
Vault BSL Exposure and Alternatives

By OpenSource Risk Experts  ·  June 14, 2026

Vault BSL exposure, and what to do about it, is the question facing every team that built its secrets management on HashiCorp Vault before the license changed. When HashiCorp moved Vault to the Business Source License 1.1 as of August 2023, alongside Terraform, Consul, Nomad, and Packer, the code stayed visible but the terms of use narrowed. For most enterprises running Vault to secure their own systems, the immediate impact is limited. For vendors and service providers who offer Vault competitively, the exposure is real. This article separates the two cases and lays out the alternatives worth weighing.

We write from the buyer side, as an independent advisory paid only by the buyer. This is not legal advice. For interpretation of the Business Source License, we point you to your own counsel. The aim is to help you decide whether to act, and if so, how.

What the Vault BSL actually restricts

The Business Source License is a source available license, not a closed one. The Vault source remains public and readable. What the license adds is a restriction on competitive production use and a delay, commonly four years per version, after which that version converts to an open license. The crucial phrase is competitive. The restriction targets using Vault to offer a product or service that competes with HashiCorp, now part of IBM. Running Vault internally to manage your own secrets is a different activity from selling a Vault based service to others.

This is why exposure varies so widely between Vault users. Two organizations can run the same software and carry entirely different risk depending on how they use it. The mechanics of the license family are set out in "HashiCorp BSL: what changed and what it means", and the same change applied to the other tools, as covered in "Consul, Nomad, and Packer under the BSL".

Who carries Vault exposure and who does not

The lowest exposure sits with the internal user. An enterprise running Vault to store and rotate its own credentials, sign certificates, and broker access to its own systems is generally not engaged in competitive use. That said, the line should be confirmed against the license text and your own counsel rather than assumed, because the details of your deployment can matter. The middle ground holds organizations whose use sits near the edge of competitive use, such as a platform team that exposes Vault backed services to many internal business units that resemble customers.

The highest exposure sits with vendors and service providers. A company that offers a managed secrets service built on Vault, or bundles Vault into a product it sells, is in the zone the license most wants to restrict. Service providers face this directly, as covered in "HashiCorp BSL and managed service providers". The test for whether your specific use is competitive is treated in "Is your Terraform use competitive under the BSL?", and the same logic applies to Vault.

OPENBAO

The community fork of Vault under an open license. Closest feature match and migration path for most teams.

CLOUD NATIVE MANAGERS

Provider secrets managers reduce operational burden but tie you to one cloud and may not match every Vault feature.

COMMERCIAL LICENSE

Stay on Vault under a negotiated agreement when migration is costly and your exposure is competitive.

The alternatives and how to weigh them

The most direct alternative is OpenBao, a community fork of Vault created under an open license in response to the relicensing and governed to give users the stability the original no longer offers. For teams whose concern is the license rather than a specific HashiCorp feature, OpenBao usually offers the closest match and the smoothest migration, in the same way OpenTofu serves former Terraform users. The migration discipline that worked for Terraform applies here, as set out in "Migrating from Terraform to OpenTofu step by step".

Cloud native secrets managers are a second path, trading operational burden for vendor lock-in and a possible feature gap. A commercial license from HashiCorp, now IBM, is a third, and the right choice when migration is costly and your exposure is genuinely competitive. The decision is rarely about the license alone. It is about migration cost, feature parity, operational fit, and your tolerance for a future change. Quantifying that tradeoff across your estate is the work, and assessing it across teams follows the method in "Terraform BSL exposure and assessing your risk".

Deciding whether to act

The honest answer for many internal Vault users is that no immediate action is required, only documentation of the decision and a watch on how your use evolves. For users near or inside the competitive zone, the decision deserves a structured comparison of migration against a negotiated license, sized in numbers your board can read. The wrong move is to act in haste on either side: ripping out Vault when your use is plainly internal, or ignoring a real competitive exposure because the code still runs. The full HashiCorp landscape sits in the "HashiCorp and Terraform" pillar page.

When you want your Vault use classified, your exposure sized, and the alternatives compared on real numbers, our relicensing exposure review traces the blast radius and gives you the basis for a sound decision.

COMMON QUESTIONS

Questions buyers ask.

What is Vault BSL exposure?

Vault BSL exposure is the risk created when HashiCorp moved Vault to the Business Source License 1.1 as of August 2023. The license restricts competitive production use and converts to an open license after a delay, commonly four years per version. For most internal secrets management the impact is limited, but vendors and service providers who offer Vault competitively carry real exposure.

Does the Vault BSL affect internal use?

Internal use to manage your own secrets is generally outside the competitive use restriction, but you should confirm against the license and your own counsel. The restriction targets offering Vault as a competing product or service, not running it to secure your own systems.

What are the alternatives to Vault under the BSL?

The main openly licensed alternative is OpenBao, a community fork of Vault under an open license created in response to the relicensing. Cloud native secrets managers from the major providers and other open source secrets tools are also options, each with a different migration cost and feature gap to weigh.

Should we migrate off Vault or buy a commercial license?

It depends on how you use Vault and your tolerance for migration cost. If your use is purely internal you may not need to act at all. If you carry competitive exposure, weigh a migration to OpenBao or another tool against a commercial license negotiated from the buyer side.

Is this legal advice?

No. We provide commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License and compliance questions, we recommend your own counsel.

CONTAINMENT

Classify your Vault use and size the exposure.

A confidential relicensing exposure review. Independent, buyer side, paid only by you.
