | £1,500 to £10m+/year | 10x cost savings |
Everything you need
Comprehensive Secrets Management
- Hardened Distroless Containers
- Images and security configuration for OpenBao and core plugins
- SBOM and CVE Patching
- In-sync with upstream releases, continuous scanning and CVE patching for OpenBao images
- Horizontal Scalability
- HA clusters allow Standby Nodes to serve reads locally and only forward writes to the Active Node
- Enterprise Image Repositories
- Highly available, OCI-compliant secure image repositories
- FIPS-Compliant Builds
- FIPS 140-3 validated builds of OpenBao in dedicated images
- HSM and Cloud KMS Auto-Unseal
- Automatically secure and unseal master keys using Hardware Security Modules or Cloud KMS
- Professional Services
- World-leading expertise to securely design, deploy, and operate OpenBao clusters at scale
- Multi-tenancy
- Achieve true multi-tenancy and isolation through Namespaces
Migration Services
A proven, zero-downtime upgrade path from Vault
Assessment
From £5K
Audit current Vault deployment, document secrets engines, auth methods, custom plugins, identify non-compatible features, produce detailed migration plan.
Execution
Call Us
Parallel deployment alongside Vault, clean-room secrets migration, zero-downtime application cutover, validation and security testing, rollback plan.
Post-Migration Support
Included in subscription
Monitoring and resilience, performance tuning, legacy decommissioning. Typical timeline: 2-8 weeks depending on complexity.
Named enterprise adopters
Trusted by Industry Leaders
GitLab
Native Secrets Manager integration (18.8+ Ultimate). ADR 007 formally chose OpenBao.
Proton
Sponsors collaboration suite for OpenBao maintainers. Privacy-first infrastructure built on open source.
SAP
Full-time developers working on OpenBao via EU-funded ApeiroRA initiative (NextGenerationEU).
Funded Development Roadmap
Every known gap vs Vault Enterprise has a funded development track
| Gap vs Vault Enterprise | Development track | Target |
|---|---|---|
| KMIP server | PKCS#11/KMS Working Group | 2026 |
| Versioned documentation | | 2026 |
| Automated DR failover | | 2026-2027 |
| Performance replication | Horizontal Scalability Working Group | 2026-2027 |
| FIPS formal validation | Formal 140-3 validation pending | 2028 |
| React UI rewrite | UI Working Group | 2027-2028 |
Supporting Sustainable Open Source
ControlPlane sponsors the TSC lead and core maintainers of the upstream OpenSSF OpenBao project, providing engineering and security expertise. We draw on 250 years of combined cloud native expertise in highly regulated, industry-leading DevSecOps environments.
We have a proven track record of open source collaboration and leadership, co-chairing the Linux Foundation’s Technical Advisory Group on Security (CNCF TAG Security), acting as pro-bono CISO for the open source non-profit OpenUK, and contributing to the Open Source Security Foundation (OpenSSF) and Fintech Open Source Foundation (FINOS) community working groups.
Our contributions aim to enhance the OpenBao project for the entire community and ensure its long-term sustainability.
Ready to escape Vault lock-in?
Talk to the team that built Vault's cryptographic layer and now leads the open source alternative.
- No-obligation consultation
- Transparent pricing