A comprehensive demonstration project showing how to set up and integrate OpenBao (open-source HashiCorp Vault fork) for secrets management across different deployment scenarios and application frameworks.
OpenBao Vault is free from complex licensing restrictions and can be used inside an enterprise with no contracts or ongoing fees, while HashiCorp Vault's licensing now places limits on certain types of enterprise usage due to its adoption of the Business Source License (BSL).
- Since August 2023, HashiCorp Vault uses the Business Source License (BSL 1.1).
- BSL allows internal and personal use within organizations, but restricts users from offering Vault as a competitive SaaS product or as part of a competitive offering versus HashiCorp.
- Enterprises that do not intend to compete with HashiCorp commercially (such as SaaS hosting) can generally use Vault internally for free, but the license is not OSI-approved open source, and some use cases (especially externalized services) could fall afoul of restrictions.
- OpenBao is a community-led fork of HashiCorp Vault, primarily created in response to the BSL shift.
- OpenBao is licensed under the Mozilla Public License 2.0 (MPL 2.0), which is OSI-approved and truly open source.
- The MPL 2.0 license allows enterprise use, modification, and distribution, including commercial deployments, with none of the competitive usage restrictions found in HashiCorp's BSL.
- OpenBao is positioning itself as fully free for enterprise use, including features formerly in Vault's paid editions.
| Feature | HashiCorp Vault | OpenBao Vault |
|---|---|---|
| License type | BSL 1.1 (source-available) | MPL 2.0 (OSI open source) |
| Free for internal enterprise use | Yes, with limitations | Yes, unconditionally |
| Free for SaaS/competitive use | No | Yes |
| Open source recognized by OSI | No | Yes |
| Paid enterprise features | Yes | No; all enterprise features free |
- For maximum legal safety and guaranteed open-source compliance with no fees or contracts, OpenBao Vault is the preferred choice for enterprises, especially if vendor neutrality or future-proof licensing is a concern.
- HashiCorp Vault may still be usable for internal non-SaaS usage in some enterprise settings, but licensing restrictions make it less attractive where full freedom is required.
vBarbaros (victor.barbarosh@gmail.com)
This repository contains:
- DEMO_README.md - Complete OpenBao setup guide with two deployment options:
  - Docker container deployment (isolated, portable)
  - System service deployment (native performance)
- SPRING_BOOT_DEMO.md - Spring Boot application integration with OpenBao
- flask-app/ - Working Flask application with OpenBao integration
- FLASK_DEMO.md - Flask integration guide and documentation
- spring-boot-app/ - Working Spring Boot application with OpenBao integration
- OpenBao installation and configuration
- Vault initialization and unsealing
- AppRole authentication setup
- Secret storage and retrieval
- Application integration patterns
- Security best practices
- Troubleshooting guides
Choose your deployment method:
- For containerized setup: follow the Docker instructions in DEMO_README.md
- For a system service: follow the Service instructions in DEMO_README.md
Application integration:
- Java/Spring Boot: see SPRING_BOOT_DEMO.md
- Python/Flask: see flask-app/FLASK_DEMO.md
Demo secrets:
- Username: demo_db_user
- Password: demo_db_pwd
- Path: secret/database/demo
After completing OpenBao setup, start the demo applications:
Flask Application:
```bash
cd flask-app
./run.sh
```
- Runs on: http://localhost:5000
- Test: `curl http://localhost:5000/db-credentials`

Spring Boot Application:
```bash
cd spring-boot-app
./run.sh
```
- Runs on: http://localhost:8080
- Test: `curl http://localhost:8080/db-credentials`
Both applications retrieve demo database credentials from OpenBao using AppRole authentication.
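The exchange both demo apps perform (AppRole login, then a read of `secret/database/demo` with the returned token) is shown below as an added example; it is not code from this repository or from the OpenBao project. It assumes a KV v2 secrets engine mounted at `secret/` (so the read goes to `/v1/secret/data/database/demo`), uses placeholder role_id/secret_id/token values, and talks to a small in-process stand-in server that mimics the two OpenBao endpoints so the script runs offline. Point `fetch_db_credentials` at a real OpenBao address to use it against the demo setup.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError

# Constructed placeholder values for the in-process stand-in server. A real
# deployment issues role_id/secret_id per application; they are never hard-coded.
FAKE_ROLE_ID = "role-id-placeholder"
FAKE_SECRET_ID = "secret-id-placeholder"
FAKE_TOKEN = "token-placeholder"
DEMO_SECRET = {"username": "demo_db_user", "password": "demo_db_pwd"}  # values from the README
DEMO_SECRET_PATH = "secret/database/demo"  # assumes a KV v2 engine mounted at secret/


class AuthError(Exception):
    """Raised when AppRole login is rejected."""


class _StubOpenBao(BaseHTTPRequestHandler):
    """Stand-in for the two OpenBao endpoints the demo apps call (not OpenBao itself)."""

    def log_message(self, *args):  # keep request logging quiet
        pass

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        payload = json.loads(self.rfile.read(length) or b"{}")
        if self.path != "/v1/auth/approle/login":
            return self._reply(404, {"errors": []})
        if payload.get("role_id") == FAKE_ROLE_ID and payload.get("secret_id") == FAKE_SECRET_ID:
            self._reply(200, {"auth": {"client_token": FAKE_TOKEN, "lease_duration": 3600}})
        else:
            self._reply(400, {"errors": ["invalid role or secret ID"]})

    def do_GET(self):
        if self.headers.get("X-Vault-Token") != FAKE_TOKEN:
            self._reply(403, {"errors": ["permission denied"]})
        elif self.path == "/v1/secret/data/database/demo":
            self._reply(200, {"data": {"data": DEMO_SECRET, "metadata": {"version": 1}}})
        else:
            self._reply(404, {"errors": []})


def start_stub_server():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _StubOpenBao)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def approle_login(base_url, role_id, secret_id):
    """POST /v1/auth/approle/login and return the short-lived client token."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = request.Request(f"{base_url}/v1/auth/approle/login", data=body,
                          headers={"Content-Type": "application/json"}, method="POST")
    try:
        with request.urlopen(req) as resp:
            return json.load(resp)["auth"]["client_token"]
    except HTTPError as err:
        raise AuthError(f"AppRole login rejected with HTTP {err.code}") from err


def read_kv2_secret(base_url, token, path):
    """GET /v1/<mount>/data/<rest>; KV v2 nests the key/value pairs under data.data."""
    mount, _, rest = path.partition("/")
    req = request.Request(f"{base_url}/v1/{mount}/data/{rest}", headers={"X-Vault-Token": token})
    with request.urlopen(req) as resp:
        return json.load(resp)["data"]["data"]


def fetch_db_credentials(base_url, role_id, secret_id, path=DEMO_SECRET_PATH):
    """The two-step exchange both demo apps perform: log in, then read the secret."""
    token = approle_login(base_url, role_id, secret_id)
    return read_kv2_secret(base_url, token, path)


if __name__ == "__main__":
    server, url = start_stub_server()
    try:
        print(fetch_db_credentials(url, FAKE_ROLE_ID, FAKE_SECRET_ID))
    finally:
        server.shutdown()
```

The client token is held only for the lifetime of the call; the apps never persist it, and a wrong secret_id surfaces as a clear `AuthError` rather than a generic HTTP failure. If the demo mount were KV v1 instead, the read path would be `/v1/secret/database/demo` without the `data/` segment and the payload would sit directly under `data`.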
- Linux/macOS system
- Docker (for container deployment)
- Root/sudo access (for service deployment)
- curl, jq utilities
- Java 11+ (for Spring Boot demo)
- Python 3.8+ (for Flask demo)
- Store unseal keys securely and separately
- Use restricted file permissions (600) for credential files
- Enable TLS in production environments
- Implement secret rotation policies
- Enable audit logging for compliance
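The file-permission practice above is easiest to enforce in the application itself: refuse to load a credential file that anyone but its owner can read or write. The following is an added example, not code from this repository; it assumes a hypothetical JSON credential file holding `role_id` and `secret_id` for one of the demo apps, and the mode check is meaningful only on POSIX systems.

```python
import json
import os
import stat
import tempfile

# Hypothetical layout assumed for this example: a JSON object with role_id and
# secret_id, as an operator might drop beside one of the demo apps.


class InsecureCredentialFile(Exception):
    """Raised when the credential file is readable or writable by group/other."""


def load_approle_credentials(path):
    """Load role_id/secret_id, refusing files whose mode is wider than 0600 (fail closed)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path} is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureCredentialFile(f"{path} has mode {mode:04o}; expected 0600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    missing = {"role_id", "secret_id"} - data.keys()
    if missing:
        raise ValueError(f"credential file lacks {sorted(missing)}")
    return data["role_id"], data["secret_id"]


def write_credential_file(directory, role_id, secret_id, mode=0o600):
    """Create the file with the restrictive mode from the start, so there is no 0644 window."""
    path = os.path.join(directory, "approle.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"role_id": role_id, "secret_id": secret_id}, fh)
    os.chmod(path, mode)  # umask can only narrow the mode; make the result explicit
    return path


def demo():
    """Constructed run: a 0600 file loads; the same file widened to 0644 is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_credential_file(tmp, "role-id-placeholder", "secret-id-placeholder")
        loaded = load_approle_credentials(path)
        os.chmod(path, 0o644)
        try:
            load_approle_credentials(path)
            refused = False
        except InsecureCredentialFile:
            refused = True
    return loaded, refused


if __name__ == "__main__":
    print(demo())
```

Creating the file with `os.O_EXCL` and the final mode in one step avoids the common mistake of writing it world-readable and tightening it afterwards; the loader's check then catches any later drift (a careless `chmod`, a restore from backup) before the secret_id is ever read.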