OpenBao Sovereignty: The Open-Source Fork That Exists Because of Sovereignty
OpenBao is the sovereignty story. When HashiCorp changed Vault's license from open source (MPL 2.0) to the Business Source License in August 2023 — and was then acquired by IBM in 2024 — the community forked the project under the Linux Foundation as OpenBao.
If you're running HashiCorp Vault today, your secrets management depends on software controlled by IBM (US) under a restrictive license. Your secrets — API keys, database credentials, encryption keys, certificates — are managed by a tool whose future is determined by a US corporation subject to the CLOUD Act.
Why OpenBao is the sovereign choice for secrets management
OpenBao maintains full API compatibility with HashiCorp Vault while restoring open-source governance:
- Open source (MPL 2.0) — the license HashiCorp abandoned, now protected under Linux Foundation governance
- No corporate owner — governed by the Linux Foundation, not a single company
- Full Vault compatibility — existing clients, Terraform providers, and integrations work without changes
- Swiss HSM integration — VSHN operates OpenBao with Securosys CloudHSM, a Swiss hardware security module where VSHN cannot access your key material
- Active upstream contribution — VSHN and partner bespinian contribute code to the OpenBao project
Secrets management sovereignty compared
| Dimension | HashiCorp Vault | AWS Secrets Manager | Azure Key Vault | Google Secret Manager | VSHN Managed OpenBao |
|---|---|---|---|---|---|
| Ownership | IBM (USA) | Amazon (USA) | Microsoft (USA) | Google (USA) | VSHN AG (Switzerland) |
| Governing law | US law | US law | US law | US law | Swiss law |
| CLOUD Act | Exposed | Exposed | Exposed | Exposed | Not exposed |
| License | BSL (not open source) | Proprietary | Proprietary | Proprietary | MPL 2.0 (open source) |
| Governance | IBM | Amazon | Microsoft | Google | Linux Foundation |
| HSM support | Cloud HSM (US providers) | AWS CloudHSM | Azure Managed HSM | Cloud HSM | Securosys CloudHSM (Swiss) |
| Key custody | Provider or customer | AWS-managed | Microsoft-managed | Google-managed | Customer-controlled (VSHN cannot access) |
| Operations team | Customer or IBM | USA | USA | USA | Switzerland (Swiss-only option) |
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a sovereignty assessment for your secrets management
Still running HashiCorp Vault? We assess your sovereignty profile and plan migrations to OpenBao. Our engineers contribute upstream and have migrated production Vault clusters to OpenBao.