[ANN] Vault 1.7.0 Released

Hi folks,

The Vault team is happy to announce the release of Vault 1.7!

Open-source binaries can be downloaded at [1]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The key features and improvements in this release are:

  • Integrated Storage Autopilot: Vault 1.7 adds dead server cleanup, server stabilization for new nodes joining a cluster, and a health check API to our integrated storage backend.
  • Lease Expiration Improvements: We have improved our handling of lease expirations to prevent them from blocking Vault startup.
  • Client Controlled Consistency (Enterprise): With Vault 1.7, it will be possible for Vault clients to control Vault consistency via request headers.
  • Automatic Barrier Key Rotation: In Vault 1.7 the barrier key will be rotated automatically to reduce the risk of nonce reuse cryptanalysis.
  • Tokenization (Enterprise; GA): Tokenization supports creating irreversible “tokens” from sensitive data. Tokens can be used in less secure environments, protecting the original data. Tokenization was released as a preview in Vault 1.6, and is now Generally Available.
  • Database Secrets Engine (UI): Vault’s UI now allows you to configure database secrets engines and dynamic database credential generation for MongoDB.
  • Terraform Cloud/Enterprise Secrets Engine: Vault can now dynamically generate API tokens for Terraform Cloud and Terraform Enterprise.
  • Snowflake Secrets Engine: Vault can now manage static and dynamic credentials for Snowflake.
  • Key Management Secrets Engine (Enterprise; GA): Key Management Secrets Engine, released for preview in Vault 1.6, is now Generally Available with support for Azure Key Vault. Additionally, support for AWS KMS has been added (beta).
  • OpenLDAP Secrets Engine: OpenLDAP Secrets can now manage dynamic LDAP credentials.
  • Vault Agent: Vault Agent can now support a persistent cache in Kubernetes environments, streamlining the handoff of leases and tokens between an init and sidecar container.
  • AWS Secrets: IAM tags can now be added to dynamic user credentials.

See the Changelog at [3] for the full list of improvements and bug fixes.

OSS [5] and Enterprise [6] Docker images will be available soon.


See [4] for general upgrade instructions.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [7].

We hope you enjoy Vault 1.7!

Sincerely, The Vault Team

[1] https://releases.hashicorp.com/vault/1.7.0
[2] Security at HashiCorp
[3] vault/CHANGELOG.md at master · hashicorp/vault · GitHub
[4] Upgrading Vault - Guides | Vault by HashiCorp
[5] Docker Hub
[6] Docker Hub
[7] https://discuss.hashicorp.com/c/vault
[8] Password Policies | Vault by HashiCorp