HashiCorp Vault and BSL 1.1: What It Means and What to Do About It
Table of Contents
- What Changed with HashiCorp's Licence
- What It Means for Vault Enterprise Users
- OpenBao: The Open-Source Alternative
- DuoKey SD-HSM: Enterprise Security Without the Hardware
- The Migration Path
- Expected Benefits
In August 2023, HashiCorp announced it was relicensing Vault - along with its other products - under the Business Source Licence 1.1 (BSL 1.1). The change was framed as a measure against large cloud providers monetising HashiCorp products without contributing back. For enterprise Vault users, the implications go further.
What Changed with HashiCorp's Licence
Prior to August 2023, HashiCorp Vault was distributed under the Mozilla Public Licence 2.0 (MPL 2.0) - a genuine open-source licence approved by the Open Source Initiative. Any organisation could use, study, modify, and distribute Vault under that licence's terms, with no restriction on how, or against whom, it was deployed.
BSL 1.1 is not an open-source licence. Production use is permitted only within the "Additional Use Grant" HashiCorp attaches to each release, which excludes offering the software as a "competing product or service." HashiCorp alone decides what counts as competing, and it can narrow the grant for any future release. Each release converts to a specified open-source licence four years after it ships - but by then, the version you actually run is several releases newer and still under BSL.
In practical terms: Vault is now source-available software, not open source. You are a customer of HashiCorp, not a participant in an open ecosystem.
What It Means for Vault Enterprise Users
If you are running HashiCorp Vault Enterprise, the licence change compounds an already significant cost structure:
- Per-client-token pricing: Vault Enterprise charges approximately 500 EUR per client token per year. An organisation with 200 tokens pays 100,000 EUR annually in licensing alone - before infrastructure, operations, or auto-unseal costs.
- Annual price increases: HashiCorp has consistently raised Vault Enterprise prices 10–15% per year. Combined with token growth as infrastructure scales, costs can double every two to three years.
- Auto-unseal dependency: Production-grade auto-unseal requires a cloud KMS, physical HSM hardware (via the PKCS#11 seal, itself an Enterprise feature), or a second Vault cluster acting as a Transit seal - which only moves the unseal problem to that cluster. Each option carries additional cost and vendor lock-in.
- Vendor dependency: With BSL in place, your negotiating position at renewal is weak. There is no credible community fork under the old licence to fall back on - until now.
The result is a compounding cost spiral with increasing vendor dependency and no natural escape valve under the old model.
OpenBao: The Open-Source Alternative
OpenBao is a community-maintained fork of HashiCorp Vault, created in response to the BSL licence change and now governed by the Linux Foundation. It is distributed under MPL 2.0 - a genuine open-source licence.
Key facts about OpenBao:
- API compatibility with HashiCorp Vault: OpenBao was forked from the community edition of Vault and exposes the same HTTP API, so applications and existing client libraries require zero code changes. Auth methods, secrets engines, and policies carry over as they are; the exception is functionality that existed only in Vault Enterprise, which has to be checked feature by feature against the target OpenBao release.
- Governed by the Linux Foundation Technical Steering Committee: No single company controls the roadmap. The project cannot be relicensed without community consensus.
- Zero per-token licensing: OpenBao is free to use at any scale. There are no per-token fees, no renewal negotiations, no surprise price increases.
- Active development: OpenBao is maintained by organisations that depend on it in production, including DuoKey's certified EU partner - an OpenBao co-maintainer and Linux Foundation TSC member.
For organisations running Vault today, OpenBao represents a direct migration target. The API is identical, the tooling is compatible, and the migration path is well-established.
DuoKey SD-HSM: Enterprise Security Without the Hardware
OpenBao solves the licensing problem. But enterprise deployments still need reliable auto-unseal, seal wrap, and 24/7 managed operations. This is where DuoKey SD-HSM, for MPC-backed auto-unseal, and the DuoKey SD HSM managed service come in.
Auto-Unseal and Seal Wrap via MPC
DuoKey SD-HSM replaces cloud KMS and physical HSM hardware with Multi-Party Computation (MPC). Instead of a single hardware boundary holding the unseal key, MPC distributes key material across multiple independent parties. The key never exists in plaintext - not in transit, not in memory, not on disk.
This is not a workaround for missing HSM hardware. It is architecturally stronger. A physical HSM is a single trust boundary: an attacker who compromises the device, or an operator who can authorise key operations on it, controls the unseal key. With MPC, an attacker must simultaneously compromise a threshold of geographically and organisationally separated nodes to obtain anything useful; any smaller subset of shares reveals nothing about the key.
For a detailed comparison, see MPC vs HSM: Which Key Management Approach Secures Your Enterprise?
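To make the "never assembled" property concrete, here is an added illustration of split-key auto-unseal. It is not DuoKey's MPC protocol (the page does not describe that protocol) and not OpenBao code. It models auto-unseal the way Vault and OpenBao use it - an unseal key held outside the server wraps the root key, and unsealing means unwrapping that root key - with XOR standing in for the wrapping cipher and the unseal key split into n additive (XOR) shares. The key values and the 256-bit key length are constructed for the example.

```python
"""XOR-share model of split-key auto-unseal.

Added illustration, not DuoKey's MPC protocol and not OpenBao code.
The wrap is XOR and the unseal key is split into n additive (XOR)
shares, so the unwrap can be computed share by share without the
unseal key ever being assembled anywhere. All key material below is
constructed for the example.
"""
import secrets

KEY_LEN = 32  # assumption: 256-bit root and unseal keys


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(key: bytes, n: int) -> list[bytes]:
    """n-of-n additive sharing over GF(2): XOR of all shares == key.
    Any n-1 shares are uniformly random and say nothing about key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor(last, s)
    return shares + [last]


def combine_xor(shares: list[bytes]) -> bytes:
    """What a single hardware boundary does: reassemble the key in one place."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor(out, s)
    return out


def wrap_root_key(root_key: bytes, unseal_key: bytes) -> bytes:
    """The blob the server keeps on disk; useless without the unseal key."""
    return xor(root_key, unseal_key)


def distributed_unwrap(wrapped: bytes, shares: list[bytes]) -> bytes:
    """Server-side unseal without reconstructing the unseal key.

    The server blinds the wrapped blob with a fresh one-time mask and passes
    it along the parties; each party XORs in its own share and forwards the
    result. Every value a party sees is masked by r, so no party learns the
    root key, and no single place ever holds all the shares.
    """
    r = secrets.token_bytes(len(wrapped))   # server-only blinding mask
    msg = xor(wrapped, r)                   # leaves the server blinded
    for share in shares:                    # one hop per party
        msg = xor(msg, share)               # party applies its share only
    return xor(msg, r)                      # server removes the mask


if __name__ == "__main__":
    root = secrets.token_bytes(KEY_LEN)     # constructed root key
    unseal = secrets.token_bytes(KEY_LEN)   # constructed unseal key
    shares = split_xor(unseal, 3)           # three independent parties
    blob = wrap_root_key(root, unseal)
    print("unwrap ok:", distributed_unwrap(blob, shares) == root)
    print("2 of 3 shares reveal key:", combine_xor(shares[:2]) == unseal)
```

The contrast to draw is between combine_xor, which is what any single-boundary design (HSM or cloud KMS) does internally, and distributed_unwrap, where the server obtains the root key while no party, and no network hop, ever carries the whole unseal key. Real MPC schemes replace XOR with threshold versions of AES key wrapping or asymmetric decryption and tolerate missing parties (t-of-n), but the property being sold is the same one.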
DuoKey SD HSM
DuoKey provides a fully managed deployment delivered by the same team that co-maintains the project:
- 24/7 monitoring, alerting, and incident response
- Automated upgrades and security patching
- High-availability configuration from day one
- EU-hosted, full data sovereignty
- Flat-fee pricing - costs do not scale with your token count
This removes the operational burden that makes self-managed Vault or OpenBao difficult at scale. Your team focuses on using secrets, not managing the infrastructure that protects them.
The Migration Path
A typical migration from HashiCorp Vault Enterprise to DuoKey SD HSM takes two to four weeks with zero application downtime and zero code changes.
Week 1 - Assessment: DuoKey inventories your Vault deployment - namespaces, policies, secrets engines, auth methods, and integrations - and checks anything that exists only in Vault Enterprise against the target OpenBao release. A migration plan with timeline and risk mitigation is agreed.
Weeks 1–2 - Deployment: DuoKey deploys managed OpenBao with HA configuration. DuoKey SD-HSM MPC is configured for auto-unseal and seal wrap. Infrastructure is validated.
Weeks 2–3 - Data migration: Secrets, policies, and configurations are migrated using proven tooling. All client integrations are tested against the new cluster.
Weeks 3–4 - Cutover: Applications are redirected to OpenBao by updating VAULT_ADDR. Because tokens are issued per cluster, clients re-authenticate against OpenBao on their next login; long-lived tokens issued by Vault do not carry over unless storage was migrated at the backend level. Performance and error monitoring confirms the migration. Vault Enterprise is decommissioned.
Gradual migration - running Vault and OpenBao in parallel during the transition - is fully supported.
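The gate between the data-migration and cutover steps is a check that the target cluster really mirrors the source. As an added example (not DuoKey's migration tooling and not part of OpenBao), the script below compares the `sys/mounts` and `sys/auth` listings of the two clusters and reports what still blocks the VAULT_ADDR switch. The JSON is constructed to follow the shape of the `data` object returned by `vault read -format=json sys/mounts` and `sys/auth`; on a live migration you would fetch both from each cluster (GET /v1/sys/mounts, GET /v1/sys/auth) instead of embedding them.

```python
"""Pre-cutover inventory check for a Vault -> OpenBao migration.

Added example; not DuoKey's tooling and not part of OpenBao. Compares the
source cluster's sys/mounts and sys/auth data with the target cluster's
and lists what still blocks switching VAULT_ADDR. Sample data below is
constructed in the shape of the `data` object those endpoints return.
"""
import json

# Mounts every cluster has built in; they are not migrated.
BUILTIN_MOUNTS = {"sys/", "identity/", "cubbyhole/"}
BUILTIN_AUTH = {"token/"}

# Constructed: source Vault Enterprise cluster.
SOURCE_MOUNTS = json.loads("""{
  "secret/":    {"type": "kv",        "options": {"version": "2"}, "seal_wrap": false},
  "pki/":       {"type": "pki",       "options": null,             "seal_wrap": true},
  "database/":  {"type": "database",  "options": null,             "seal_wrap": false},
  "transit/":   {"type": "transit",   "options": null,             "seal_wrap": true},
  "sys/":       {"type": "system",    "options": null,             "seal_wrap": true},
  "identity/":  {"type": "identity",  "options": null,             "seal_wrap": false},
  "cubbyhole/": {"type": "cubbyhole", "options": null,             "seal_wrap": false}
}""")
SOURCE_AUTH = json.loads("""{
  "token/":      {"type": "token"},
  "approle/":    {"type": "approle"},
  "kubernetes/": {"type": "kubernetes"},
  "oidc/":       {"type": "oidc"}
}""")

# Constructed: target OpenBao cluster after data migration, with deliberate
# gaps (kv mounted as v1, database/ and oidc/ not yet created).
TARGET_MOUNTS = json.loads("""{
  "secret/":    {"type": "kv",        "options": {"version": "1"}, "seal_wrap": false},
  "pki/":       {"type": "pki",       "options": null,             "seal_wrap": false},
  "transit/":   {"type": "transit",   "options": null,             "seal_wrap": false},
  "sys/":       {"type": "system",    "options": null,             "seal_wrap": false},
  "identity/":  {"type": "identity",  "options": null,             "seal_wrap": false},
  "cubbyhole/": {"type": "cubbyhole", "options": null,             "seal_wrap": false}
}""")
TARGET_AUTH = json.loads("""{
  "token/":      {"type": "token"},
  "approle/":    {"type": "approle"},
  "kubernetes/": {"type": "kubernetes"}
}""")


def compare_mounts(src: dict, dst: dict) -> dict:
    """Per-path diff of secrets engines. Paths are compared in sorted order."""
    report = {"missing": [], "type_mismatch": [], "option_mismatch": [],
              "seal_wrap_to_verify": []}
    for path, m in sorted(src.items()):
        if path in BUILTIN_MOUNTS:
            continue
        t = dst.get(path)
        # Seal-wrapped source mounts need an explicit check that the target
        # wraps them equivalently; this is informational, not a blocker.
        if m.get("seal_wrap") and not (t or {}).get("seal_wrap"):
            report["seal_wrap_to_verify"].append(path)
        if t is None:
            report["missing"].append(path)
        elif t.get("type") != m.get("type"):
            report["type_mismatch"].append((path, m.get("type"), t.get("type")))
        elif (m.get("options") or {}) != (t.get("options") or {}):
            # e.g. kv v1 vs v2: same API path, different data layout
            report["option_mismatch"].append(path)
    return report


def compare_auth(src: dict, dst: dict) -> dict:
    """Per-path diff of auth methods."""
    report = {"missing": [], "type_mismatch": []}
    for path, a in sorted(src.items()):
        if path in BUILTIN_AUTH:
            continue
        t = dst.get(path)
        if t is None:
            report["missing"].append(path)
        elif t.get("type") != a.get("type"):
            report["type_mismatch"].append((path, a.get("type"), t.get("type")))
    return report


def cutover_blockers(mounts: dict, auth: dict) -> list:
    """Anything returned here means VAULT_ADDR must not be switched yet."""
    return ([f"mount missing on target: {p}" for p in mounts["missing"]]
            + [f"mount type differs: {p} {a} -> {b}" for p, a, b in mounts["type_mismatch"]]
            + [f"mount options differ: {p}" for p in mounts["option_mismatch"]]
            + [f"auth method missing on target: {p}" for p in auth["missing"]]
            + [f"auth type differs: {p} {a} -> {b}" for p, a, b in auth["type_mismatch"]])


if __name__ == "__main__":
    m = compare_mounts(SOURCE_MOUNTS, TARGET_MOUNTS)
    a = compare_auth(SOURCE_AUTH, TARGET_AUTH)
    print(json.dumps({"mounts": m, "auth": a}, indent=2))
    for line in cutover_blockers(m, a):
        print("BLOCKER:", line)
```

Run it before every cutover window, including for each application group in a gradual migration; the blocker list should be empty and the seal-wrap list should have been reviewed by hand against the DuoKey SD-HSM configuration.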
Expected Benefits
Organisations that have completed this migration consistently see the following outcomes:
60–80% reduction in secrets management TCO. Eliminating per-token licensing and replacing physical HSM or cloud KMS with DuoKey SD-HSM MPC removes the two largest cost drivers. For a 200-token deployment previously paying 100,000 EUR/year in Vault licensing alone, savings are immediate and substantial.
No code changes required. OpenBao exposes the same API as Vault, so your applications continue operating without modification. No refactoring, no retraining; the integration tests run against the new cluster during migration are the regression check.
Stronger security posture. MPC-based auto-unseal eliminates the single points of failure inherent in both cloud KMS and physical HSM auto-unseal. Keys never exist in plaintext anywhere in the system.
Predictable, flat costs. DuoKey SD HSM is flat-fee. Adding new services does not add to your licensing bill. Infrastructure growth is no longer a cost event.
Long-term licence stability. OpenBao under Linux Foundation governance cannot be relicensed by a single vendor decision. What is free today remains free.
If you are planning a Vault renewal or evaluating your options ahead of a cost review, the migration to OpenBao with DuoKey SD-HSM is worth examining in detail. The API compatibility removes the usual risk of switching secrets management platforms, and the economics are straightforward.
Learn more about the DuoKey solution for OpenBao or book a call with our team to discuss your specific deployment.