Vault release notes
- Version: 1.20.x
- GA date: 2025-06-25
Release notes provide an at-a-glance summary of key updates to new versions of Vault. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Vault code on GitHub.
We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.
Executive summary
Vault Enterprise 1.20.0 streamlines the user experience and improves visibility and transparency around billing, auditing, and Vault usage. The latest version of Vault also introduces new capabilities related to cryptography and secret recovery, and provides enhanced ecosystem integrations for centralizing secrets.
Highlights
- Improves support for chargeback and showback with enhanced visibility into the underlying source of costs.
- Simplifies and enhances the user experience by improving namespace navigation, providing a customizable login function, and releasing a new secret recovery function.
- Enhances and expands secure integrations by reducing friction on plugin distribution and supporting key-value-compatible secret import from AWS, Azure, and GCP.
- Adds SCEP protocol support in Vault PKI for certificate automation and reduces IT footprint by eliminating the need for alternate PKI solutions explicitly for SCEP integration.
- Verified Vault PKI SCEP integrations with Azure Intune and Jamf for certificate automation reduce operational burdens such as outages or security breaches due to certificate expiry.
- Enhances resilience by providing reliability improvements, control over traffic flows, and the ability to ensure fairness of Vault consumption across users and applications.
- Improves auditability and visibility into audit logs, certificates, and Vault feature usage, and provides opinionated suggestions for improving Vault usage, including benchmarking that supports migrating from Consul to integrated storage.
Feature deprecations and EOL
Deprecated in 1.20.x | Retired in 1.20.x |
---|---|
Duplicate HCL attributes | None |
Snowflake DB password authentication | |
Please refer to the deprecation notices for up-to-date information on feature deprecations and plans.
Important changes
Breaking changes
Found | Recommendations | Edition | Issue |
---|---|---|---|
1.20.0 | Yes | All | disable_mlock required for integrated storage |
1.20.0 | Yes | All | Rekey cancellations use a nonce |
Known issues
Found | Fixed | Workaround | Edition | Issue |
---|---|---|---|---|
1.20.0 | No | Yes | All | Duplicate unseal/seal wrap HSM keys |
1.20.0 | No | Yes | Enterprise | Development cluster setting overwritten on secondary cluster reload |
1.20.0 | No | Yes | All | UI login fails for auth mounts with underscores and unauthenticated listing |
1.20.0 | No | Yes | All | UI navigation to a KV v2 secret with an underscore errors without permissions to read subkeys |
System administration and operational updates
Update | Type | License | Description |
---|---|---|---|
Product usage data updates | Enhanced | Enterprise | Vault collects and reports additional data points to HashiCorp for improved product usage tracking. Learn more: Anonymous product usage reporting |
Production vs. non-production cluster assignment | GA | Enterprise | Designate individual clusters as production or non-production. Vault reports individual cluster status to HashiCorp. Learn more: Development cluster configuration |
Default login methods | GA | Enterprise | Configure default and backup login methods for Vault GUI to reduce complexity and confusion. Learn more: Manage custom login settings |
Client count dashboard updates | Enhanced | Enterprise | Provides improved visibility into client count attribution, increases accuracy by removing estimates, and sets the current billing period in Vault GUI based on the current Vault configuration. Learn more: Client usage overview |
Client count current month accuracy | Enhanced | Enterprise | Removed partial month estimates from client count to improve client count accuracy for the current month. Learn more: Partial month client count endpoint |
GUI Namespace picker updates | Enhanced | Enterprise | Search, filter, and navigate to namespaces in the GUI without having to reauthenticate while enjoying reduced performance load and enhanced accessibility. Learn more: Manage namespaces in the Vault GUI |
HTTP status telemetry | GA | Enterprise | Use Vault telemetry to track running total count by HTTP status codes. Learn more: vault.core.response_status_code |
Cluster wide client telemetry | GA | Enterprise | Capture Vault telemetry to track the total count of distinct clients in a cluster. The metric updates every 10 minutes to support live reporting and alerting. Learn more: vault.client.billing_period.activity |
Identity-based rate limit quotas | GA | Enterprise | Apply rate limit quotas by entity ID instead of IP for more granular and flexible control over traffic flow and easier management of misbehaving applications and users. Learn more: Resource quotas overview |
Collective rate limit quotas | GA | Enterprise | Apply collective rate limit quotas to all traffic globally or by targeting a namespace, path, or mount to enforce collective limits without having to account for individual IP addresses. Learn more: Resource quotas overview |
Secret recovery | GA | Enterprise | Recover an accidentally changed or deleted secret without performing a full cluster snapshot restoration, degrading the cluster, or impacting other items in the cluster. Learn more: Item recovery from a snapshot |
GUI for TOTP | GA | Community | Users with TOTP access can use the Vault GUI to view their accounts, add a new account, see their hidden-by-default TOTP codes, and view timers for when their TOTPs expire. |
Utilization reporting | GA | Enterprise | Review and identify the features used in a given cluster to determine where you might want to leverage additional Vault functionality. Learn more: /sys/utilization-report reference |
Secrets import | Beta | Enterprise | Migrate existing secrets to Vault to centralize secrets management and realize the value of Vault faster. Learn more: Secrets import overview |
Event notifications data consistency | GA | Enterprise | Event notifications include metadata to prevent stale data reads from secondary nodes during periods of high Vault load. Learn more: Event notifications overview |
Plugin downloads | Beta | Enterprise | Use new endpoints to simplify downloading official HashiCorp secret and auth plugins from releases.hashicorp.com. Learn more: Register external plugins |
Ephemeral resources support | GA | Enterprise | Use the Vault provider for Terraform with ephemeral resources and write-only attributes in key-value and database secret engines. Learn more: Vault provider for Terraform |
Manage 3rd-party secrets
Integrate Vault with the other elements of your development environment. Generate and revoke on-demand credentials for database systems and cloud providers like AWS, and control access to external information like encryption keys and cloud credentials.
Update | Type | License | Description |
---|---|---|---|
Snowflake authentication support for key pairs | GA | Community | Implement enhanced authentication security with key pair authentication in the Snowflake database secrets engine. Learn more: Snowflake overview |
Manage certificates
Configure Vault to work with certificate authorities like KMIP and PKI to manage certificate life cycles and authenticate clients.
Update | Type | License | Description |
---|---|---|---|
PKI support for SCEP certificate enrollment | GA | Community | Automate certificate enrollment of end-user and network devices that support the SCEP protocol. End-user device integration validations include Azure Intune and Jamf MDM platforms. |