Boundary 0.12.0 Released!

We’re excited to announce the release of Boundary 0.12! For more information, check out our blog post. You can now download the Boundary 0.12 binary and the latest Docker image from our Docker Hub repository.

If you believe you have found a security issue in Boundary, please responsibly disclose by emailing Our security policy and our PGP key can be found here.


Multi-hop sessions [HCP-only]

Boundary can now establish sessions to targets through multiple “hops” of workers secured through reverse proxy. This eliminates the need to expose workers on private networks, enclaves, and disconnected networks directly to clients.

Credential injection using Vault SSH signed certificates [HCP-only]

Boundary can now inject SSH certificates signed by Vault, providing a more secure method to protect SSH targets.

Addresses on targets

Administrators can now optionally assign a network address directly on a target, eliminating the requirement of attaching a host.

Credential templating

Vault credentials can now be mapped directly to a user within a target, instead of needing separate targets per user credential.

Key lifecycle management [OSS-only]

You can now manage the life cycles of both key encryption keys (KEKs) and data encryption keys (DEKs) using the new key rotation and key version destruction functionality.

JSON credentials

Administrators can now create and broker JSON blobs to authorized users connecting to machines. This allows for more flexibility in the credentials that can be brokered.

Authentication UX improvements

Users no longer need to provide an auth method ID on the command line during authentication. If none is provided, the “primary” auth method ID will be used.

For more information about the new features and improvements introduced in Boundary 0.12, please see the release notes and 0.12 CVE fix.


The Boundary Team