Last week, the rebellion against HashiCorp over its adoption of a competition-restricting license for its Terraform software intensified. News emerged during the Open Source Summit in Tokyo, Japan that the Linux Foundation intends to support the development of an open source alternative to Vault, the company's secret management project.
Sebastian Stadil, co-founder and CEO of Scalr and one of the organizers of OpenTofu, a fork of Terraform, revealed details about the project, called OpenBao. OpenBao is a fork of Vault, software that helps developers manage secrets such as passwords, tokens, certificates and API keys.
OpenBao exists to provide a software solution for managing, storing, and distributing sensitive data, including secrets, certificates, and keys. The OpenBao community intends to provide this software under an OSI-approved open-source license, driven by a community operating under open governance principles.
A modern system requires access to multiple secrets: database credentials, API keys for external services, credentials for communication in a service-oriented architecture, etc. Figuring out who accesses which secrets is already very difficult and platform-specific. Adding key rotation, secure storage, and detailed audit logs is nearly impossible without a custom solution. This is where OpenBao comes in.
The main features of OpenBao are:
- Secure Storage of Secrets: Arbitrary secret keys/values can be stored in OpenBao. OpenBao encrypts these secrets before writing them to persistent storage, so gaining access to the raw storage is not enough to read your secrets. OpenBao can write to disk, Consul and more.
- Dynamic Secrets: OpenBao can generate secrets on demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks OpenBao for credentials, and OpenBao will generate an AWS key pair with valid permissions upon request. After creating these dynamic secrets, OpenBao automatically revokes them at the end of the lease period.
- Data Encryption: OpenBao can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location like a SQL database without having to design their own encryption methods.
- Lease and Renewal: Every secret in OpenBao has an associated lease. At the end of the lease, OpenBao automatically revokes that secret. Clients can renew leases via the built-in renewal APIs.
- Revocation: OpenBao has built-in support for secret revocation. OpenBao can revoke not only individual secrets, but also a tree of secrets, for example, all secrets read by a specific user or all secrets of a particular type. Revocation assists in key rotation and locking down systems in the event of an intrusion.
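The lease, renewal and tree-revocation behaviour described in the list above, as a constructed Python model (an added example, not OpenBao's own code; the path-like lease ids, the TTL values and the injectable clock are assumptions made for the demonstration):

```python
import time
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str     # path-like id, e.g. "aws/creds/deploy/<id>" (assumed layout)
    max_ttl: float    # hard cap: renewals never extend past issued_at + max_ttl
    issued_at: float
    expires_at: float


class LeaseStore:
    """Constructed model of OpenBao-style leases, not OpenBao's own code."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the model is testable offline
        self.leases = {}
        self.revoked = []       # ordered audit trail of revoked lease ids

    def issue(self, lease_id, ttl, max_ttl):
        t = self.now()
        self.leases[lease_id] = Lease(lease_id, max_ttl, t, t + ttl)

    def expire(self):
        # The sweep OpenBao performs automatically: leases past their end are revoked.
        t = self.now()
        for lid in [l for l, x in self.leases.items() if x.expires_at <= t]:
            self.revoke(lid)

    def is_live(self, lease_id):
        self.expire()
        return lease_id in self.leases

    def renew(self, lease_id, increment):
        # Returns the new remaining TTL, or None if the lease is already gone.
        if not self.is_live(lease_id):
            return None
        lease, t = self.leases[lease_id], self.now()
        lease.expires_at = min(t + increment, lease.issued_at + lease.max_ttl)
        return lease.expires_at - t

    def revoke(self, lease_id):
        if self.leases.pop(lease_id, None) is not None:
            self.revoked.append(lease_id)

    def revoke_prefix(self, prefix):
        # Tree revocation: every lease under a prefix such as one secrets
        # engine's role, mirroring "all secrets of a particular type".
        for lid in [l for l in self.leases if l.startswith(prefix)]:
            self.revoke(lid)
```

The max_ttl cap is the detail to watch: a client that keeps renewing still loses the credential at the hard limit, which is what makes rotation enforceable.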
Vault, along with other HashiCorp products such as Boundary, Consul, Nomad, Packer, Terraform, Vagrant and Waypoint, has been placed under the Business Source License, which prevents other cloud companies from offering the software as a competing product. As a result, rivals forked the Vault code under an OSI-approved license, the Mozilla Public License 2.0 (MPL 2.0), to ensure continued access to the technology.
Stadil, during the conference, said: “If there are two identical projects and one is open source and the other is not, I personally believe that the moral choice is to use the open source project and help it in some way.”
Stadil explained to The Register that the OpenTofu release candidate is expected soon and that OpenBao will begin accepting new contributions. OpenBao is being incubated at the Linux Foundation, led by IBM developers through LF Edge, an edge computing initiative. The project has not yet been officially approved by IBM, and before the Linux Foundation considers it “completed” it must meet certain criteria that demonstrate its likely durability.
During Stadil's presentation, concerns were raised about the vitality and longevity of the OpenTofu and OpenBao projects, both of which are still young. Stadil declined to speak on behalf of other companies, but recommended visiting the project repositories and noting who contributes to the two projects as an indicator of company support.
Asked what HashiCorp's reason was for relicensing its software, Stadil said the official line is that Terraform is vital to the internet and there has long been a desire to have it under the oversight of the Linux Foundation.
Stadil concluded by saying, “If HashiCorp wanted to join us in OpenTofu in the future, we would be excited to see that happen.” He declined to speculate on HashiCorp's internal decision-making process.
HashiCorp, according to Stadil, was burning cash, and with rising interest rates, it wouldn't be surprising to see the software company take steps to generate more revenue. HashiCorp did not immediately respond to a request for comment.
On Thursday, the software company reported revenue of $146.1 million for its fiscal third quarter of 2024, up 17 percent year over year, with a GAAP net loss of $39.5 million, down from $72 million in the same period last year.