December 11 2023

The open revolt against HashiCorp: OpenBao is born

License change in HashiCorp software triggers challenge with Linux Foundation support

OpenBao-Vault-Fork-HashiCorp

Last week, the rebellion against HashiCorp over its adoption of a competition-restricting license for its Terraform software intensified. News emerged during the Open Source Summit in Tokyo, Japan that the Linux Foundation intends to support the development of an open source alternative to Vault, the company's secret management project.

Sebastian Stadil, co-founder and CEO of Scalr and one of the organizers of OpenTofu, a fork of Terraform, revealed details about the project called OpenBao. OpenBao is a fork of Vault, a software that helps developers manage secrets like passwords, tokens, certificates, API keys, and the like.

OpenBao exists to provide a software solution for managing, storing, and distributing sensitive data, including secrets, certificates, and keys. The OpenBao community intends to provide this software under an OSI-approved open-source license, driven by a community operating under open governance principles.

A modern system requires access to multiple secrets: database credentials, API keys for external services, credentials for communication in a service-oriented architecture, etc. Figuring out who accesses which secrets is already very difficult and platform-specific. Adding key rotation, secure storage, and detailed audit logs is nearly impossible without a custom solution. This is where OpenBao comes in.

The main features of OpenBao are:

  1. Secure Storage of Secrets: Arbitrary secret keys/values ​​can be stored in OpenBao. OpenBao encrypts these secrets before writing them to persistent memory, so accessing raw memory is not enough to access your secrets. OpenBao can write to disk, Consul and more.
  2. Dynamic Secrets: OpenBao can generate secrets on demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks OpenBao for credentials, and OpenBao will generate an AWS key pair with valid permissions upon request. After creating these dynamic secrets, OpenBao automatically revokes them at the end of the lease period.
  3. Data Encryption: OpenBao can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location like a SQL database without having to design their own encryption methods.
  4. Lease and Renewal: All secrets in OpenBao have an associated location. At the end of the lease, OpenBao automatically revokes that secret. Customers can renew leases via integrated renewal APIs.
  5. Revocation: OpenBao has built-in support for secret revocation. OpenBao can revoke not only individual secrets, but also a tree of secrets, for example, all secrets read by a specific user or all secrets of a particular type. Revocation assists in key rotation and locking down systems in the event of an intrusion.

Vault, along with other HashiCorp products such as Boundary, Consul, Nomad, Packer, Terraform, Vagrant and Waypoint, has been placed under the Business Source License, which prevents other cloud companies from offering the software as a competitive product. As a result, rivals forked the Vault code under an OSI-compliant license, Mozilla PLv2, to ensure continued access to the technology.

Sebastian Stadil SCALR

Stadil, during the conference, said: “If there are two identical projects and one is open source and the other is not, I personally believe that the moral choice is to use the open source project and help it in some way.”

Stadil explained to The Register that the OpenTofu release candidate is expected soon and that OpenBao will begin accepting new contributions. OpenBao is being incubated at the Linux Foundation, led by IBM developers through LF Edge, an edge computing initiative. The project is not yet officially approved by IBM, but before it is considered “completed” by the Linux Foundation, it must meet certain criteria to demonstrate its likely durability.

During Stadil's presentation, concerns were expressed about the vitality and longevity of the OpenTofu and OpenBao projects, which are still considered recent. Stadil declined to speak on behalf of other companies, but recommended visiting project repositories to note who contributes to two projects as an indicator of company support.

Asked what HashiCorp's reason was for relicensing its software, Stadil said the official line is that Terraform is vital to the internet and there has long been a desire to have it under the oversight of the Linux Foundation.

Stadil concluded by saying, “If HashiCorp wanted to join us in OpenTofu in the future, we would be excited to see that happen.” He declined to speculate on HashiCorp's internal decision-making process.

HashiCorp, according to Stadil, was burning cash, and with rising interest rates, it wouldn't be surprising to see the software company take steps to generate more revenue. HashiCorp did not immediately respond to a request for comment.

On Thursday, the software company reported revenue of $146,1 million for its fiscal third quarter of 2024, up 17 percent year over year. This resulted in a GAAP net loss of $39,5 million, down from $72 million in the same period last year.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds owns the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Facebook, Inc. owns the rights to Facebook®; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV This site is not affiliated, sponsored, or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a registered trademark at European level by MANAGED SERVER SRL Via Enzo Ferrari, 9 62012 Civitanova Marche (MC) Italy.

Back to top