Vault Enterprise Licensing: Expiration, Termination, and What to Expect – HashiCorp Help Center

The information contained in this article has been verified as up‑to‑date on the date of the original publication of the article. HashiCorp endeavors to keep this information up‑to‑date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.

All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.

Introduction

Vault Enterprise uses licensing to manage access to Enterprise-only features and verify EULA compliance. Every Enterprise Vault node validates its license during certain lifecycle events. According to the documentation, Vault performs license verification:

During upgrades
Any time a node starts, restarts, or unseals

Understanding how Vault behaves during these events, especially when licenses reach their Expiration Time or Termination Time, helps operators avoid unexpected interruptions and plan renewals proactively.

Scenario

Customers often ask:

“What happens when my Vault Enterprise license expires?”
“Will Vault stop working immediately?”
“What’s the difference between Expiration Time and Termination Time?”
“Why does Vault still run even though the license is expired?”

These questions arise because Vault exposes both Expiration Time and Termination Time in its license outputs (vault license get and vault license inspect), but their operational meaning is not always obvious.

This article explains the meaning of these fields and clarifies what Vault does and does not guarantee when licenses enter expired or terminated states.

Recommendation

1. Understand License Expiration vs. License Termination

Expiration Time (Soft Enforcement)

The Expiration Time marks when the license is considered expired. Vault evaluates the license during lifecycle events such as start, restart, unseal, and upgrade. Whether startup succeeds depends on the Vault binary’s build date relative to the license expiration.

The documented behavior is:

Expired license + Vault build date before expiration → startup succeeds
Expired license + Vault build date after expiration → startup fails
Vault does not continuously enforce expiration during runtime; the enforcement happens when the license check is triggered at a lifecycle event.

To check your Vault build date, you can run the following commands. I’ve also included sample output for reference. Please note that the examples are only demonstrations and are not from the same Vault node.

$vault version-history

Note:
Use of this command requires a server running Vault 1.10.0 or greater.
Version tracking was added in 1.9.0. Earlier versions have not been tracked.


Version  Installation Time     Build Date
-------  -----------------     ----------
1.14.1   2023-08-21T23:20:50Z  2023-07-21T23:04:42Z
1.14.6   2023-11-21T20:51:24Z  2023-11-06T17:58:28Z
1.17.1   2024-07-04T03:23:03Z  2024-06-25T16:39:02Z
1.19.7   2026-01-16T22:35:06Z  2025-07-24T13:33:12Z
1.21.1   2026-01-16T22:48:39Z  2025-11-18T13:05:11Z
1.19.11  2026-02-04T17:23:02Z  2025-10-22T02:44:18Z

$vault status

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.19.1
Build Date      2025-04-02T15:43:36Z
Storage Type    inmem
Cluster Name    vault-cluster-1e76691a
Cluster ID      c4ca5956-383b-20cc-7a7d-494e0b01f045
HA Enabled      false

Termination Time (Hard Enforcement)

Some commercial licenses include a Termination Time, which represents a strict cutoff.

When the termination time has passed:

Vault may fail to start
A valid license must be provided before normal operation can continue

2. Evaluation License Behavior

Evaluation licenses behave differently from standard commercial licenses:

Short‑term use (often 30 days)
Include a 1‑day grace period
After expiration, Vault seals and cannot unseal until a valid license is applied

Evaluation licenses should be renewed or replaced before expiration to avoid service interruption.

3. Why the Vault Build Date Matters

Vault enforces expiration differently depending on when the Vault binary was built. The documented enforcement rules are:

If the Vault binary was built before the license expired → startup succeeds even if expired
If built after the license expired → startup fails

This explains:

Why Vault may continue running even after expiration
Why Vault may successfully restart in some environments after expiration
(only if the build date is before the expiration time)

4. Why Upgrades Always Fail with an Expired or Terminated License

“You cannot properly upgrade Vault with a terminated or expired license.”

There are two reasons upgrades fail:

Upgrade restriction

Upgrades cannot proceed with expired or terminated licenses.

Upgrades introduce a newer Vault binary

Upgrading replaces Vault with a version whose build date is almost always after your license expiration.

According to the startup behavior matrix:

Expired license + build date after expiration = startup fails

So after an upgrade, Vault cannot start until a valid license is applied.

This means:

Vault may keep running after expiration (no startup event has occurred).
Vault may restart successfully if using a build older than expiration.
Upgrades always fail, because they both:
- explicitly require a valid license, and
- replace Vault with a newer build date that fails the startup check.

5. How to Check License Status

View the active license

vault license get

This exposes fields including expiration_time, start_time, and termination_time.

Example:

$ vault license get
Key                          Value
---                          -----
expiration_time              2022-05-17T23:59:59Z
features                     [HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots]
license_id                   060d7820-fa59-f95c-832b-395db0aeb9ba
performance_standby_count    9999
start_time                   2021-05-17T00:00:00Z
termination_time             2031-05-17T23:59:59Z

Inspect a license file or value

vault license inspect /path/to/license

This displays the signed license contents including expiration and termination timestamps.

6. When to Contact Your HashiCorp Account Team

Customers should contact their HashiCorp Account Team for:

Renewing Enterprise licenses
Requesting new license keys
Questions about license duration or contract terms

Summary of Expected Behavior

Valid License → Vault starts normally.
Expired License
- Vault may still start if the binary pre‑dates expiration.
- Vault fails to start if the binary is newer than the expiration.
Terminated License → Vault may fail to start or unseal until a new license is provided.
Evaluation License → After expiration + grace period, Vault seals and cannot unseal without a valid license.

Additional Information

PKI‑Only Licensing (Vault Enterprise 1.21+)

Vault Enterprise 1.21 introduced PKI-only licenses. These licenses place the cluster in a restricted mode where:

Only the PKI secret engine may be used
All other secret engine mounts reject API requests
Auth and system paths remain available

Use PKI-only licensing only for clusters meant exclusively for certificate issuance.

Links to related articles

Vault Enterprise Licensing Overview
https://developer.hashicorp.com/vault/docs/license

vault license get CLI Command
https://developer.hashicorp.com/vault/docs/commands/license/get

vault license inspect CLI Command
https://developer.hashicorp.com/vault/docs/commands/license/inspect

Autoloading Enterprise Licenses
https://developer.hashicorp.com/vault/docs/license/autoloading