Hi all,
The Vault team is announcing the release candidates for 2.0.0. Release candidates must not be used in production, but your feedback is critical for a smooth final release.
The 2.0.0 Community Edition and Enterprise release candidates are available on our releases portal [1,10].
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].
Major upgrade considerations for Vault 2.0.0 are:
LDAP Secrets Engine - For existing LDAP static roles in Vault Enterprise, the rotation period for the credentials associated with each role will be migrated from the plugin to the central rotation manager. Please reference the important changes for details on the behavior change.
Major features and improvements in Vault 2.0.0 are:
SCIM Identity Provisioning - Automate identity lifecycle management by provisioning entities and groups in Vault from external identity platforms.
SPIFFE JWT-SVID support - Let authenticated workloads request JWT-SVIDs from Vault so they can participate in SPIFFE-based identity workflows.
Visual policy generator - Create policies faster and reduce manual policy authoring by generating ACL policy snippets from the Vault GUI.
Feature introduction pages - The Vault GUI now provides guided overviews for key Vault capabilities that help you understand core features without leaving the GUI.
Namespace onboarding workflow - Answer a few key questions in the Vault GUI to create new namespaces, then continue in the GUI, CLI, or Terraform.
WIF for Secret Sync to CSPs - Use workload identity federation (WIF) instead of storing static credentials to set up secret sync with AWS, GCP or Azure.
AWS KMS multi-region keys - Create and replicate managed keys across AWS regions so you can support multi-region encryption and disaster recovery workflows.
Local accounts secrets engine - Use Vault to manage Linux local accounts and automate rotation of their credentials.
LDAP static role rotation enhancements - Manage LDAP static credentials with more flexibility by adding initial passwords, self-managed rotation, schedules, and retry controls.
Rotation policies - Standardize how Vault handles failed automated rotations by defining reusable retry behavior for supported roles.
Public CA integration - Extend Vault's capabilities to integrate with public CAs and orchestrate certificate issuance and lifecycle management.
Envelope encryption - Encrypt and decrypt data on clients without sending the data to Vault.
Multi-cluster event notifications - Receive event notifications for secondary clusters as well and take action as necessary.
See the Changelog at [3] for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.
Community [6] and Enterprise [7] Docker images will be available soon.
---
Upgrading
See [4] for general upgrade instructions and [5] for the upgrade instructions and known issues specific to this release.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].
We hope you enjoy Vault 2.0.0-rc1!
Sincerely, The Vault Team