Secrets Management Platforms Compared
Choosing a secrets management platform affects your licensing costs, operational model, API compatibility, and data sovereignty for years. This page compares OpenBao against HashiCorp Vault Enterprise, Vault Community (BSL), Infisical, AWS Secrets Manager, and Azure Key Vault.
Quick comparison
| | OpenBao | Vault Enterprise | Vault Community (BSL) | Infisical | AWS Secrets Manager | Azure Key Vault |
|---|---|---|---|---|---|---|
| License | MPL 2.0 | Commercial | BSL 1.1 | MIT | Proprietary | Proprietary |
| Cost model | Free + ops | Per-client pricing | Free (BSL-restricted) | Free tier + paid | Per-secret/month | Per-operation |
| API compatibility | Vault API | Vault API | Vault API | Own API | Own API | Own API |
| Dynamic secrets | Yes | Yes | Yes | Limited | No | No |
| PKI/certificates | Yes | Yes | Yes | No | No | Yes |
| Transit encryption | Yes | Yes | Yes | No | No | Yes |
| HSM support | Yes | Yes | No | No | CloudHSM | Azure HSM |
| Data sovereignty | Your infra | Your infra | Your infra | SaaS or self-host | AWS regions | Azure regions |
| Managed by VSHN | Yes | No | No | No | No | No |
Vault Enterprise pricing
HashiCorp Vault Enterprise pricing is per-client: each application, service, or user that authenticates counts as a client. Pricing is not publicly listed. Based on available market data and customer reports, estimates range from $1 to $3 per client per month, with enterprise contracts typically starting at $50,000 per year.
IBM completed its acquisition of HashiCorp in 2024. For context, since IBM acquired Red Hat in 2019, Red Hat subscription prices have consistently increased by approximately 10% per year. The same pattern should be expected for Vault Enterprise.
OpenBao has zero software licensing cost. VSHN managed operations are priced at a fixed monthly rate regardless of client count.
Estimated annual cost by client count
| Clients | Vault Enterprise (est.) | OpenBao + VSHN managed ops |
|---|---|---|
| 100 | $1,200 - $3,600/year | Fixed monthly rate - contact us |
| 500 | $6,000 - $18,000/year | Fixed monthly rate - contact us |
| 2,000 | $24,000 - $72,000/year | Fixed monthly rate - contact us |
Caveat: Vault Enterprise pricing is not publicly listed. The estimates above are based on available market data and customer reports. Contact HashiCorp for a current quote.
The fork: why OpenBao exists
In August 2023, HashiCorp changed Vault's license from MPL 2.0 to BSL 1.1 (Business Source License). BSL 1.1 restricts use in competing hosted services. In 2024, IBM acquired HashiCorp.
OpenBao forked from Vault in response to the license change. It is maintained under the Linux Foundation, uses MPL 2.0, and is fully API-compatible with Vault. Migrating from Vault to OpenBao is a configuration change, not a rewrite. Your existing Vault clients, scripts, and Terraform resources work without modification.
Vault Enterprise
HashiCorp Vault Enterprise is the mature commercial offering with the longest track record.
Strengths: namespaces for multi-tenancy, Sentinel policies for fine-grained access control, performance replication across clusters, disaster recovery replication, enterprise support SLA, and a large community of operators with deep operational knowledge.
Limitations: per-client pricing scales linearly with adoption. BSL 1.1 license restricts certain use cases. IBM's acquisition history with Red Hat shows consistent annual price increases, making long-term cost planning harder. You are dependent on a single vendor for the entire secrets management stack.
Fits when: your organisation is already committed to Vault Enterprise, requires Sentinel policies or performance replication, and accepts the licensing cost and IBM vendor dependency.
Vault Community (BSL)
The Vault Community edition is free to run, but the BSL 1.1 license restricts use in competing service offerings.
Strengths: free to run, same API as Vault Enterprise and OpenBao, broad documentation and community resources.
Limitations: BSL 1.1 is not an open source license by OSI definition. The restriction clause creates legal ambiguity for SaaS companies and internal platform teams that offer Vault as a shared service. You still rely on HashiCorp (now IBM) for fixes and security patches.
Fits when: you run Vault Community for internal use, BSL restrictions do not apply to your use case, and you manage the operational burden yourself.
Infisical
Infisical is a developer-first secrets platform built for application teams. It takes a different approach from Vault: a web dashboard, native integrations, and built-in secret rotation.
Strengths: developer-friendly web UI, native integrations with GitHub Actions, Kubernetes, Docker, and CI systems, built-in secret rotation for common services, and MIT license for the self-hosted version.
Limitations: Infisical does not have dynamic secrets - each secret is a stored value, not generated per-request. No PKI or certificate management. No transit encryption engine. No HSM support. Infisical and Vault solve different problems: Infisical is a secrets store; Vault is a secrets platform.
Fits when: your team needs a developer-friendly secrets store with a UI and does not require dynamic secrets, PKI, or transit encryption.
Hyperscaler options: AWS Secrets Manager and Azure Key Vault
Both AWS Secrets Manager and Azure Key Vault integrate tightly with their respective cloud ecosystems.
Strengths: zero infrastructure to manage, native IAM integration, tight integration with cloud-native services (Lambda, EC2, App Service), built-in audit trails.
Limitations: US company jurisdiction applies regardless of data region. No dynamic secrets generation. No transit encryption engine. No portability - secrets stored in AWS Secrets Manager cannot be retrieved by an Azure workload without cross-cloud calls. AWS Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls. Azure Key Vault charges per operation. Costs grow with secret count and access frequency.
Fits when: your entire workload runs on a single hyperscaler, US jurisdiction is acceptable, and you need only static secret storage with IAM access control.
When to choose each
Choose OpenBao + VSHN managed operations if you want Vault API compatibility without per-client licensing, need data sovereignty on Swiss infrastructure, or are migrating away from Vault Enterprise and want a drop-in replacement under MPL 2.0.
Choose Vault Enterprise if your organisation requires Sentinel policies or performance replication, is already under an enterprise contract, and accepts per-client pricing and IBM vendor dependency.
Choose Vault Community (BSL) if you run an internal deployment, manage operations yourself, and BSL restrictions do not apply to your use case.
Choose Infisical if your primary need is a developer-friendly secrets store with a web UI and native CI integrations, and you do not need dynamic secrets or a PKI engine.
Choose AWS Secrets Manager or Azure Key Vault if your workloads run exclusively on one hyperscaler, US jurisdiction is acceptable, and you need basic secret storage with native IAM integration.
Next steps
Assessing a Vault-to-OpenBao migration or comparing licensing costs for your client count? Book a consultation. We review your current setup and give you a concrete cost comparison.