The Vault team is happy to announce the release of Vault 1.7!
Open-source binaries can be downloaded at . Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please disclose it responsibly by emailing email@example.com and do not use the public issue tracker. Our security policy and our PGP key can be found at .
The key features and improvements in this release are:
- Integrated Storage Autopilot: Vault 1.7 adds dead server cleanup, server stabilization for new nodes joining a cluster, and a health check API to our integrated storage backend.
- Lease Expiration Improvements: We have improved our handling of lease expirations to prevent them from blocking Vault startup.
- Client Controlled Consistency (Enterprise): With Vault 1.7, it will be possible for Vault clients to control Vault consistency via request headers.
- Automatic Barrier Key Rotation: In Vault 1.7 the barrier key will be rotated automatically to reduce the risk of nonce reuse cryptanalysis.
- Tokenization (Enterprise; GA): Tokenization supports creating irreversible “tokens” from sensitive data. Tokens can be used in less secure environments, protecting the original data. Tokenization was released as a preview in Vault 1.6, and is now Generally Available.
- Database Secrets Engine (UI): Vault’s UI now allows you to configure database secrets engines and dynamic database credential generation for MongoDB.
- Terraform Cloud/Enterprise Secrets Engine: Vault can now dynamically generate API tokens for Terraform Cloud and Terraform Enterprise.
- Snowflake Secrets Engine: Vault can now manage static and dynamic credentials for Snowflake.
- Key Management Secrets Engine (Enterprise; GA): Key Management Secrets Engine, released for preview in Vault 1.6, is now Generally Available with support for Azure Key Vault. Additionally, support for AWS KMS has been added (beta).
- OpenLDAP Secrets Engine: OpenLDAP Secrets can now manage dynamic LDAP credentials.
- Vault Agent: Vault Agent can now support a persistent cache in Kubernetes environments, streamlining the handoff of leases and tokens between an init and sidecar container.
- AWS Secrets: IAM tags can now be added to dynamic user credentials.
See the Changelog at  for the full list of improvements and bug fixes.
OSS  and Enterprise  Docker images will be available soon.
See  for general upgrade instructions.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at .
We hope you enjoy Vault 1.7!
Sincerely, The Vault Team
 Security at HashiCorp
 vault/CHANGELOG.md at master · hashicorp/vault · GitHub
 Upgrading Vault - Guides | Vault by HashiCorp
 Docker Hub
 Docker Hub
 Password Policies | Vault by HashiCorp