Vault
Vault Enterprise license keys
Enterprise
Appropriate Vault Enterprise license required
Vault Enterprise 1.8 introduced EULA enhancements and license keys that control the availability of features. You must have a Vault Enterprise binary (evaluation or non-evaluation) downloaded from releases.hashicorp.com to use a Vault Enterprise license key. Vault Enterprise license keys do not apply to HCP Vault Dedicated clusters.
How license keys work
License keys for Vault Enterprise determine how long you can use Vault and the availability of product features.
Each license key has a start date and an expiration date:
- You cannot start, restart, or unseal any Vault versions released after the expiration date. As a result, you also cannot update Vault with security fixes released after the expiration date.
- You can start, restart, and unseal Vault versions released before the expiration date.
Some license keys also enforce a termination date. If your license key enforces a termination date, you cannot start, restart, or unseal any version of Vault after the termination date. Existing, unsealed nodes continue to operate normally until they restart or have to unseal again.
| Key type | Issue date | Termination date |
|---|---|---|
| Commercial | After September 2025 | 60 days after expiration |
| Commercial | Before September 2025 | Non-terminating, or 10 years after expiration |
| Trial | Any | On, or one day after, expiration |
To review the dates on a license key, run
vault license inspect for a local key,
or vault license get to query the license
key of a Vault cluster.
You must comply with the terms of your Vault Enterprise license agreement, regardless of any automated license key enforcement behaviors. Continued use of Vault Enterprise after your subscription license period expires may violate the terms of your license agreement.
PKI-only license keys
Vault Enterprise 1.21 introduced licensing for clusters based on the number of certificates issued through the PKI secrets engine. The license key for a cluster licensed on the basis of certificates issued automatically sets the cluster to run in PKI-only mode. Cluster behavior changes while running in PKI-only mode in the following ways:
Restricted mounts. A PKI-only cluster rejects all API requests to secret engine mounts other than the PKI secrets engine. The restriction does not apply to authentication or system API paths.
Client counting. A PKI-only cluster hides the Client Usage dashboard in the Vault UI because the metric is irrelevant for license utilization purposes on that cluster.
Additional resources
Automatically load a Vault enterprise license - Configure Vault to automatically load your enterprise license.
Automated license utilization reporting - Learn about the data HashiCorp collects automatically to meter Enterprise license utilization and how to enable or disable automated reporting
Manual license utilization reporting - Learn how to manually export, review, and send license utilization data to HashiCorp through the Vault CLI or HCP web portal.
Anonymous product usage reporting - Learn about the anonymized data HashiCorp collects automatically for product usage reporting and how to enable or disable data collection.