Vault 1.16.1 released!

Hi all,

The Vault team is announcing the release of Vault 1.16.1!

The Community Edition binary can be downloaded at [1]. Enterprise binaries are available to customers as well.

Please note that Vault 1.16.1 is the first Enterprise release of the Vault 1.16 series. Vault 1.16.0 Enterprise binaries were deprecated due to a regression, which has now been fixed in the 1.16.1 release.

Per our announcements, the Vault Enterprise 1.16 release series is the first long-term support release of Vault Enterprise.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The major features and improvements in this release are:

  • Default Lease Count Quota (Enterprise) applies a new global default lease count quota of 300k leases for all new installations of Vault (upgraded clusters not included).
  • Request limiter option to enable adaptive concurrency limits (Enterprise Beta) for resource-constrained HTTP request paths, preventing excessive load on the Vault server. This is an opt-in feature.
  • Seal HA (Enterprise Beta): To ensure high availability of Vault, admin users can configure multiple KMS providers for securing independent seals for auto-unseal and seal wrapping in the event that the current seal provider (KMS) is non-operational. Note: This feature is in Beta and not intended for production use.
  • PKI Enrollment over Secure Transport (EST) (Enterprise Beta): with native support for EST protocol, customers can easily automate certificate enrollment of EST compatible devices at scale. Note: This feature is in Beta and not intended for production use.
  • Vault Secrets Sync (Enterprise GA) syncs secrets from the source in Vault to native secrets managers in AWS, Azure, GCP, GitHub, and Vercel.
  • Increased batch size for WAL writes (Enterprise) improves write throughput for customers using Integrated Storage.
  • Manual snapshot reporting (Enterprise) allows users to create manual exports of product-license metering data to report to HashiCorp.
  • Containerized Vault Plugins (on Linux only) enable plugins to run in protected runtime environments such as gVisor.
  • Plugin environment variables now override environment variables for the Vault server, allowing per-plugin settings for HTTP_PROXY, among others.
  • Plugin Workload Identity (Enterprise): Vault can generate identity tokens for plugins to use in workload identity federation authentication flows. This allows the AWS secret engine to be configured without sensitive security credentials.
  • Event Notifications (Enterprise) alert subscribers of supported Vault events, enabling immediate follow-up actions.
  • Customizable UI Banners (Enterprise) deliver time-sensitive messages from Vault administrators to users logging in to the Vault UI.
  • Vault Proxy Static Secret Caching (Enterprise) now supports caching static (KVv1 and KVv2) secrets; multiple requests to Vault Proxy by the same user for the same secret will only require a single request to the Vault server.
  • Vault Audit Log Filtering (Enterprise) allows users to configure filters that determine which audit entries are sent to which audit devices.
  • Controlled Access to Unauthenticated Endpoints gives admins more control over how unauthenticated endpoints in Vault can be accessed and in some cases what information they return.
  • Experimental raft-wal option for backing log store removes the risk of infinite snapshot loops for follower nodes in large-scale Integrated Storage deployments.

See the Changelog at [3] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.

Community [6] and Enterprise [7] Docker images will be available soon.


Upgrading

See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].

We hope you enjoy Vault 1.16.1!

Sincerely, The Vault Team

[1] Vault v1.16.1 Binaries | HashiCorp Releases
[2] Security at HashiCorp
[3] vault/CHANGELOG.md at main · hashicorp/vault · GitHub
[4] Upgrading Vault - Guides | Vault | HashiCorp Developer
[5] https://developer.hashicorp.com/vault/docs/v1.16.x/release-notes
[6] https://hub.docker.com/r/hashicorp/vault
[7] https://hub.docker.com/r/hashicorp/vault-enterprise
[8] Feature Deprecation Notice | Vault | HashiCorp Developer
[9] Vault - HashiCorp Discuss