Enterprise for OpenBao

The open source Vault alternative, backed by its #1 contributor

OpenSSF Governed MPL 2.0 Licensed #1 Project Contributor
of all OpenBao commits from our team
0%
GitHub stars and growing
0+
active contributors, 76 in the last quarter
0+
potential savings vs Vault Enterprise
0x

The Vault landscape has changed

The Fork in the Road

Your Vault contract is up for renewal. Which path reduces risk?

The Status Quo

IBM and Hashicorp Vault

Acquired for $6.4B in Feb 2025. Vault is now IBM Software.

Compounding Cost Increases

£200K+/year with pricing hikes at every contract renewal. Seat-based licensing inflates with headcount.

Opaque Security Posture

CVE patches follow IBM's disclosure timeline. No dedicated threat modelling, proactive testing, or incident response services.

Vendor Dependency

Support through IBM infrastructure queues. Product roadmap driven by IBM's commercial priorities, not yours.

Innovation Stagnation

Enterprise features behind paywalls. Missing modern updates: no CEL policy engine, no Self-Init, no Transactional Storage.

BSL 1.1 Licence

Restricts competing commercial use. Not true open source. Each file re-licenses to MPL 2.0 only after 4 years.

VS

The Open Source Path

ControlPlane Enterprise for OpenBao

Built by the #1 contributor. Supported by world-leading engineers.

Up to 10x Cost Savings

From £20K/year for support. No seat-based licensing. Pricing scales with deployment, not headcount.

End-to-End Enterprise Security

Continuously updated threat models, proactive security testing, and incident response integration.

Direct Access to the #1 Contributor

37% of all OpenBao commits, 5,000+ contributions. Ex-HashiCorp Vault CryptoSec team.

Faster Innovation, Free

Namespaces, Horizontal Read Scalability now GA and free. CEL engine, Self-Init, Transactional Storage are OpenBao-only.

MPL 2.0 Licence

OSI-approved, no usage restrictions. OpenSSF and Linux Foundation governance. No licence risk.

Strategic Lock-In or Open Source Freedom

Book a Migration Assessment →

What makes it enterprise-ready

Why OpenBao?

Drop-in Vault replacement
Same API compatibility, and drop-in replacement for most use cases. MPL 2.0 licensed and truly open source. Under Linux Foundation and OpenSSF governance since June 2025.
Enterprise validation
Proven by leading organisations including GitLab, SAP, NVidia, Epic Games, Proton, G-Research and more
CRA compliance proof
EU Cyber Resilience Act reporting begins September 2026. Managed and governed open source from software supply chain experts.

We created Vault at HashiCorp, and operationalised it for tier 1 banks

Why ControlPlane?

CREATED

Alex Scheel, Founding Engineer

Former TSC Chair and #1 OpenBao contributor: 37% of all project activity, 5,000+ contributions. Ex-HashiCorp Vault CryptoSec team: built PKI, transit, KMIP, ACME, CA rotation, OCSP, and cross-cluster unification.

INTEGRATED

GitLab Native Integration

GitLab chose OpenBao as its native Secrets Manager (18.8+ Ultimate). ControlPlane’s expertise spans the full lifecycle from code to pipeline and production operations at scale.

DEPLOYED

Tier 1 Global Banks

Financial services depth at the highest security tier including case studies at Citigroup, JPMC, and Morgan Stanley. Regulated industry deployment is our core expertise.

Open source leadership

Multiple CNCF TAG Security co-chairs, OpenSSF core contributors, FINOS AI leadership. CISO for OpenUK, open source maintainers.

Proven enterprise playbook

Built Flux Enterprise for Morgan Stanley and others: we’re building the same model for OpenBao.

Global coverage

Global support with teams in North America, EMEA, and APAC. No other OpenBao vendor covers these markets.

Same hands. Same expertise. From Vault to OpenBao.

OpenBao's Lineage

2015–2023

The Origin

Our team builds Vault's CryptoSec layer, PKI, and Transit at HashiCorp.

2023–2025

In Production

Operationalised at scale for 30M+ users. Selected as GitLab's native Secrets Manager.

2026+

The Future

Founding OpenSSF members and leading OpenBao maintainer combine to lead ControlPlane's open source Vault alternative.

Feature-by-feature comparison

OpenBao vs Vault Enterprise

FeatureOpenBaoVault Enterprise (IBM)Notes
Core Capabilities
OpenBao-Only Features
Enterprise Features
Governance & Cost

Everything you need

Comprehensive Secrets Management

Hardened Distroless Containers
Images and security configuration for OpenBao and core plugins
SBOM and CVE Patching
In-sync with upstream releases, continuous scanning and CVE patching for OpenBao images
Horizontal Scalability
HA clusters allow Standby Nodes to serve reads locally and only forward writes to the Active Node
Enterprise Image Repositories
Highly available, OCI-compliant secure image repositories
FIPS-Compliant Builds
FIPS 140-3 validated builds of OpenBao in dedicated images
HSM and Cloud KMS Auto-Unseal
Automatically secure and unseal master keys using Hardware Security Modules or Cloud KMS
Professional Services
World-leading expertise to securely design, deploy, and operate OpenBao clusters at scale
Multi-tenancy
Achieve true multi-tenancy and isolation through Namespaces

Migration Services

A proven, zero-downtime upgrade path from Vault

Assessment

From £5K

Audit current Vault deployment, document secrets engines, auth methods, custom plugins, identify non-compatible features, produce detailed migration plan.

Execution

Call Us

Parallel deployment alongside Vault, clean-room secrets migration, zero-downtime application cutover, validation and security testing, rollback plan.

Post-Migration Support

Included in subscription

Monitoring and resilience, performance tuning, legacy decommissioning. Typical timeline: 2-8 weeks depending on complexity.

Named enterprise adopters

Trusted by Industry Leaders

GitLab logo

GitLab

Native Secrets Manager integration (18.8+ Ultimate). ADR 007 formally chose OpenBao.

NVIDIA logo

NVIDIA

Builds NVIDIA Cloud Functions with OpenBao

Broadcom logo

Broadcom

Bundles OpenBao with VMWare Cloud Foundation

Funded Development Roadmap

Every known gap vs Vault Enterprise has a funded development track

Development

PostgreSQL for Horizontal Scalability, Disaster Recovery

v2.7.0 (2026)

Development

ControlGroups

v2.7.0 (2026)

Development

External keys

v2.7.0 (2026)

Exploratory

Emergency & Parallel Unseal

v2.8.0+ (2026-2027)

Exploratory

KMIP server

v2.9.0+ (2027)

Exploratory

CEL for Policies

v2.9.0+ (2027)

On roadmap

Search

v2.9.0+ (2027)

On roadmap

Cross-plugin communication

v2.9.0+ (2027)

Image exists

FIPS validation

2028

Background

Supporting Sustainable Open Source

Frequently Asked Questions

Yes. OpenBao v2.5.0 GA shipped February 2026. The project has 5,466 GitHub stars, 100+ active contributors, and 5 CVEs responsibly disclosed and patched in 2025. GitLab runs OpenBao in production as its native Secrets Manager.
Yes. OpenBao maintains API compatibility with Vault, making it a drop-in replacement for most use cases. Our migration services include assessment, parallel deployment, phased cutover, and validation. Typical timelines are 2-8 weeks depending on complexity.
A FIPS-compliant OpenBao image exists today. Formal FIPS 140-3 validation is on our funded development roadmap. Alex Scheel, who built Vault’s original cryptographic layer at HashiCorp, is leading this work.
Automated DR replication is on the funded development roadmap for 2026-2027. The Horizontal Scalability Working Group is actively working on this. In the interim, manual DR procedures are documented and supported.
OpenBao is MPL 2.0. OSI-approved, true open source with no usage restrictions. Vault switched to BSL 1.1 in 2023, which restricts competing commercial use. Each Vault source file re-licenses to MPL 2.0 four years after publication, but new releases stay under BSL.
ControlPlane employs OpenBao’s #1 contributor (37% of all project activity) as our founding engineer. We have a track record of operationalising open source in the world’s most complex environments and building enterprise offerings around commercial open source, including with Flux CD. Contrary to some providers, we provide global support. This includes North America, EMEA and APAC, so you get help whatever your business hours may be.
If you need self-hosted, regulated, cloud-agnostic secrets management with no vendor lock-in, OpenBao is the answer. SaaS solutions add another external dependency and may not meet data residency requirements. OpenBao gives you full control of your secrets infrastructure.

Ready to escape Vault lock-in?

Talk to the team that built Vault's cryptographic layer and now leads the open source alternative.

  • No-obligation consultation
  • Transparent pricing