Vault release notes
Release notes provide an at-a-glance summary of key updates.
We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.
| Major release | Preview date | GA date |
|---|---|---|
| 2.x.x | 2026-04-01 | TBD |
Summary
Vault 2.x.x focuses on reducing manual setup and operational friction for teams that manage identity, secrets, and encryption across large environments. The release helps operators connect Vault to existing identity systems, deliver workload identity in SPIFFE-based environments, and sync secrets to external platforms without depending on long-lived cloud credentials.
Vault 2.x.x also helps teams manage distributed infrastructure with less custom glue code and fewer one-off workflows. Operators can standardize credential rotation, support multi-region key management, automate Linux local account management, and use more guided UI workflows when they onboard teams, create policies, and discover Vault capabilities.
Vault 2.0.0
New features (Enterprise)
- SCIM identity provisioning - Automate identity lifecycle management by provisioning entities and groups in Vault from external identity platforms.
- SPIFFE JWT-SVID support - Let authenticated workloads request JWT-SVIDs from Vault so they can participate in SPIFFE-based identity workflows.
- Visual policy generator - Create policies faster and reduce manual policy authoring by generating ACL policy snippets from the Vault GUI.
- Feature introduction pages - The Vault GUI now provides guided overviews for key Vault capabilities that help you understand core features without leaving the GUI.
- Namespace onboarding workflow - Answer a few key questions in the Vault GUI to create new namespaces, then continue in the GUI, CLI, or Terraform.
- Secret Sync - Use workload identity federation (WIF) to sync secrets to external systems without storing static credentials.
- AWS KMS multi-region keys - Create and replicate managed keys across AWS regions so you can support multi-region encryption and disaster recovery workflows.
- Local accounts secrets engine - Use Vault to manage Linux local accounts and rotate their credentials automatically.
- LDAP static role rotation enhancements - Manage LDAP static credentials with more flexibility by adding initial passwords, self-managed rotation, schedules, and retry controls.
- Rotation policies - Standardize how Vault handles failed automated rotations by defining reusable retry behavior for supported roles.
Bug fixes and security patches
- Credential rotation: Vault Agent template backoff reduces aggressive retries during secret rotation so that agents create less unnecessary network traffic and server load.
- identity: Repair the integrity of duplicate and/or dangling entity aliases.
Improvements
- The Vault UI navigation now organizes features around common operator tasks so users can find related capabilities faster.
- In-product feature descriptions explain what features do and when to use them so that users can evaluate capabilities in context.
- Azure secrets engine adds role metadata support, separates static credential import, and lowers the minimum TTL for static roles to 30 days so operators can manage Azure roles with more consistency.
- Event notifications support subscriptions from secondary clusters for events on the primary cluster so multi-cluster deployments can react with lower latency.
- External plugin management is easier in the Vault GUI so operators can manage external versions of built-in plugins without relying only on the API or CLI.
- IBM Passport Advantage Online license support lets Vault Enterprise use IBM Passport Advantage Online license keys so customers can reduce licensing fulfillment delays.
- Support for an additional licensing framework aligns pricing with workload, automation, and machine identity growth so billing better reflects platform usage.
- JWT auth updates improve JWT-based authentication workflows.
- Rotation retries use exponential backoff and orphan handling so Vault can retry failed root and static credential rotations without overloading the system. Vault 2.0.0 supports LDAP static roles in addition to the engines that already support root rotation.
Feature deprecations and EOL
| Deprecated in 2.0.0 | Retired in 2.0.0 |
|---|---|
| None | None |
Please refer to the deprecation notices for up-to-date information on feature deprecations and plans.