# OpenBao Competence Center Switzerland

> Your OpenBao experts in Switzerland. Managed secrets management on Swiss cloud infrastructure with automated backups, high availability, and 24/7 support.

VSHN and our engineering partner bespinian migrate your secrets management from HashiCorp Vault to OpenBao, the community fork that stays open source. Same API, same workflows, zero licence fees. No per-client counting, no scaling penalty. Deployed and operated on Swiss cloud infrastructure with full data sovereignty.

## Pages

- [Homepage](https://www.openbao.ch/): OpenBao Experts Switzerland – Secrets Management | VSHN
- [OpenBao vs Vault vs Infisical: Platform Comparison](https://www.openbao.ch/comparison.md)
- [OpenBao and CIS Controls - Secrets Management Compliance | VSHN](https://www.openbao.ch/compliance.md)
- [Partner with VSHN on OpenBao | VSHN](https://www.openbao.ch/partners.md)
- [OpenBao Sovereignty — Swiss Secrets Hosting | VSHN](https://www.openbao.ch/sovereignty.md)

## Features

- **Deep OpenBao Engineering Expertise**: VSHN's engineers work with the OpenBao codebase daily: debugging, extending, and integrating it into production environments. We follow the Linux Foundation community closely and understand the platform at the source code level. Your consulting and managed service is backed by engineers who read the code, not just the documentation.
- **Vault to OpenBao Migration**: OpenBao retains full API and protocol compatibility with HashiCorp Vault. Existing clients, integrations, and Terraform providers work without code changes. VSHN helps you plan and execute the migration from Vault to OpenBao, including secrets engine configuration, policy migration, and integration testing. Your investment in Vault automation is preserved.
- **No Scaling Penalty — Predictable Costs**: Vault Enterprise charges per client identity or secret, and costs grow unpredictably as your platform scales. OpenBao has no per-client fees, no per-secret metering, and no feature gates. VSHN consulting is billed at CHF 250 per hour with no ongoing license cost. Your costs stay flat regardless of how many applications consume secrets.
- **Full Secrets Platform**: OpenBao covers the complete secrets lifecycle: key-value secret storage, dynamic credentials for databases and cloud providers, PKI certificate management, encryption as a service, identity-based access control, automated lease management with expiration and renewal, TOTP generation, and SSH certificate signing. One platform replaces multiple point solutions.
- **Swiss Cloud & Sovereign Key Custody**: Deploy OpenBao on Swiss cloud providers including cloudscale.ch and Exoscale, both operating data centers exclusively in Switzerland, on APPUiO, Managed OpenShift, Enterprise Private Cloud, or your own on-premises infrastructure. VSHN is Swiss-owned with no foreign parent company. All contracts are governed by Swiss law with no exposure to the US CLOUD Act. Your secrets stay in the jurisdiction you choose. Learn more in our [sovereignty assessment](/sovereignty/).
- **Swiss Sovereign Operations**: VSHN deploys and operates OpenBao exclusively on Swiss cloud infrastructure: cloudscale.ch, Exoscale, or your private cloud. No US-jurisdiction hyperscaler involved. Combined with 24/7 operations, encrypted storage, and strict access controls, this provides end-to-end sovereign secrets management that support-only vendors cannot offer.
- **Open Source — Drop-in, Walk Away**: OpenBao is licensed under MPL 2.0, maintained by the Linux Foundation. No proprietary extensions, no relicensing risk, no vendor lock-in. If you stop working with VSHN tomorrow, your OpenBao deployment keeps running unchanged, with zero migrations and zero infrastructure changes. Unlike Vault Enterprise, every feature is available to every user regardless of subscription tier.
- **Beyond a Support Subscription**: Some vendors sell phone support for your self-managed OpenBao. VSHN goes further: we architect, deploy, and operate OpenBao on your infrastructure with HA clustering, automated backups, monitoring, and 24/7 incident response. A fully managed OpenBao service on the VSHN Application Catalog is in development. Contact us for early access.

## What our OpenBao consulting includes

- Architecture design and deployment planning for OpenBao
- HashiCorp Vault to OpenBao migration: secrets, policies, auth methods
- High-availability configuration with three replicas and auto-unseal
- Encrypted storage and strict access controls for sovereign key management
- Integration with CI/CD pipelines, Kubernetes, and identity providers
- Deployment on cloudscale.ch, Exoscale, APPUiO, Managed OpenShift, Enterprise Private Cloud, or on-premises
- Ongoing 24/7 operational support and incident response
- Direct access to VSHN and bespinian engineers with deep OpenBao expertise
- Written scope and cost estimate in CHF within one business day

## OpenBao FAQ

### What is OpenBao?

OpenBao is an open-source secrets management solution hosted by the Linux Foundation. It is a community-driven fork of HashiCorp Vault, created in response to the license change from MPL to BSL. OpenBao provides identity-based secrets management, encryption services, dynamic credentials, PKI certificate management, and secure key-value storage. It retains full API compatibility with Vault, so existing integrations, tooling, and workflows continue to work without modification.

### How does OpenBao compare to HashiCorp Vault?

OpenBao is a direct fork of HashiCorp Vault, maintaining full API and protocol compatibility. The key difference is licensing: OpenBao uses the MPL 2.0 open-source licence while Vault moved to the Business Source License. Vault Enterprise charges per client identity or managed secret, creating unpredictable costs as you scale.
OpenBao has no per-client fees, no feature gates, and no metering. OpenBao is governed by the Linux Foundation, ensuring community-driven development. Existing Vault clients, integrations, and Terraform providers work with OpenBao without code changes.

### How much does OpenBao cost compared to Vault Enterprise?

OpenBao itself is free, licensed under MPL 2.0 with no per-client or per-secret fees. Vault Enterprise typically charges based on client count, which grows unpredictably as your platform scales. VSHN consulting for OpenBao architecture, deployment, and migration is billed at CHF 250 per hour. For ongoing operations, VSHN provides 24/7 support and managed operations at predictable monthly rates without metering your secret count or client identities. You pay for operational expertise, not for how many applications consume secrets.

### What consulting services does VSHN offer for OpenBao?

VSHN provides end-to-end OpenBao consulting covering architecture design, deployment, Vault-to-OpenBao migration, high-availability configuration, and ongoing operational support. Our engineering partner bespinian brings deep Go and security expertise to the partnership. Engagements range from a one-day architecture review to multi-week implementation projects with 100 GB or more of secrets data.

### Does VSHN contribute to OpenBao development?

VSHN follows the OpenBao project closely and participates in the Linux Foundation community that governs it. Our engineers work with the OpenBao codebase daily: debugging, extending, and integrating it into customer environments. This deep familiarity means we can diagnose issues at the source code level, assess new releases for production readiness, and provide authoritative consulting based on hands-on experience rather than documentation alone.

### What is the difference between a support subscription and managed operations?

A support subscription gives you phone and ticket access when something breaks.
You still architect, deploy, patch, and operate OpenBao yourself. VSHN managed operations goes further: we design the architecture, deploy HA clusters, configure auto-unseal, run automated backups, monitor health, and respond to incidents 24/7. If you stop working with us, your OpenBao deployment keeps running unchanged, with no migrations and no infrastructure changes.

### Can I run OpenBao on Swiss cloud infrastructure?

Yes. VSHN deploys OpenBao on Swiss cloud providers by default, including cloudscale.ch and Exoscale, both of which operate data centers exclusively in Switzerland. We also support deployment on APPUiO, Managed OpenShift, Enterprise Private Cloud, and on-premises infrastructure in your own data centre. VSHN is Swiss-owned with no foreign parent company. All contracts are governed by Swiss law. See our [sovereignty assessment](/sovereignty/) for details.

### How does VSHN ensure sovereign key management?

VSHN deploys OpenBao on Swiss cloud infrastructure (cloudscale.ch, Exoscale, or your private cloud) with encrypted storage at rest, strict operator access controls, and audit logging. Auto-unseal is configured so OpenBao restarts without manual intervention. Because VSHN controls the full infrastructure stack, not just a support contract, we enforce operational boundaries that support-only vendors cannot provide.

### Is a managed OpenBao service available?

A fully managed OpenBao service on the VSHN Application Catalog is currently in development. Once available, it will include automated provisioning, backups, monitoring, and SLAs up to 99.99% availability, the same quality as our other managed database and application services. In the meantime, VSHN offers consulting, deployment, and full operational support for your own OpenBao installations. Contact us for early access to the managed service.

### How does VSHN handle Vault to OpenBao migration?

We plan the migration with you, covering secrets engine mapping, policy migration, authentication method configuration, and integration testing. Since OpenBao maintains full API compatibility with Vault, most clients and automation work without changes. We run parallel environments during the transition to ensure zero downtime and validate that all secrets are accessible before decommissioning the old Vault installation.

### How do I get started with VSHN OpenBao consulting?

Contact us using the form below. Describe your project: whether it is a Vault migration, a new OpenBao deployment, an architecture review, or operational support for an existing installation. We provide a written scope and CHF cost estimate within one business day. There is no commitment at the scoping stage.

### How does OpenBao help with CIS Controls compliance?

OpenBao maps directly to several CIS Controls v8 requirements. For CIS Control 3 (Data Protection), OpenBao provides encryption as a service via the Transit engine, encrypted storage at rest with AES-256-GCM, and a centralized secrets inventory that replaces scattered credentials in config files. For CIS Control 6 (Access Control Management), OpenBao enforces policy-based least-privilege access, issues dynamic credentials with automatic expiration, and supports TOTP-based MFA. For CIS Control 18 (Penetration Testing), OpenBao's comprehensive audit log records every secret access and authentication attempt, providing the evidence trail security teams need to verify controls. VSHN operates OpenBao with ISO 27001-certified processes and provides ISAE 3402 Type II reports for regulated customers. See our [compliance mapping](/compliance/) for the full control-by-control breakdown.

### Can consulting firms use VSHN-managed OpenBao for client infrastructure?

Yes. Consulting firms and system integrators use VSHN-managed OpenBao to provide secrets management for client infrastructure.
Each client runs on isolated infrastructure with dedicated OpenBao instances on Swiss cloud. VSHN handles operations, upgrades, and 24/7 monitoring while your team configures policies, secrets engines, and authentication methods for the client environment. Written service agreements simplify engagement structuring.

## Contact us

Ready to deploy OpenBao or migrate from HashiCorp Vault? Contact us for a free initial consultation. Consulting at CHF 250 per hour, no per-client fees, no licence surcharges. VSHN and bespinian bring deep OpenBao expertise to every engagement. Want to hear from a customer first? We can arrange a reference call.

Booking: #contact

---

## OpenBao vs Vault vs Infisical: Platform Comparison

# Secrets Management Platforms Compared

Choosing a secrets management platform affects your licensing costs, operational model, API compatibility, and data sovereignty for years. This page compares OpenBao against HashiCorp Vault Enterprise, Vault Community (BSL), Infisical, AWS Secrets Manager, and Azure Key Vault.

## Quick comparison

| | OpenBao | Vault Enterprise | Vault Community (BSL) | Infisical | AWS Secrets Manager | Azure Key Vault |
|---|---|---|---|---|---|---|
| **License** | MPL 2.0 | Commercial | BSL 1.1 | MIT | Proprietary | Proprietary |
| **Cost model** | Free + ops | Per-client pricing | Free (BSL-restricted) | Free tier + paid | Per-secret/month | Per-operation |
| **API compatibility** | Vault API | Vault API | Vault API | Own API | Own API | Own API |
| **Dynamic secrets** | Yes | Yes | Yes | Limited | No | No |
| **PKI/certificates** | Yes | Yes | Yes | No | No | Yes |
| **Transit encryption** | Yes | Yes | Yes | No | No | Yes |
| **HSM support** | Yes | Yes | No | No | CloudHSM | Azure HSM |
| **Data sovereignty** | Your infra | Your infra | Your infra | SaaS or self-host | AWS regions | Azure regions |
| **Managed by VSHN** | Yes | No | No | No | No | No |

## Vault Enterprise pricing

HashiCorp Vault Enterprise pricing is per-client: each application, service, or user that authenticates counts as a client. Pricing is not publicly listed. Based on available market data and customer reports, estimates range from $1 to $3 per client per month, with enterprise contracts typically starting at $50,000 per year.

IBM completed its acquisition of HashiCorp in 2024. For context, since IBM acquired Red Hat in 2019, Red Hat subscription prices have increased approximately 10% per year consistently. The same pattern should be expected for Vault Enterprise.

OpenBao has zero software licensing cost. VSHN managed operations are priced at a fixed monthly rate regardless of client count.

### Estimated annual cost by client count

| Clients | Vault Enterprise (est.) | OpenBao + VSHN managed ops |
|---|---|---|
| 100 | $1,200 - $3,600/year | Fixed monthly rate - contact us |
| 500 | $6,000 - $18,000/year | Fixed monthly rate - contact us |
| 2,000 | $24,000 - $72,000/year | Fixed monthly rate - contact us |

**Caveat:** Vault Enterprise pricing is not publicly listed.
The estimates above are based on available market data and customer reports. Contact HashiCorp for a current quote.

## The fork: why OpenBao exists

In August 2023, HashiCorp changed Vault's license from MPL 2.0 to BSL 1.1 (Business Source License). BSL 1.1 restricts use in competing hosted services. In 2024, IBM acquired HashiCorp.

OpenBao forked from Vault in response to the license change. It is maintained under the Linux Foundation, uses MPL 2.0, and is fully API-compatible with Vault. Migrating from Vault to OpenBao is a configuration change, not a rewrite. Your existing Vault clients, scripts, and Terraform resources work without modification.

## Vault Enterprise

HashiCorp Vault Enterprise is the mature commercial offering with the longest track record.

**Strengths:** namespaces for multi-tenancy, Sentinel policies for fine-grained access control, performance replication across clusters, disaster recovery replication, enterprise support SLA, and a large community of operators with deep operational knowledge.

**Limitations:** per-client pricing scales linearly with adoption. BSL 1.1 license restricts certain use cases. IBM's acquisition history with Red Hat shows consistent annual price increases, making long-term cost planning harder. You are dependent on a single vendor for the entire secrets management stack.

**Fits when:** your organisation is already committed to Vault Enterprise, requires Sentinel policies or performance replication, and accepts the licensing cost and IBM vendor dependency.

## Vault Community (BSL)

The Vault Community edition is free to run, but the BSL 1.1 license restricts use in competing service offerings.

**Strengths:** free to run, same API as Vault Enterprise and OpenBao, broad documentation and community resources.

**Limitations:** BSL 1.1 is not an open source license by OSI definition. The restriction clause creates legal ambiguity for SaaS companies and internal platform teams that offer Vault as a shared service.
You still rely on HashiCorp (now IBM) for fixes and security patches.

**Fits when:** you run Vault Community for internal use, BSL restrictions do not apply to your use case, and you manage the operational burden yourself.

## Infisical

Infisical is a developer-first secrets platform built for application teams. It takes a different approach from Vault: a web dashboard, native integrations, and built-in secret rotation.

**Strengths:** developer-friendly web UI, native integrations with GitHub Actions, Kubernetes, Docker, and CI systems, built-in secret rotation for common services, and MIT license for the self-hosted version.

**Limitations:** Infisical does not have dynamic secrets - each secret is a stored value, not generated per-request. No PKI or certificate management. No transit encryption engine. No HSM support. Infisical and Vault solve different problems: Infisical is a secrets store; Vault is a secrets platform.

**Fits when:** your team needs a developer-friendly secrets store with a UI and does not require dynamic secrets, PKI, or transit encryption.

## Hyperscaler options: AWS Secrets Manager and Azure Key Vault

Both AWS Secrets Manager and Azure Key Vault integrate tightly with their respective cloud ecosystems.

**Strengths:** zero infrastructure to manage, native IAM integration, tight integration with cloud-native services (Lambda, EC2, App Service), built-in audit trails.

**Limitations:** US company jurisdiction applies regardless of data region. No dynamic secrets generation. No transit encryption engine. No portability - secrets stored in AWS Secrets Manager cannot be retrieved by an Azure workload without cross-cloud calls. AWS Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls. Azure Key Vault charges per operation. Costs grow with secret count and access frequency.

**Fits when:** your entire workload runs on a single hyperscaler, US jurisdiction is acceptable, and you need only static secret storage with IAM access control.

## When to choose each

**Choose OpenBao + VSHN managed operations** if you want Vault API compatibility without per-client licensing, need data sovereignty on Swiss infrastructure, or are migrating away from Vault Enterprise and want a drop-in replacement under MPL 2.0.

**Choose Vault Enterprise** if your organisation requires Sentinel policies or performance replication, is already under an enterprise contract, and accepts per-client pricing and IBM vendor dependency.

**Choose Vault Community (BSL)** if you run an internal deployment, manage operations yourself, and BSL restrictions do not apply to your use case.

**Choose Infisical** if your primary need is a developer-friendly secrets store with a web UI and native CI integrations, and you do not need dynamic secrets or a PKI engine.

**Choose AWS Secrets Manager or Azure Key Vault** if your workloads run exclusively on one hyperscaler, US jurisdiction is acceptable, and you need basic secret storage with native IAM integration.

## Next steps

Assessing a Vault-to-OpenBao migration or comparing licensing costs for your client count? [Book a consultation](#contact). We review your current setup and give you a concrete cost comparison.

---

## OpenBao and CIS Controls - Secrets Management Compliance | VSHN

# OpenBao and Compliance Frameworks

Secrets management is a core control in every major security framework. OpenBao provides the technical capabilities; VSHN operates them on Swiss infrastructure with ISO 27001-certified processes. This page maps OpenBao features to the CIS Controls, ISO 27001, and FINMA requirements that Swiss enterprises face.

## CIS Controls v8 mapping

### CIS Control 3: Data Protection

CIS Control 3 requires organizations to develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

| Sub-control | OpenBao capability |
|---|---|
| 3.1 Establish data management process | OpenBao provides a centralized secrets inventory. All secrets are stored in defined paths with metadata, replacing scattered credentials in config files and environment variables. |
| 3.6 Encrypt data on end-user devices | OpenBao's Transit engine provides encryption as a service. Applications encrypt data through the API without handling raw keys. Keys never leave OpenBao. |
| 3.9 Encrypt data on removable media | Transit engine encrypts arbitrary data. Backup encryption uses sealed storage with auto-unseal keys stored separately from the data. |
| 3.10 Encrypt sensitive data in transit | All OpenBao API communication uses TLS. VSHN configures TLS certificates via the PKI engine, automating certificate lifecycle management. |
| 3.11 Encrypt sensitive data at rest | OpenBao encrypts all stored data at rest using AES-256-GCM. The encryption key is itself encrypted by an unseal key, providing defense in depth. |
| 3.12 Segment data processing | OpenBao namespaces and policies segment secrets by team, application, or environment. Access policies enforce least-privilege boundaries between segments. |

### CIS Control 6: Access Control Management

CIS Control 6 requires organizations to use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts.

| Sub-control | OpenBao capability |
|---|---|
| 6.1 Establish access granting process | OpenBao policies define who can access which secrets at which paths. Policies are code (HCL), reviewable in version control, and applied consistently. |
| 6.2 Establish access revoking process | Secrets have configurable TTLs with automatic expiration. Dynamic credentials (database, cloud) are generated on demand and revoked after use. Leaked credentials can be revoked immediately via the API. |
| 6.3 Require MFA for externally-exposed apps | OpenBao supports TOTP-based MFA for vault access. VSHN can integrate OpenBao authentication with your existing identity provider (OIDC, LDAP). |
| 6.4 Require MFA for remote network access | Service-to-service authentication uses short-lived tokens or AppRole credentials instead of static passwords, reducing the attack surface for remote access. |
| 6.5 Require MFA for administrative access | OpenBao operator access requires authentication through configured auth methods. VSHN enforces MFA for all administrative operations on managed infrastructure. |
| 6.7 Centralize access control | OpenBao serves as a single source of truth for secrets across all applications and environments. One policy engine governs access regardless of where the application runs. |
| 6.8 Define and maintain role-based access | OpenBao's policy system maps directly to role-based access control. Teams, applications, and CI/CD pipelines each get scoped policies that grant access only to the secrets they need. |

### CIS Control 18: Penetration Testing

CIS Control 18 requires organizations to test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls.

| Sub-control | OpenBao capability |
|---|---|
| 18.1 Establish penetration testing program | OpenBao's comprehensive audit log records every secret access, authentication attempt, and policy evaluation. This provides the evidence trail penetration testers need to verify that secrets management controls work as designed. |
| 18.3 Remediate penetration test findings | Dynamic credentials mean remediation can include rotating all affected secrets programmatically. If a test reveals exposed credentials, OpenBao revokes and reissues them through automation, not manual processes. |
| 18.5 Perform periodic internal penetration tests | OpenBao's audit logs let security teams verify that access policies are correctly enforced. Policy simulation (dry-run capability evaluation) lets teams test access boundaries without touching production secrets. |

## ISO 27001 alignment

VSHN holds [ISO 27001 certification](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf) for its operations. OpenBao capabilities map to several Annex A controls:

| ISO 27001 Annex A | OpenBao capability |
|---|---|
| A.8.1 User endpoint devices | Transit encryption for data at rest on endpoints |
| A.8.3 Information access restriction | Policy-based access control with least-privilege enforcement |
| A.8.5 Secure authentication | AppRole, OIDC, LDAP, and Kubernetes auth methods with short-lived tokens |
| A.8.9 Configuration management | Declarative policies in version control, auditable configuration |
| A.8.24 Use of cryptography | Transit engine, PKI engine, key management without key exposure |
| A.8.25 Secure development lifecycle | Dynamic credentials for CI/CD eliminate static secrets in build pipelines |

## FINMA considerations

Swiss financial institutions subject to [FINMA Circular 2023/1](https://www.finma.ch/en/documentation/finma-circulars/) (Operational Risks and Resilience) need to demonstrate control over cryptographic key management and access credentials. OpenBao on Swiss infrastructure operated by an ISO 27001-certified Swiss company (VSHN) addresses:

- **Key management under Swiss law**: no exposure to US CLOUD Act or foreign government access
- **Audit trail**: every secret access logged with timestamp, identity, and operation
- **Operational resilience**: HA deployment with automated unseal, encrypted backups, and 24/7 incident response
- **Outsourcing documentation**: VSHN provides ISAE 3402 Type II reports for regulated customers

## How VSHN implements compliance-ready OpenBao

VSHN does not just deploy OpenBao. We configure it for auditability:

1. **Audit logging enabled by default** with tamper-evident log storage
2. **Policy-as-code** stored in version control with review workflows
3. **Automated credential rotation** for database, cloud, and PKI credentials
4. **Encrypted backups** with retention and off-site replication
5. **Access reviews** supported through OpenBao's lease and token introspection APIs

Need a compliance assessment for your secrets management? [Contact us](#contact) for a free consultation.

---

## Partner with VSHN on OpenBao | VSHN

# Partner with VSHN on OpenBao

You bring the customer relationship and secrets management expertise: strategy design, Vault-to-OpenBao migration, policy design, application integration. VSHN brings OpenBao cluster operations, HA setup, HSM integration, monitoring, upgrades, and 24/7 support. Together you deliver a complete OpenBao solution without either side building capabilities you don't have.

## How we collaborate

**Lead Partner model.** For each project, one of us is the customer's single point of contact. Who leads depends on the project, agreed per engagement. The Lead Partner drives the project, handles invoicing, and owns first-level support.

**Joint delivery.** You handle consulting, integration, and project management. VSHN handles infrastructure operations, monitoring, backups, and SLA. Or the other way around, depending on the project. Roles are agreed per engagement, not locked into a rigid structure.

**Flexible billing.** Invoice the customer together or separately, agreed per project. Both models are supported: each party invoices their share directly, or one party invoices the full amount and redistributes.

**Protected relationships.** No undercutting. Your customer stays your customer. Existing relationships are respected on both sides, with contractual protections for both parties.

## Division of labour for OpenBao

| Your role | VSHN's role |
|-----------|-------------|
| Secrets management strategy | OpenBao cluster operations |
| Vault-to-OpenBao migration | HA setup and failover |
| Policy design | HSM integration |
| Application integration | Monitoring, alerting, and 24/7 incident response |
| Project management and customer relationship | Upgrades and SLA |

## Partners delivering OpenBao

**[bespinian](https://bespinian.io)**. Cloud-native consulting firm specialising in bespoke solutions. Delivers secrets management strategy and Vault-to-OpenBao migrations on VSHN-operated infrastructure.

See all VSHN partners at [servala.com/partners](https://servala.com/partners/).

## Become a partner

Interested in delivering OpenBao secrets management together? Let's explore how we complement each other. [Book a partnership discovery call](https://aarno.cal.vs.hn/15-openbao) or [start a partnership conversation](#contact).

---

## OpenBao Sovereignty — Swiss Secrets Hosting | VSHN

# OpenBao Sovereignty: The Open-Source Fork That Exists Because of Sovereignty

OpenBao is the sovereignty story. When HashiCorp changed Vault's license from open source (MPL 2.0) to the Business Source License in August 2023, and was then [acquired by IBM](https://www.ibm.com/blog/ibm-to-acquire-hashicorp/) in 2024, the community forked the project under the Linux Foundation as OpenBao.

If you're running HashiCorp Vault today, your secrets management depends on software controlled by IBM (US) under a restrictive license. Your secrets (API keys, database credentials, encryption keys, certificates) are managed by a tool whose future is determined by a US corporation subject to the CLOUD Act.

## Why OpenBao is the sovereign choice for secrets management

OpenBao maintains full API compatibility with HashiCorp Vault while restoring open-source governance:

- **Open source** (MPL 2.0): the license HashiCorp abandoned, now protected under Linux Foundation governance
- **No corporate owner**: governed by the Linux Foundation, not a single company
- **Full Vault compatibility**: existing clients, Terraform providers, and integrations work without changes
- **Swiss-only operations**: VSHN deploys and operates OpenBao on Swiss cloud infrastructure with encrypted storage and strict access controls
- **Deep codebase expertise**: VSHN engineers work with the OpenBao codebase daily and follow the Linux Foundation community

## Secrets management sovereignty compared

| Dimension | HashiCorp Vault | AWS Secrets Manager | Azure Key Vault | Google Secret Manager | VSHN Managed OpenBao |
|-----------|----------------|--------------------|-----------------|-----------------------|---------------------|
| **Ownership** | IBM (USA) | Amazon (USA) | Microsoft (USA) | Google (USA) | VSHN AG (Switzerland) |
| **Governing law** | US law | US law | US law | US law | Swiss law |
| **CLOUD Act** | Exposed | Exposed | Exposed | Exposed | Not exposed |
| **License** | BSL (not open source) | Proprietary | Proprietary | Proprietary | MPL 2.0 (open source) |
| **Governance** | IBM | Amazon | Microsoft | Google | Linux Foundation |
| **Key management** | Cloud HSM (US providers) | AWS CloudHSM | Azure Managed HSM | Cloud HSM | Swiss infrastructure, encrypted at rest |
| **Key custody** | Provider or customer | AWS-managed | Microsoft-managed | Google-managed | Strict operator access controls |
| **Operations team** | Customer or IBM | USA | USA | USA | Switzerland ([Swiss-only option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support)) |

## VSHN sovereignty self-assessment

We applied the EU's [Cloud Sovereignty Framework](https://commission.europa.eu/document/09579818-64a6-4dd5-9577-446ab6219113_en) (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's [EUR 180M sovereign cloud tender](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.

*This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.*

| # | Dimension | Weight | Assessment | Evidence |
|---|-----------|--------|-----------|----------|
| SOV-1 | Strategic | 15% | **Strong** | Swiss AG, no foreign parent, all shareholders Swiss citizens ([Commercial Register](https://zh.chregister.ch/cr-portal/auszug/auszug.xhtml?uid=CHE-275.566.226)) |
| SOV-2 | Legal | 10% | **Strong** | Swiss law ([GTC](https://products.vshn.ch/legal/gtc_en.html)), no CLOUD Act, [EU adequacy decision](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) |
| SOV-3 | Data & AI | 10% | **Strong** | Swiss DCs by default. Sovereign key management via [Managed OpenBao](https://www.openbao.ch) on Swiss infrastructure |
| SOV-4 | Operational | 15% | **Strong** | Swiss 24/7 ops, [Swiss-only support option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support). All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | **Strong** | Infrastructure-agnostic — [customer chooses provider](https://servala.com/providers/). Open-source software |
| SOV-6 | Technology | 15% | **Strong** | 100% open source. VSHN contributes to [K8up](https://github.com/k8up-io) (CNCF), [Crossplane providers](https://github.com/vshn), [Project Syn](https://github.com/projectsyn) |
| SOV-7 | Security | 10% | **Strong** | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II, Swiss SOC. [FINMA-regulated customers](https://www.vshn.ch/en/solutions/solutions-for-banks-and-financial-service-providers/) |
| SOV-8 | Environmental | 5% | **Moderate** | DC operators: Green Datacenter AG (ISO 22301/27001/27701), [Exoscale sustainability](https://www.exoscale.com/sustainability/). [VSHN CSR policy](https://handbook.vshn.ch/corporate_social_responsibility_policy.html) |

**Overall: SEAL-3 equivalent**, the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4: it requires fully EU/EEA-sourced hardware supply chains and open-source foundations, structural gaps shared by every cloud provider.

Try Swiss infrastructure: [Servala](https://www.servala.com) (managed services, free trial), Exoscale (Swiss IaaS). Want help choosing? [Contact us](#contact).

## Get a sovereignty assessment for your secrets management

Still running HashiCorp Vault? We assess your sovereignty profile and plan migrations to OpenBao. Our engineers have migrated production Vault clusters to OpenBao and understand the platform at the source code level.