Vault release notes

Release	RC date	GA date
1.21.x	2025-10-09	2025-10-22

Release notes provide an at-a-glance summary of key updates to new versions of Vault Enterprise. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Vault code on GitHub.

We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.

Review changes at a glance

Review historic breaking changes, new behavior, and known issues at a glance with the historic change tracker and LTS update tracker pages.

Executive summary

Vault Enterprise 1.21 minimizes operational burden, improves pricing visibility, and provides increased pricing support.

Highlights

Static role support for Azure enabled workflows that require managed, long-lived Azure credentials.
Smoother integration with bring-your-own DNS, AWS, Azure Privatelink, and custom domains.
Expanded Terraform Vault Provider support for provisioning and resource management with Terraform.
Emerging security policy management with IBM Z RACF passphrase support.
Enhanced logging and auditing that increases traceability and compliance.
Machine identity and authentication support for SPIFFE frameworks.

New features

Feature	Summary	Benefit
SPIFFE authentication	Use the SPIFFE authentication plugin to leverage SPIFFE frameworks based SVIDS. With the SPIFFE plugin, clients can authenticate to Vault and request SVIDs to authenticate in SPIFFE environment.	Increases flexibility to authenticate workloads with SPIFFE authentication methods and enables new workloads that require SPIFFE.
MFA TOTP self-enrollment	Configure multi-factor authentication in Vault to let clients self-enroll with QR codes during login when they do not have TOTP configured.	Eliminates the need for operators to manually generate and send enrollment QRs to users affected by MFA TOTP policies.
KV v2 version attribution	Call the metadata endpoint for the KV v2 plugin to fetch the human-readable name of the user who created a specfic secret version.	Simplifies information gathering by replacing manual audit log reviews with a straightforward metadata query.
Cumulative client counts endpoint	Easily query the number of Vault clients consumed by a namespace and all its descendants.	Provides easier access to client utilization data in environments with nested namespace structures.
Root rotation for Snowflake key-pairs	Perform on-demand and scheduled rotations for key-pair root credentials in the Snowflake plugin.	Fully automates the rotation of key-pair root credentials for Snowflake
Static roles in the Azure Secret Engine	Rotate Azure static roles tied to long-lived credentials on demand with initialization or imported credentials.	Simplify lifecycle management for long-lived Azure credentials for key workflows instead of juggling dynamic secrets that Vault revokes when the workflow client disconnects.

Existing feature improvements

Feature	Summary	Improvement
Client count dashboard	View a list of individual clients in each client count aggregate from the new Client list tab in the client count dashboard.	Simplifies data access for preliminary analysis.
Secret recovery	Use the Vault GUI, CLI, or API to automatically load snapshots, recover database static roles or SSH config CA/managed keys, and recover secrets as copies instead of overwriting the original.	Lets you delegate recovery of individual secrets without overwriting data and provide a granular, flexible recovery mechanism for technical and non-technical users.
Attestation evidence for credential rotation	Use Vault server logs to review the details for successful and failed automated root rotations and static role rotation for the database and LDAP secrets engines.	Improved transparancy and confidence that root credential rotation happened properly for less complicated compliance checks.
RACF passphrase support in the LDAP plugin	Use RACF passphrases (up to 100 characters) with the LDAP secrets engine plugin.	Supports longer, more secure RACF passphrases and helps you keep up with changing security policy requirements.
Eventing in the LDAP Secrets Engine	The LDAP secrets engine now emits events including rotation success and failure events.	Expands functionality of the LDAP secrets engine plugin with new events.
Dedicated rotation URL for LDAP authentication	The LDAP authentication plugin supports root account rotation with a dedicated URL.	Supports root account rotation even when you configure the plugin with the Global Catalog URL of an AD Forest.
Counter of PKI certificates issued	Track the monthly total number of PKI certificates issued cluster-wide by a given Vault cluster.	Improved visibility into PKI usage.
License utilization and product usage data updates	Vault collects and reports additional data points to HashiCorp for improved license utilization reporting and anonymized product usage reporting.	Improved product insights and roadmap prioritization.

Bug fixes

None.

Vault companion updates

Companion	Summary	Benefit
Vault Secrets Operator	Map Vault secrets directly into application pods with shared volumes as protected secrets using CSI drivers.	Deliver secrets from Vault to Kubernetes workloads in deployments that restrict the use of native K8s secrets.
Vault Secrets Store CSI provider	Red Hat certified the Vault Secrets Store CSI provider for use on OpenShift.	Use Vault Secret Store even in environments that require Red Hat Open Shift certification for all system components.
MS SQL external key management provider	Grant database administrators full control over the versions of `transit` keys used to wrap and unwrap data encryption keys for SQL Server.	Reduce the number of keys and simplify the database restore process from encrypted backups.

Feature deprecations and EOL

Deprecated in 1.21.x	Retired in 1.21.x
None	Snowflake DB password authentication
Exact-match list comparison on allowed_parameters and denied_parameters

Please refer to the deprecation notices for up-to-date information on feature deprecations and plans.