OpenBao Sovereignty: The Open-Source Fork That Exists Because of Sovereignty
OpenBao is the sovereignty story. When HashiCorp changed Vault's license from open source (MPL 2.0) to the Business Source License in August 2023 — and was then acquired by IBM in 2024 — the community forked the project under the Linux Foundation as OpenBao.
If you're running HashiCorp Vault today, your secrets management depends on software controlled by IBM (US) under a restrictive license. Your secrets — API keys, database credentials, encryption keys, certificates — are managed by a tool whose future is determined by a US corporation subject to the CLOUD Act.
Why OpenBao is the sovereign choice for secrets management
OpenBao maintains full API compatibility with HashiCorp Vault while restoring open-source governance:
- Open source (MPL 2.0) — the license HashiCorp abandoned, now protected under Linux Foundation governance
- No corporate owner — governed by the Linux Foundation, not a single company
- Full Vault compatibility — existing clients, Terraform providers, and integrations work without changes
- Swiss-only operations — VSHN deploys and operates OpenBao on Swiss cloud infrastructure with encrypted storage and strict access controls
- Deep codebase expertise — VSHN engineers work with the OpenBao codebase daily and follow the Linux Foundation community
Secrets management sovereignty compared
| Dimension | HashiCorp Vault | AWS Secrets Manager | Azure Key Vault | Google Secret Manager | VSHN Managed OpenBao |
|---|---|---|---|---|---|
| Ownership | IBM (USA) | Amazon (USA) | Microsoft (USA) | Google (USA) | VSHN AG (Switzerland) |
| Governing law | US law | US law | US law | US law | Swiss law |
| CLOUD Act | Exposed | Exposed | Exposed | Exposed | Not exposed |
| License | BSL (not open source) | Proprietary | Proprietary | Proprietary | MPL 2.0 (open source) |
| Governance | IBM | Amazon | Microsoft | Google | Linux Foundation |
| Key management | Cloud HSM (US providers) | AWS CloudHSM | Azure Managed HSM | Cloud HSM | Swiss infrastructure, encrypted at rest |
| Key custody | Provider or customer | AWS-managed | Microsoft-managed | Google-managed | Strict operator access controls |
| Operations team | Customer or IBM | USA | USA | USA | Switzerland (Swiss-only option) |
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao on Swiss infrastructure |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a sovereignty assessment for your secrets management
Still running HashiCorp Vault? We assess your sovereignty profile and plan migrations to OpenBao. Our engineers have migrated production Vault clusters to OpenBao and understand the platform at the source code level.