upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-06-09 08:55:13 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

[DOCS] Add change tracker and prep docs for 1.20 (#30874)

Browse source 
* pull in 1.19 doc updates for backport to 1.20

* add 1.20 to hsm entry
This commit is contained in:
Sarah Chavis 2025-06-05 17:22:21 -07:00 committed by GitHub
parent c93729cafa
commit ff23007a15
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 343 additions and 482 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
website/content/docs/updates/change-tracker.mdx Normal file
View file

@ -0,0 +1,31 @@
---
layout: docs
page_title: Change tracker
description: >-
History of important upgrade changes for Vault updateds
---
# Vault change tracker
Summary tables of important changes that may affect your ability to upgrade
Vault.
## Changes for 1.20.x
@include 'release-notes/change-summary/1_20.mdx'
## Changes for 1.19.x
@include 'release-notes/change-summary/1_19.mdx'
## Changes for 1.18.x
@include 'release-notes/change-summary/1_18.mdx'
## Changes for 1.17.x
@include 'release-notes/change-summary/1_17.mdx'
## Changes for 1.16.x
@include 'release-notes/change-summary/1_16.mdx'

306
website/content/docs/updates/important-changes.mdx
View file

@ -15,9 +15,17 @@ valid_change_types: >-
# Important changes
**Last updated**: 2025-06-05
Always review important or breaking changes and remediation recommendations
before upgrading Vault.
## New behavior
None.
## Breaking changes
## Breaking configuration change for disable_mlock ((#disable_mlock-config))
| Change | Affected version | Affected deployments
@ -83,88 +91,17 @@ the 10 minute window do not require a nonce and succeed as expected.
To cancel a rekey operation, provide the nonce value from the
`/sys/rekey/init` or `sys/rekey-recovery-key/init` response.
## Transit support for Ed25519ph and Ed25519ctx signatures ((#ed25519))
## Bugs
| Change | Affected version | Affected deployments
| ------------ | ---------------- | --------------------
| New behavior | 1.19.0 | Transit plugins using Ed25519 keys
None.
Prior versions of sign and verify API endpoints backed by an Ed25519 key ignored
`prehashed=true` or `hash_algorithm=sha2-512` parameters. As a result, the
endpoint always returned or verified a Pure Ed25519 signature.
## Known issues
The Transit plugin now assumes input hashed using the SHA-512 algorithm and
returns an Ed25519ph or Pure Ed25519 signature based on the configuration of
`prehashed` and `hash_algorithm` parameters:
### Duplicate unseal/seal wrap HSM keys ((#hsm-keys)) <EnterpriseAlert inline="true" />
| Vault edition | `prehashed` | `hash_algorithm` | Return value
| ------------- | ---------- | --------------------------- | ------------
| Enterprise | not set | not set | Pure Ed25519
| Enterprise | false | any value other than sha2-512 | Pure Ed25519
| Enterprise | false | sha2-512 | Error
| Enterprise | true | any value other than sha2-512 | Error
| Enterprise | true | sha2-512 | Ed25519ph
| CE | not set | not set | Pure Ed25519
| CE | false | any value other than sha2-512 | Pure Ed25519
| CE | false | sha2-512 | Error
| CE | true | any value other than sha2-512 | Error
| CE | true | sha2-512 | Error
## Identity system duplicate cleanup ((#dedupe)) <EnterpriseAlert inline="true" />
| Change | Affected version | Affected deployments
| ------------ | ---------------- | --------------------
| New behavior | 1.19.0 | any
Vault 1.19.0 includes a feature flag that, when enabled, forces deduplication of
existing identities and forbids duplicate identities going forward. Once
activated, the deduplication feature corrects historical identity bugs with a
one-time deduplication process and restores Vault to secure, default behavior.
Vault does not enforce deduplication until you activate the relevant feature
flag.
### Recommendation
Vault 1.19.0 also includes improved reporting in server logs to help diagnose
whether you have duplicate identities in your Vault instance.
After upgrading, review your server logs for identity duplicate reporting.
refer to the [resolve duplicate identities](/vault/docs/secrets/identity/deduplication)
guides to understand deduplication log messages, determine if you need to take
action, make the necessary updates, and ensure the forced deduplication process
resolves safely.
## LDAP user DN search with `upndomain` ((#ldap))
| Change | Affected version | Affected deployments
| -------- | ---------------- | --------------------
| Breaking | 1.19.x | any
Security improvements to
[`hashicorp/cap/ldap`](https://github.com/hashicorp/cap/tree/main/ldap) ensure
that user DN searches with `upndomain` configured return an error if the search
returns more than one result.
### Recommendation
In previous Vault versions, DN searches with `upndomain` configured returned the
last user found for searches with multiple results. Review and update any code
that performs DN searches to handle multi-result errors and/or revise the search
to ensure a single result.
Refer to [the Github PR](https://github.com/hashicorp/cap/pull/151) for more
details.
## Duplicate unseal/seal wrap HSM keys ((#hsm-keys)) <EnterpriseAlert inline="true" />
| Change | Affected version | Affected deployments
| ----------- | ------------------------------ | --------------------
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | HSM-HA configurations migrating from Shamir to HSM-backed unseal/seal wraps.
| Change | Status | Affected version | Affected deployments
| ----------- | ------ | -------------------------------------- | --------------------
| Known issue | Open | 1.20.x, 1.19.x, 1.18.x, 1.17.x, 1.16.x | HSM-HA configurations migrating from Shamir to HSM-backed unseal/seal wraps.
Vault may create duplicate HSM keys when you migrate from Shamir to an
HSM-backed unseal configuration for high availability (HA) HSM deployments. Key
@ -177,218 +114,7 @@ Duplicate HSM keys can cause the following errors:
[seal-wrapped values](/vault/docs/enterprise/sealwrap#wrapped-parameters).
- nodes fail to unseal after a restart with errors such as `CKR_DATA_INVALID`.
### Recommendation
#### Recommendation
Always run Vault with `generate_key = false` and manually create all required
keys within the HSM during the setup process.
## Anonymized cluster data returned with license utilization ((#anon-data)) <EnterpriseAlert inline="true" />
| Change | Affected version | Affected deployments
| ------------ | ---------------- | --------------------
| New behavior | 1.19.0 | any
As of version 1.19.0 Vault Enterprise collects
[anonymous usage data](/vault/docs/enterprise/license/product-usage-reporting#anonymous-product-usage-reporting)
about the running Vault cluster and automatically sends the cluster usage data
along with the standard utilization data currently reported through automated
license reporting.
## RADIUS authentication is no longer case sensitive ((#case-sensitive))
| Change | Affected version | Affected deployments
| ------------ | ---------------- | --------------------
| New behavior | 1.19.0 | any
As of Vault 1.19.0 the RADIUS authentication plugin does not enforce case
sensitivity on entered credentials.
## Login/token renewal failures after group changes ((#group-writes))
| Change | Affected version | Affected deployments
| ----------- | ---------------- | --------------------
| Known issue | 1.19.0 | any
Performance standby nodes cannot persist updated group membership to storage.
As a result, standby nodes return a `500` error during login or token renewal if
the external group associated with the client entity changes.
### Recommendation
Direct all logins and token renewals to the active/primary node.
Or upgrade to Vault 1.19.3+
## Strict validation for Azure auth login requests ((#strict-azure))
| Change | Affected version | Affected deployments
| ------------ | -------------------------------- | --------------------
| New behavior | 1.19.1, 1.18.7, 1.17.14, 1.16.18 | any
Azure auth plugin requires `resource_group_name`, `vm_name`, and `vmss_name` to match the JWT claims on login
Vault versions before 1.19.1, 1.18.7, 1.17.14, and 1.16.18 did not strictly
validate the `resource_group_name`, `vm_name`, and `vmss_name` parameters
against their token claims for clients logging in with Azure authentication.
### Recommendation
Review the [Token validation](/vault/docs/auth/azure#token-validation) section
of the Azure authN plugin guide for more information on the new validation
requirements.
## Static LDAP role rotations on upgrade ((#ldap-static-role-rotations))
| Change | Affected version | Affected deployments
| ------------ | ---------------------------------------------------------------------- | --------------------
| Known issue | 1.19.0 - 1.19.1, 1.18.5 - 1.18.7, 1.17.12 - 1.17.14, 1.16.16 - 1.16.18 | any
Vault automatically rotates existing static roles tied to LDAP credentials once
when upgrading to an affected version. After the one-time rotation, the static
roles behave as expected.
### Recommendation
If you rely on LDAP static roles, upgrade to Vault 1.19.3+, 1.18.9+, 1.17.16+,
or 1.16.20+.
## Static DB role rotations on upgrade ((#db-static-role-rotations))
| Change | Affected version | Affected deployments
| ------------ | ----------------------------------------------------------------------- | --------------------
| Known issue | 1.19.0 - 1.19.2, 1.18.5 - 1.18.8, 1.17.12 - 1.17.15, 1.16.16 - 1.16.19 | any
Any database static role that was created prior to Vault 1.15.0 will be affected upon upgrading to the affected Vault versions.
Vault will automatically rotate static database credentials once, for all roles created prior to 1.15.0, when upgrading to affected versions.
After the one-time rotation, the static roles behave as expected.
### Recommendation
Upgrade to 1.19.3+, 1.18.9+, 1.17.16, 1.16.20+
## Vault log file missing subsystem logs ((#missing-logs))
| Change | Affected version | Affected deployments
| ------------ | -------------------------------- | --------------------
| Bug | 1.16.0, 1.17.13, 1.18.6, 1.19.0 | any
Log entries, including plugin logs, for Vault deployments using `log_file` do
not capture all relevant information even though the information appears as
expected in standard error and standard output.
### Recommendation
Upgrade to one of the following Vault versions: 1.16.18+, 1.17.14+, 1.18.7+,
1.19.1+
## Automated rotation stops after unseal ((#rotation-stops))
| Change | Affected version | Affected deployments
| ------------ | ---------------- | --------------------
| Bug | 1.19.0 - 1.19.2 | any
After unsealing Vault, the rotation manager does not reinstate the rotation
queue. The stopped queue then causes automated root credential rotations to
stop.
### Recommendation
Update the root configuration on affected backends to recreate the rotation
schedule with the previous values.
<Tabs>
<Tab heading="AWS">
```shell-session
$ vault write aws/config/root \
rotation_schedule="<old_schedule>" \
rotation_window="<old_window>"
```
</Tab>
<Tab heading="GCP">
```shell-session
$ vault write gcp/config/root rotation_period="<old_period>"
```
</Tab>
</Tabs>
## Azure Auth fails to authenticate Uniform VMSS instances ((#azure-vmss))
| Change | Affected version | Affected deployments
| ------------ | -------------------------------------------------------------- | --------------------
| Bug | 1.16.18-1.16.20, 1.17.14-1.17.16, 1.18.7-1.18.9, 1.19.1-1.19.3 | any
A previous update to validate JWT claims against the provided VM, VMSS, and
resource group names without accounting for the uniform VMSS format introduced a
regression that causes Azure authentication from a uniform VMSS instance with a
user assigned managed identity on the VMSS to incorrectly return an error.
### Recommendation
Upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+, 1.18.10+,
1.19.4+
## External Vault Enterprise plugins can't run on a standby node when it becomes active ((#external-enterprise-plugins))
| Change | Affected version | Affected deployments
| ------------ | -------------------------------------------------------------- | --------------------
| Bug | 1.16.17-1.16.20, 1.17.13-1.17.16, 1.18.6-1.18.9, 1.19.0-1.19.3 | any
External Enterprise plugins can't run on a standby node when it becomes active
because standby nodes don't extract the artifact when the plugin
is registered.
### Recommendation
As a workaround, add the plugin `.zip` artifact on every node and register the plugin on the
active node. Then, extract the contents of the zip file on the follower nodes
similar to the following folder structure for
`vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64.zip`.
```
<plugin-directory>/vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64
├── metadata.json
├── metadata.json.sig
└── vault-plugin-secrets-keymgmt
```
Alternatively, upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+,
1.18.10+, 1.19.4+. See [Register external plugins](/vault/docs/plugins/register)
for more details.
## AWS STS configuration can fail if STS endpoints are unspecified ((#aws-fallback-sts))
| Change | Affected version | Affected deployments
| ------ | ---------------- | --------------------
| Bug | 1.19.0-1.19.3 | any
When configuring an sts endpoint in the AWS Secrets engine, or when upgrading Vault with such an endpoint,
if no sts_endpoint is set, the engine will return an error stating that the number of endpoints and regions do not match:
```
{"errors":["number of regions does not match number of endpoints"]}
```
### Recommendation
Explicitly set the default endpoint and region when configuring sts:
```
{
...
sts_region = "us-east-1"
sts_endpoint = "https://sts.amazonaws.com"
...
}
```

365
website/content/docs/updates/release-notes.mdx
View file

@ -7,42 +7,11 @@ description: >-
# Vault release notes
- **Version**: 1.19.x
- **GA date**: 2025-03-05
- **Version**: 1.20.x
- **GA date**: TBD
@include 'release-notes/intro.mdx'
## Previous releases
- Vault 1.18.x [release notes](/vault/docs/v1.18.x/release-notes/1.18.0) and
[important changes](/vault/docs/v1.18.x/upgrading/upgrade-to-1.18.x)
- Vault 1.17.x [release notes](/vault/docs/v1.17.x/release-notes/1.17.0) and
[important changes](/vault/docs/v1.17.x/upgrading/upgrade-to-1.17.x)
- Vault 1.16.x [release notes](/vault/docs/v1.16.x/release-notes/1.16.1) and
[important changes](/vault/docs/v1.16.x/upgrading/upgrade-to-1.16.x)
## Important changes
| Change | Affected releases | Description
|---------------- | ------------------------------ | -----------
| Support change | 1.16.x | 1.16.x moves to [long term support](/vault/docs/enterprise/lts) and 1.19 becomes the current LTS version.
| New behavior | 1.19.x | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/updates/important-changes#ed25519)
| New behavior | 1.19.x | [Identity system duplicate cleanup](/vault/docs/updates/important-changes##dedupe)
| Breaking change | 1.19.x | [Security improvement for LDAP user DN search with `upndomain`](/vault/docs/updates/important-changes#ldap)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Duplicate unseal/seal wrap HSM keys](/vault/docs/updates/important-changes##hsm-keys)
| New behavior | 1.19.x | [Anonymized cluster data returned with license utilization](/vault/docs/updates/important-changes#anon-data)
| New behavior | 1.19.x | [Uppercase values are no longer forced to lower case](/vault/docs/updates/important-changes#case-sensitive)
| Known issue | 1.19.x | [Login/token renewal failures after group changes](/vault/docs/updates/important-changes#group-writes)
| New behavior | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Strict validation for Azure auth login requests](/vault/docs/updates/important-changes#strict-azure)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Unexpected LDAP static role rotations on upgrade](/vault/docs/updates/important-changes#ldap-static-role-rotations)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Unexpected DB static role rotations on upgrade](/vault/docs/updates/important-changes#db-static-role-rotations)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Vault log file missing subsystem logs](/vault/docs/updates/important-changes#missing-logs)
| Known issue | 1.19.x | [Automated rotation stops after unseal](/vault/docs/updates/important-changes#rotation-stops)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Azure Auth fails to authenticate Uniform VMSS instances](/vault/docs/updates/important-changes#azure-vmss)
| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [External Vault Enterprise plugins can't run on a standby node when it becomes active](/vault/docs/updates/important-changes#external-enterprise-plugins)
| Known issue | 1.19.x | [AWS STS secrets can fail if STS endpoints are unspecified](/vault/docs/updates/important-changes#aws-fallback-sts)
| Breaking | 1.20.x | [`disable_mlock` required for integrated storage](/vault/docs/updates/important-changes#disable_mlock-config)
## Feature deprecations and EOL
Deprecated in 1.20.x | Retired in 1.20.x
@ -52,18 +21,14 @@ Deprecated in 1.20.x | Retired in 1.20.x
@include 'release-notes/deprecation-note.mdx'
## Vault companion updates
## Important changes
Companion updates are Vault updates that live outside the main Vault binary.
**None**.
@include 'release-notes/change-summary/1_20.mdx'
## Community updates
Follow the learn more links for more information, or browse the list of
[Vault tutorials updated to highlight changes for the most recent GA release](/vault/tutorials/new-release).
## System management and operational updates
@include 'release-notes/section-notes/ops.mdx'
<table>
<thead>
@ -78,26 +43,13 @@ Follow the learn more links for more information, or browse the list of
<tr>
<td style={{verticalAlign: 'middle'}}>
Faster availability after restart
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Identity loading on restart is up to 40% faster and Vault logs include new
diagnostic information to troubleshoot cluster slowness with the
`post_unseal_trace_directory` configuration setting.
Pending
<br /><br />
Learn more: <a href="/vault/docs/configuration#enable_post_unseal_trace">`post_unseal_trace_directory` parameter details</a>
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
Raft integrated storage
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Corrects a previous issue with Raft nodes generating stale data by
preventing stale nodes from servicing requests to the cluster.
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>
@ -105,7 +57,9 @@ Follow the learn more links for more information, or browse the list of
</table>
## Enterprise updates
## Manage 3rd-party secrets
@include 'release-notes/section-notes/ops.mdx'
<table>
<thead>
@ -115,146 +69,173 @@ Follow the learn more links for more information, or browse the list of
<th style={{verticalAlign: 'middle'}}>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{verticalAlign: 'middle'}}>
Identity
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Opt-in resolution of accidental duplicates in the identity system with a
gated feature to force deduplication.
Pending
<br /><br />
Learn more: <a href="/vault/docs/upgrading/deduplication">Find and resolve duplicate Vault identities</a>
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
Autopilot
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Improved upgrade stability with better cluster leadership reconciliation.
<br /><br />
Learn more: <a href="/vault/docs/concepts/integrated-storage/autopilot">Autopilot overview</a>
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
Database support
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Onboard static database accounts without immediate rotation, precise
timing, or coordinating with maintenance windows.
<br /><br />
Learn more: <a href="/vault/docs/secrets/databases#onboarding-static-database-users">Onboarding static DB users</a>
</td>
</tr>
<tr>
<td rowSpan={2} style={{verticalAlign: 'middle'}}>
Events
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Vault now sends event notifications to subscribers on all Vault nodes
within a cluster.
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Notification subscriptions for secret deletion no longer requires a root
token.
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
Plugin support
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Run Vault Enterprise plugins external to Vault. Running plugins externally
is useful in deployments when the plugin requires different environment
variable values than the Vault binary.
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
Automated root credential rotation
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
<td style={{verticalAlign: 'middle'}}>
Use a rotation manager to regularly rotate credentials for
AWS (
<a href="/vault/docs/secrets/aws#schedule-based-root-credential-rotation">secrets</a>,
&nbsp;
<a href="/vault/docs/auth/aws#schedule-based-root-credential-rotation">authN</a>
),
Azure (
<a href="/vault/docs/secrets/azure#root-credential-rotation">secrets</a>,
&nbsp;
<a href="/vault/api-docs/auth/azure#rotate-root">authN</a>
),
GCP (
<a href="/vault/docs/secrets/gcp#root-credential-rotation">secrets</a>,
&nbsp;
<a href="/vault/api-docs/auth/gcp#rotate-root-credentials">authN</a>
),
LDAP (
<a href="/vault/docs/secrets/ldap#root-credential-rotation">secrets</a>,
&nbsp;
<a href="/vault/docs/auth/ldap#root-credential-rotation">authN</a>
),
and <a href="/vault/docs/secrets/databases#schedule-based-static-role-rotation">DB plugins</a>
&nbsp;
without manual intervention.
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
AWS plugin
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
<td style={{verticalAlign: 'middle'}}>
Vault now supports AWS static role credentials for multiple AWS accounts
with a single mount path to better manage AWS credentials at scale.
<br /><br />
Learn more: <a href="/vault/docs/secrets/aws#sts-assumerole">STS AssumeRole</a>
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
GUI support for WIF plugin configuration
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
<td style={{verticalAlign: 'middle'}}>
Use the Vault GUI to enable and configure WIF with
&nbsp;<a href="/vault/docs/secrets/aws#setup">AWS</a>,
&nbsp;<a href="/vault/docs/secrets/aws#setup">Azure</a>, and
&nbsp;<a href="/vault/docs/secrets/gcp#setup">GCP</a>
</td>
</tr>
<tr>
<td style={{verticalAlign: 'middle'}}>
PKI: Constrained CA support
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
<td style={{verticalAlign: 'middle'}}>
Use the PKI plugin to instantiate intermediate CAs with customer defined
constraints (permitted URI , IPs, excluded DNS, etc.) and delegate PKI
administration.
<br /><br />
Learn more: <a href="/vault/api-docs/secret/pki">PKI plugin API</a>
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>
</tbody>
</table>
## Manage certificates
@include 'release-notes/section-notes/ops.mdx'
<table>
<thead>
<tr>
<th style={{verticalAlign: 'middle'}}>Release</th>
<th style={{verticalAlign: 'middle'}}>Update</th>
<th style={{verticalAlign: 'middle'}}>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{verticalAlign: 'middle'}}>
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Pending
<br /><br />
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>
</tbody>
</table>
## Manage identities and authentication
@include 'release-notes/section-notes/identity.mdx'
<table>
<thead>
<tr>
<th style={{verticalAlign: 'middle'}}>Release</th>
<th style={{verticalAlign: 'middle'}}>Update</th>
<th style={{verticalAlign: 'middle'}}>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{verticalAlign: 'middle'}}>
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Pending
<br /><br />
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>
</tbody>
</table>
## Manage static secrets
@include 'release-notes/section-notes/static-secrets.mdx'
<table>
<thead>
<tr>
<th style={{verticalAlign: 'middle'}}>Release</th>
<th style={{verticalAlign: 'middle'}}>Update</th>
<th style={{verticalAlign: 'middle'}}>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{verticalAlign: 'middle'}}>
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Pending
<br /><br />
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>
</tbody>
</table>
## Secure sensitive data
@include 'release-notes/section-notes/sensitive-data.mdx'
<table>
<thead>
<tr>
<th style={{verticalAlign: 'middle'}}>Release</th>
<th style={{verticalAlign: 'middle'}}>Update</th>
<th style={{verticalAlign: 'middle'}}>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{verticalAlign: 'middle'}}>
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Pending
<br /><br />
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>
</tbody>
</table>
## Support regulatory compliance
@include 'release-notes/section-notes/compliance.mdx'
<table>
<thead>
<tr>
<th style={{verticalAlign: 'middle'}}>Release</th>
<th style={{verticalAlign: 'middle'}}>Update</th>
<th style={{verticalAlign: 'middle'}}>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style={{verticalAlign: 'middle'}}>
Pending
</td>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>Pending</td>
<td style={{verticalAlign: 'middle'}}>
Pending
<br /><br />
Learn more: <a href="/vault/docs/">TDB</a>
</td>
</tr>

36
website/content/partials/release-notes/change-summary/1_16.mdx Normal file
View file

@ -0,0 +1,36 @@
Change | Found | Fixed | Recs | Edition | Issue
--------------- | ------- |-------- | ------- | ---------- | -----
Breaking change | 1.16.0 | N/A | **Yes** | All | [Docker image no longer contains curl](/vault/docs/v1.16.x/updates/important-changes#docker-image-no-longer-contains-curl)
New behavior | 1.16.0 | N/A | No | Enterprise | [Activity log changes](/vault/docs/v1.16.x/updates/important-changes#activity-log-changes)
New behavior | 1.16.0 | N/A | No | All | [Auto-rolled billing start date](/vault/docs/v1.16.x/updates/important-changes#auto-rolled-billing-start-date)
New behavior | 1.16.0 | N/A | **Yes** | All | [Default lease count quota enabled when upgrading from Vault versions before 1.9](/vault/docs/v1.16.x/updates/important-changes#default-lease-count-quota-enabled-when-upgrading-from-vault-versions-before-1-9)
New behavior | 1.16.0 | N/A | **Yes** | All | [External plugin variables take precedence over system variables](/vault/docs/v1.16.x/updates/important-changes#external-plugin-variables-take-precedence-over-system-variables)
New behavior | 1.16.0 | N/A | **Yes** | All | [LDAP auth login changes](/vault/docs/v1.16.x/updates/important-changes#ldap-auth-entity-alias-names-no-longer-include-upndomain)
New behavior | 1.16.0 | N/A | **Yes** | All | [Product usage reporting](/vault/docs/v1.16.x/updates/important-changes#product-usage-reporting)
New behavior | 1.16.0 | N/A | **Yes** | All | [Secrets Sync cannot be activated from chroot namespace](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-cannot-be-activated-from-chroot-namespace)
New behavior | 1.16.0 | N/A | No | Enterprise | [Secrets Sync now requires setting a one-time flag before use](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-now-requires-setting-a-one-time-flag-before-use)
New behavior | 1.16.18 | N/A | No | All | [Strict validation for Azure auth login requests](/vault/docs/v1.16.x/updates/important-changes#strict-azure)
Bug | 1.16.0 | 1.16.18 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.16.x/updates/important-changes#vault-log-file-missing-subsystem-logs)
Bug | 1.16.17 | 1.16.21 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.16.x/updates/important-changes#external-ent-plugins)
Bug | 1.16.18 | 1.16.21 | Upgrade | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.16.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances)
Known issue | 1.16.0 | 1.16.3 | **Yes** | All | [Azure secrets engine role creation failing](/vault/docs/v1.16.x/updates/important-changes#azure-secrets-engine-role-creation-failing)
Known issue | 1.16.0 | 1.16.3 | **Yes** | All | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/v1.16.x/updates/important-changes#secret-sync-flag)
Known issue | 1.16.0 | No | **Yes** | Enterprise | [Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster](/vault/docs/v1.16.x/updates/important-changes#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster)
Known issue | 1.16.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.16.x/updates/important-changes#hsm-keys)
Known issue | 1.16.0 | 1.16.1 | Upgrade | All | [Error logging in with LDAP auth method](/vault/docs/v1.16.x/updates/important-changes#error-logging-in-with-ldap-auth-method)
Known issue | 1.16.0 | 1.16.1 | Upgrade | All | [Error logging in with LDAP auth method when anonymous group search is enabled](/vault/docs/v1.16.x/updates/important-changes#error-logging-in-with-ldap-auth-method-when-anonymous-group-search-is-enabled)
Known issue | 1.16.0 | No | **Yes** | All | [Existing clusters do not show the current Vault version in UI by default](/vault/docs/v1.16.x/updates/important-changes#existing-clusters-do-not-show-the-current-vault-version-in-ui-by-default)
Known issue | 1.16.0 | No | **Yes** | Enterprise | [Manual entity merges sent to a PR secondary cluster are not persisted to storage](/vault/docs/v1.16.x/updates/important-changes#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage)
Known issue | 1.16.0 | 1.16.4 | **Yes** | All | [New nodes added by autopilot upgrades provisioned with the wrong version](/vault/docs/v1.16.x/updates/important-changes#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version)
Known issue | 1.16.0 | 1.16.3 | **Yes** | Enterprise | [Performance Standbys revert to Standby mode on unseal](/vault/docs/v1.16.x/updates/important-changes#performance-standbys-revert-to-standby-mode-on-unseal)
Known issue | 1.16.0 | No | **Yes** | All | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/v1.16.x/updates/important-changes#pki-ocsp-get-requests-can-return-http-redirect-responses)
Known issue | 1.16.0 | 1.16.6 | **Yes** | Enterprise | [Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener](/vault/docs/v1.16.x/updates/important-changes#potential-dos-when-using-the-deny_unauthorized-proxy-protocol-behavior-for-a-tcp-listener)
Known issue | 1.16.0 | No | **Yes** | All | [Sending SIGHUP to vault standby node causes panic](/vault/docs/v1.16.x/updates/important-changes#sending-sighup-to-vault-standby-node-causes-panic)
Known issue | 1.16.0 | No | Upgrade | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.16.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart)
Known issue | 1.16.1 | 1.16.2 | **Yes** | All | [Error configuring the JWT auth method](/vault/docs/v1.16.x/updates/important-changes#error-configuring-the-jwt-auth-method)
Known issue | 1.16.16 | No | No | All | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.16.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials)
Known issue | 1.16.16 | 1.16.20 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#database-static-role-rotations-on-upgrade)
Known issue | 1.16.16 | 1.16.20 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)
Known issue | 1.16.3 | 1.16.6 | **Yes** | All | [JWT auth login requires bound audiences on the role](/vault/docs/v1.16.x/updates/important-changes#jwt-auth-login-requires-bound-audiences-on-the-role)
Known issue | 1.16.3 | 1.16.7 | Upgrade | Enterprise | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/v1.16.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes)
Known issue | 1.16.7 | 1.16.9 | Upgrade | All | [Client tokens and token accessors audited in plaintext](/vault/docs/v1.16.x/updates/important-changes#client-tokens-and-token-accessors-audited-in-plaintext)

29
website/content/partials/release-notes/change-summary/1_17.mdx Normal file
View file

@ -0,0 +1,29 @@
Change | Found | Fixed | Recs | Edition | Issue
--------------- | ------- |-------- | ------- | ---------- | -----
Beta deprecated | 1.17.0 | N/A | No | All | [Request limiter deprecated](/vault/docs/v1.17.x/updates/important-changes#request-limiter)
Opt out feature | 1.17.0 | N/A | **Yes** | All | [PKI sign-intermediate now truncates `notAfter` field to signing issuer](/vault/docs/v1.17.x/updates/important-changes#pki-truncate)
New behavior | 1.17.0 | N/A | No | All | [Allowed audit headers now have unremovable defaults](/vault/docs/v1.17.x/updates/important-changes#audit-headers)
New behavior | 1.17.0 | N/A | **Yes** | All | [JWT auth login requires `bound_audiences` parameter on role](/vault/docs/v1.17.x/updates/important-changes#jwt-auth-login-requires-bound-audiences-on-the-role)
New behavior | 1.17.14 | N/A | No | All | [Strict validation for Azure auth login requests](/vault/docs/v1.17.x/updates/important-changes#strict-azure)
New behavior | 1.17.3 | N/A | **Yes** | All | [Secrets Sync SSRF Protection May Block Private Endpoints](/vault/docs/v1.17.x/updates/important-changes#secrets-sync-ssrf-protection-may-block-private-endpoints)
New behavior | 1.17.9 | N/A | No | All | [Default report months deprecated for `sys/internal/counters`](/vault/docs/v1.17.x/updates/important-changes#activity-log-changes)
New behavior | 1.17.9 | N/A | **Yes** | All | [Vault product usage metrics reporting](/vault/docs/v1.17.x/updates/important-changes#product-usage-reporting)
Bug | 1.17.0 | 1.17.17 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.17.x/updates/important-changes#external-ent-plugins)
Bug | 1.17.0 | 1.17.14 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.17.x/updates/important-changes#vault-log-file-missing-subsystem-logs)
Bug | 1.17.14 | 1.17.17 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.17.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances)
Known issue | 1.17.0 | 1.17.4 | **Yes** | All | [AWS Auth Role configuration requires an external_id](/vault/docs/v1.17.x/updates/important-changes#aws-auth-role-configuration-requires-an-external_id)
Known issue | 1.17.0 | 1.17.6 | **Yes** | All | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/v1.17.x/updates/important-changes#cached-activation-flags-for-secrets-sync-on-follower-nodes-are-not-updated)
Known issue | 1.17.0 | 1.17.5 | Upgrade | All | [Client tokens and token accessors audited in plaintext](/vault/docs/v1.17.x/updates/important-changes#client-tokens-and-token-accessors-audited-in-plaintext)
Known issue | 1.17.0 | 1.17.3 | Upgrade | All | [Deleting an entity-aliases does not remove it from the in-memory database on standby nodes](/vault/docs/v1.17.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes)
Known issue | 1.17.0 | No | **Yes** | Enterprise | [Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster](/vault/docs/v1.17.x/updates/important-changes#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster)
Known issue | 1.17.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.17.x/updates/important-changes#seal-seal-wrapped-duplicate-hsm-keys)
Known issue | 1.17.0 | 1.17.2 | Upgrade | Enterprise | [Input data on Transit Generate CMAC Response](/vault/docs/v1.17.x/updates/important-changes#input-data-on-transit-generate-cmac-response)
Known issue | 1.17.0 | No | **Yes** | Enterprise | [Manual entity merges sent to a PR secondary cluster are not persisted to storage](/vault/docs/v1.17.x/updates/important-changes#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage)
Known issue | 1.17.0 | No | **Yes** | All | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/v1.17.x/updates/important-changes#pki-ocsp)
Known issue | 1.17.0 | No | Upgrade | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.17.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart)
Known issue | 1.17.0 | 1.17.1 | Upgrade | All | [Vault Agent and Vault Proxy consume an excessive amount of CPU](/vault/docs/v1.17.x/updates/important-changes#vault-agent-and-vault-proxy-consume-an-excessive-amount-of-cpu)
Known issue | 1.17.0 | 1.17.3 | Upgrade | Enterprise | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/v1.17.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes)
Known issue | 1.17.1 | 1.17.2 | **Yes** | All | [Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener](/vault/docs/v1.17.x/updates/important-changes#potential-dos-when-using-the-deny_unauthorized-proxy-protocol-behavior-for-a-tcp-listener)
Known issue | 1.17.12 | No | No | All | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.17.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials)
Known issue | 1.17.12 | 1.17.16 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.17.x/updates/important-changes#database-static-role-rotations-on-upgrade)
Known issue | 1.17.12 | 1.17.16 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.17.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)

15
website/content/partials/release-notes/change-summary/1_18.mdx Normal file
View file

@ -0,0 +1,15 @@
Change | Found | Fixed | Recs | Edition | Issue
------------ | ------ |-------- | ------- | ---------- | -----
Beta removed | 1.18.0 | N/A | No | All | [Request limiter removed](/vault/docs/v1.18.x/updates/important-changes#request-limiter-configuration-removal)
New behavior | 1.18.0 | N/A | No | All | [Activity log changes](/vault/docs/v1.18.x/updates/important-changes#default-activity-log-querying-period)
New behavior | 1.18.0 | N/A | **Yes** | All | [Docker image no longer contains curl](/vault/docs/v1.18.x/updates/important-changes#docker-image-no-longer-contains-curl)
New behavior | 1.18.2 | N/A | **Yes** | All | [Anonymous product usage metrics collection](/vault/docs/v1.18.x/updates/important-changes#product-usage-reporting)
New behavior | 1.18.7 | N/A | No | All | [Strict validation for Azure auth login requests](/vault/docs/v1.18.x/updates/important-changes#azure-auth-plugin-requires-resource_group_name-vm_name-and-vmss_name-to-match-the-jwt-claims-on-login)
Bug | 1.18.0 | 1.18.7 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.18.x/updates/important-changes#vault-log-file-missing-subsystem-logs)
Bug | 1.18.6 | 1.18.10 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.18.x/updates/important-changes#external-ent-plugins)
Bug | 1.18.7 | 1.18.10 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.18.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances)
Known issue | 1.18.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.18.x/updates/important-changes#seal-seal-wrapped-duplicate-hsm-keys)
Known issue | 1.18.0 | 1.18.9 | **Yes** | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.18.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart)
Known issue | 1.18.5 | No | No | All | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.18.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials)
Known issue | 1.18.5 | 1.18.9 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#database-static-role-rotations-on-upgrade)
Known issue | 1.18.5 | 1.18.9 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#ldap-static-role-rotations-on-upgrade)

19
website/content/partials/release-notes/change-summary/1_19.mdx Normal file
View file

@ -0,0 +1,19 @@
Change | Found | Fixed | Recs | Edition | Issue
--------------- | ------ |------- | ------- | ---------- | -----
Support change | 1.19.0 | N/A | N/A | All | 1.16.x moves to [long term support](/vault/docs/enterprise/lts) and 1.19 becomes the current LTS version
Breaking change | 1.19.0 | N/A | **Yes** | All | [Security improvement for LDAP user DN search with upndomain](/vault/docs/v1.19.x/updates/important-changes#ldap)
New behavior | 1.19.0 | N/A | No | Enterprise | [Anonymized cluster data returned with license utilization](/vault/docs/v1.19.x/updates/important-changes#anon-data)
New behavior | 1.19.0 | N/A | **Yes** | All | [Identity system duplicate cleanup](/vault/docs/v1.19.x/updates/important-changes#dedupe)
New behavior | 1.19.0 | N/A | No | All | [RADIUS authentication is no longer case sensitive](/vault/docs/v1.19.x/updates/important-changes#case-sensitive)
New behavior | 1.19.0 | N/A | No | All | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519)
New behavior | 1.19.1 | N/A | **Yes** | All | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure)
Bug | 1.19.0 | 1.19.3 | **Yes** | All | [Automated rotation stops after unseal](/vault/docs/v1.19.x/updates/important-changes#rotation-stops)
Bug | 1.19.0 | 1.19.4 | **Yes** | All | [AWS STS configuration can fail with unspecified STS endpoints](/vault/docs/v1.19.x/updates/important-changes#aws-fallback-sts)
Bug | 1.19.0 | 1.19.4 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.19.x/updates/important-changes#external-ent-plugins)
Bug | 1.19.0 | 1.19.1 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.19.x/updates/important-changes#missing-logs)
Bug | 1.19.1 | 1.19.4 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.19.x/updates/important-changes#azure-vmss)
Known issue | 1.19.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.19.x/updates/important-changes#hsm-keys)
Known issue | 1.19.0 | 1.19.3 | **Yes** | All | [Login/token renewal failures after group changes](/vault/docs/v1.19.x/updates/important-changes#group-writes)
Known issue | 1.19.0 | 1.19.3 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.19.x/updates/important-changes#db-static-role-rotations)
Known issue | 1.19.0 | 1.19.3 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.19.x/updates/important-changes#ldap-static-role-rotations)
Known issue | 1.19.0 | 1.19.3 | **Yes** | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.19.x/updates/important-changes#secret-rotate-on-restart)

4
website/content/partials/release-notes/change-summary/1_20.mdx Normal file
View file

@ -0,0 +1,4 @@
Change | Found | Fixed | Recs | Edition | Issue
--------------- | ------ |------- | ------- | ---------- | -----
Breaking change | 1.20.0 | N/A | **Yes** | All | [`disable_mlock` required for integrated storage](/vault/docs/v1.20.x/updates/important-changes#disable_mlock-config)
Known issue | 1.20.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.20.x/updates/important-changes#hsm-keys)

4
website/content/partials/release-notes/section-notes/3rd-party.mdx Normal file
View file

@ -0,0 +1,4 @@
Integrate Vault with the other elements of your development environment.
Generate and revoke on-demand credentials for database systems and cloud
providers like AWS, and control access to external information like encryption
keys and cloud credentials.

2
website/content/partials/release-notes/section-notes/certs.mdx Normal file
View file

@ -0,0 +1,2 @@
Configure Vault to work with certificate authorities like KMIP and PKI to manage
certificate life cycles and authenticate clients.

2
website/content/partials/release-notes/section-notes/compliance.mdx Normal file
View file

@ -0,0 +1,2 @@
Configure Vault as part of an HSM solution, FIPS compliant architecture, or
PKCS11 authN workflow.

3
website/content/partials/release-notes/section-notes/identity.mdx Normal file
View file

@ -0,0 +1,3 @@
Manage identities and control client access to sensitive information with
managed entities, identity tokens, OIDC workflows, and workload identity
federation (WIF).

0
website/content/partials/release-notes/section-notes/ops.mdx Normal file
View file

2
website/content/partials/release-notes/section-notes/sensitive-data.mdx Normal file
View file

@ -0,0 +1,2 @@
Define custom parameters to encrypt or tokenize sensitive data in transit and at
rest without storing the data in Vault.

3
website/content/partials/release-notes/section-notes/static-secrets.mdx Normal file
View file

@ -0,0 +1,3 @@
Store and rotate arbitrary secrets in Vault with the Key/Value and Cubbyhole
plugins. Vault encrypts data before writing out to persistent storage so
accessing the raw storage is insufficient to access the information.

4
website/data/docs-nav-data.json
View file

@ -967,6 +967,10 @@
"title": "Deprecation notices",
"path": "updates/deprecation"
},
{
"title": "Change tracker",
"path": "updates/change-tracker"
},
{
"title": "Full changelog",
"href": "https://raw.githubusercontent.com/hashicorp/vault/refs/heads/main/CHANGELOG.md"