Choosing a secrets storage: HashiCorp Vault vs OpenBao

October 9, 2025

Introduction

For a long time we have been recommending and installing HashiCorp Vault as the core secrets store for many of our customers.

HashiCorp Vault is currently licensed under the Business Source License (BSL) 1.1. This license allows you to copy, modify, create derivative works, redistribute, and make non-production use of Vault. It also permits limited production use under specific conditions, such as not offering Vault as a hosted or embedded service to third parties in competition with HashiCorp’s paid versions.

This is a change from earlier versions, which were released under the more permissive MPL 2.0 open source license. The BSL restricts competitive commercial use for an initial period before the code converts to an open source license.

Some of our customers expressed concerns about this licence change, and so, it seems, did the open source community. In response, the community created forks that it now maintains. Two of the best-known forks are OpenTofu, as an alternative to Terraform, and OpenBao, replacing Vault.

What’s OpenBao

OpenBao is a community-driven, open-source secret management platform focused on securely storing, managing, and distributing sensitive data such as secrets, certificates, and keys. It is developed under open governance principles with the goal of providing an OSI-approved open-source software solution.

OpenBao offers secure secret storage by encrypting data before writing it to persistent storage, ensuring that access to raw storage alone does not compromise the secrets. Like other systems, it supports dynamic secrets that are generated on-demand for environments such as Kubernetes or SQL databases and automatically revoked after their lease expires.

When compared to HashiCorp Vault, OpenBao distinctly emphasizes community leadership and open governance, offering its software under an OSI-approved license. Vault, on the other hand, adopts a staged licensing model starting with the Business Source License, which restricts certain competing commercial uses initially before converting to an open-source MPL license after four years.

What do we use OpenBao for?

We take advantage of every single feature, from SSL certificate creation (PKI) to dynamic credentials for the databases we manage. It has become our single source of truth for secrets. Who needs post-its anymore!

We are also very proud of the way we manage access to the database. Essentially, no one holds the database credentials. In a way, not even the applications. Credentials are requested from OpenBao/Vault with a very short time-to-live, and this is how both DBAs and applications securely access the database. You can read more about it in this blog post:

Rotating database credentials | Digitalis Blog

Setting up OpenBao in HA

We noticed when talking to our customers that it is not well understood how OpenBao (or Vault) works in HA. When OpenBao is running in High Availability (HA) mode, servers operate in one of two states: active or standby. In a cluster where multiple OpenBao servers share the same storage backend, only one server is active at any given time, and it processes all requests. The other servers remain in a hot standby state, ready to take over if the active server becomes unavailable. If the active server fails, seals, or loses connectivity, one of the standby servers is promoted to active. Note that only unsealed servers can act as standby; a sealed server can neither handle requests nor take over. This setup ensures continuous availability while preventing conflicts, because there is only one active instance at a time.

Not all storage backends support HA, therefore choosing the right one becomes very important.

What are your options?

When we discuss this with customers, we typically balance three key factors:

"Is high availability (HA) a must?"

"What’s your budget?"

"Are you running on-premises, hybrid, or in the cloud?"

If HA is not required (for example, because OpenBao is not critical and the customer can afford some downtime), you have a much broader range of backend options that can suit most budgets.

In cloud environments, the most cost-effective option is object storage like Amazon S3. For on-premises setups, you can consider S3-compatible solutions like MinIO, or even writing to disk (as long as it’s backed up frequently).

If HA is required, the S3 backend is unfortunately not suitable, because it does not support HA mode. Google Cloud Storage (GCS), on the other hand, does support HA. Other options we typically consider include:

  • Integrated Storage: A solid default, but it can be tricky to manage split-brain scenarios.
  • Google Cloud Storage: A great choice, possibly the cheapest and easiest to set up with HA support.
  • DynamoDB: A good option if you're on AWS.
  • Consul: Very performant, but requires additional operational overhead and suffers from the same RAFT-related complexities as Integrated Storage.
  • etcd: Similar to Consul in terms of trade-offs.

If you're in a cloud environment, we recommend starting with the options above. If none of them work for your use case, or if you're on-premises, then consider alternatives like MySQL, PostgreSQL, or Zookeeper.
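To make the active/standby model above concrete, here is an added example (our own illustration, not configuration from the OpenBao project or from this post) that renders a per-node configuration for a three-node Integrated Storage (raft) cluster, the default option from the list above. Every node lists the other two under `retry_join`, so a freshly started node finds the current leader on its own instead of needing a manual join. The hostnames, TLS paths, data directory and cluster name are assumptions for the example.

```shell
#!/usr/bin/env sh
# Renders an OpenBao config for one node of a 3-node raft HA cluster.
# Constructed example: hostnames, paths and ports below are assumptions.

# "node_id=hostname" pairs for the cluster (constructed values).
BAO_NODES="bao-1=bao-1.example.internal bao-2=bao-2.example.internal bao-3=bao-3.example.internal"

# Print one retry_join stanza per peer, skipping the node itself, so each
# node can discover the active (leader) node on startup.
retry_join_stanzas() {
  self="$1"
  for pair in $BAO_NODES; do
    id="${pair%%=*}"
    host="${pair#*=}"
    [ "$id" = "$self" ] && continue
    printf '  retry_join {\n    leader_api_addr     = "https://%s:8200"\n    leader_ca_cert_file = "/etc/openbao/tls/ca.pem"\n  }\n' "$host"
  done
}

# Emit the full HCL configuration for one node to stdout.
# api_addr is what clients and standbys use to reach this node; cluster_addr
# carries raft and request-forwarding traffic between nodes.
render_config() {
  self="$1"
  host=""
  for pair in $BAO_NODES; do
    [ "${pair%%=*}" = "$self" ] && host="${pair#*=}"
  done
  [ -n "$host" ] || { echo "unknown node: $self" >&2; return 1; }
  cat <<EOF
# OpenBao node $self (generated)
cluster_name = "bao-ha"
api_addr     = "https://$host:8200"
cluster_addr = "https://$host:8201"

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/openbao/tls/server.pem"
  tls_key_file  = "/etc/openbao/tls/server-key.pem"
}

storage "raft" {
  path    = "/var/lib/openbao/data"
  node_id = "$self"
$(retry_join_stanzas "$self")
}
EOF
}

# Number of retry_join stanzas in a node's config; should equal peers - 1.
count_retry_join() {
  render_config "$1" | grep -c 'retry_join {'
}

# Typical bring-up after placing each node's config, shown as a reference:
#   bao operator init              # once, on the first node; store the keys offline
#   bao operator unseal            # on every node; only unsealed nodes can serve as standby
#   bao operator raft list-peers   # expect one leader and two followers
#   bao status                     # "HA Mode: active" on one node, "standby" on the rest
render_config "${1:-bao-1}"
```

Run it as `sh render.sh bao-2 > /etc/openbao/config.hcl` on each node, changing the node id. Because all three nodes write to their own local raft path and elect a single leader, only one of them ever serves requests, which is exactly the single-active-node guarantee described above; the split-brain concern mentioned for Integrated Storage is why the cluster size should stay odd and why nodes are never added with a copied data directory.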

Final Words: Why Vault or OpenBao?

Managing secrets, especially database credentials, securely and efficiently is a cornerstone of modern infrastructure. Tools like Vault and OpenBao offer a powerful, flexible, and secure way to handle this challenge.

By dynamically generating short-lived credentials, these tools eliminate the need for hardcoded secrets, reduce the blast radius of a breach, and simplify credential rotation. This is particularly valuable for databases, where static credentials are often a weak point in security posture.

Some key benefits include:

  • Dynamic Secrets: Credentials are generated on-demand and expire automatically, reducing the risk of long-lived secrets being leaked or misused.
  • Fine-Grained Access Control: Policies can be tailored to specific roles, teams, or applications, ensuring least-privilege access.
  • Auditability: Every request for credentials is logged, providing full visibility into who accessed what and when.
  • Cloud and Platform Agnostic: Whether you're on-prem, in the cloud, or somewhere in between, Vault and OpenBao can adapt to your environment.
  • Seamless Integration: These tools integrate well with CI/CD pipelines, Kubernetes, and service meshes, making them ideal for modern DevOps workflows.

In short, if you're serious about security, automation, and operational resilience, adopting Vault or OpenBao for secrets management, especially for database credentials, is a smart move.
