Vault 1.10.0 released!

Hi folks,

The Vault team is announcing the release of Vault 1.10.0!

Open-source binaries can be downloaded at [1]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The major features and improvements in 1.10 are:

  • Database Plugin Multiplexing: External database plugins now use a single process for multiple database connections, reducing memory consumption. The Oracle database plugin [3] is the first to leverage this capability.
  • Login MFA: 1.10 adds MFA for logins to open source Vault, replacing the deprecated [9] Legacy OSS MFA, which will be removed in Vault 1.11. Login MFA is configurable on individual namespaces. The current Step-up Enterprise MFA feature [4] remains unchanged.
  • Client Count Improvements: 1.10 adds the ability to view client counts per auth mount (UI and API) and changes to clients over months (API), providing more granular visibility into clients.
  • Mount Migration: Vault 1.10 expands remounting capabilities. It adds support for remounting auth methods to the existing remount support for secrets engines. In Enterprise, it is possible to move secret engines and auth methods mounted at a namespace path to a different namespace path.
  • Server Side Consistent Tokens: In Vault 1.10 the token format is changing. The new token format allows more control over our consistency model, letting performance standby nodes decide whether to forward requests if they are behind the active node. The token prefix has also been updated to make it easier for static-analysis code scanning tools to scan for Vault tokens.
  • Public Key Infrastructure - Managed Key integration: 1.10 adds the ability to use hardware security modules as well as cloud key management systems to create, store and utilize CA private keys. PKCS#11 HSMs (Enterprise license required), Azure Key Vault, and AWS KMS are supported.
  • Vault as an OIDC provider - General Availability: 1.10 moves Vault’s OIDC provider functionality to general availability and adds Proof Key for Code Exchange (PKCE) support.
  • Vault Agent Telemetry: Starting in 1.10, Vault Agent supports a new metrics endpoint and telemetry metrics around run time, authentication success, authentication failures, cache hits, cache misses, proxy success, and proxy client errors.
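The token-prefix change above is aimed at secret scanners. As an added example (not HashiCorp's code, and not part of this announcement), the following Python scanner finds and redacts Vault tokens in logs or source, distinguishing the 1.10 format from the legacy one. The prefixes used ("hvs."/"hvb."/"hvr." for 1.10, "s."/"b."/"r." for legacy) and the sample log lines are the author's assumptions and constructed data, not values from the page.

```python
import re

# Assumed formats (not stated on the page): legacy service/batch/recovery tokens
# began with "s."/"b."/"r." plus a 24-character alphanumeric body; 1.10 tokens
# begin with "hvs."/"hvb."/"hvr." plus a longer body. The longer, distinctive
# prefix is what makes the new format easy for scanners to match without noise.
NEW_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])hv([sbr])\.([A-Za-z0-9]{24,})")
# The legacy "s." prefix is ambiguous, so guard it with boundary checks.
LEGACY_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9.])([sbr])\.([A-Za-z0-9]{24})(?![A-Za-z0-9])"
)

# Constructed sample values; these are not real Vault tokens.
NEW_TOKEN = "hvs.CAESIJ0123456789abcdefghijklmnop"
LEGACY_TOKEN = "s.0123456789abcdefghijklmn"

# Constructed log lines, including a benign "s.1234" that must not match.
SAMPLE_LOG = "\n".join([
    f'curl -H "X-Vault-Token: {NEW_TOKEN}" https://vault.example.internal:8200/v1/sys/health',
    f"2022-03-23T10:00:00Z agent: legacy token still cached token={LEGACY_TOKEN}",
    "build: go version go1.17.8 linux/amd64; release s.1234 ok",
])


def find_vault_tokens(text):
    """Return (format, token) pairs in order of appearance; format is 'new' or 'legacy'."""
    hits = [(m.start(), "new", m.group(0)) for m in NEW_TOKEN_RE.finditer(text)]
    hits += [(m.start(), "legacy", m.group(0)) for m in LEGACY_TOKEN_RE.finditer(text)]
    return [(fmt, tok) for _, fmt, tok in sorted(hits)]


def redact(text):
    """Mask token bodies but keep the prefix so a reviewer can still tell the format."""
    text = NEW_TOKEN_RE.sub(lambda m: f"hv{m.group(1)}.[REDACTED]", text)
    return LEGACY_TOKEN_RE.sub(lambda m: f"{m.group(1)}.[REDACTED]", text)


if __name__ == "__main__":
    for fmt, tok in find_vault_tokens(SAMPLE_LOG):
        print(f"{fmt:6} {tok[:8]}...")
    print(redact(SAMPLE_LOG))
```

Run it over a real log export to see which hosts or pipelines are still leaking legacy-format tokens after the upgrade.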

See the Changelog at [5] for the full list of improvements and bug fixes and the release documentation pages at [12].

See the Feature Deprecation Notice and Plans page [9] for our upcoming feature deprecation plans.

OSS [7] and Enterprise [8] Docker images will be available soon.


Upgrading

See [6] for general upgrade instructions, and [11] for upgrade notes on 1.10 specifically.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [10].

We hope you enjoy Vault 1.10.0!

Sincerely, The Vault Team

[1] Vault v1.10.0 Binaries | HashiCorp Releases
[2] Security at HashiCorp
[3] Oracle - Database - Secrets Engines | Vault by HashiCorp
[4] MFA Support - Vault Enterprise | Vault by HashiCorp
[5] vault/CHANGELOG.md at main · hashicorp/vault · GitHub
[6] Upgrading Vault - Guides | Vault by HashiCorp
[7] Docker Hub
[8] Docker Hub
[9] Feature Deprecation Notice | Vault by HashiCorp
[10] Vault - HashiCorp Discuss
[11] Upgrading to Vault 1.10.x - Guides | Vault by HashiCorp
[12] Release Notes | Vault by HashiCorp
