Vault 1.17.0, 1.16.4, and 1.15.10 released!

Hi all,

The Vault team is announcing the GA release of 1.17, as well as the release of Vault Enterprise 1.16.4 and 1.15.10.

The 1.17 Community Edition release can be downloaded at [1]. Enterprise binaries are also available on our release portal [2]. Community [7] and Enterprise [8] Docker images are also available.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing and do not use the public issue tracker. Our security policy and our PGP key can be found at [3].

The major features and improvements in these releases are:

  • Seal HA (Enterprise): To ensure high availability of Vault, admin users can configure multiple KMS providers with independent seal keys for auto-unseal and seal wrapping, so that Vault keeps operating even when a given seal backend is unavailable.
  • PKI-Enrollment over Secure Transport (EST) (Enterprise): With native support for the EST protocol, customers can easily automate certificate enrollment of devices (e.g. network, IoT…) and services at scale.
  • PKI-Certificate Metadata (Enterprise): Business context information (metadata) can be supplied with a certificate signing request, and upon issuance of the certificate the associated metadata can be retrieved.
  • Cipher-based Message Authentication Code (CMAC) (Enterprise): The Transit engine supports the CMAC authenticated message digest algorithm based on AES (Advanced Encryption Standard). AES-CMAC is commonly used for message integrity and authenticity in protocols (TLS, IPsec…).
  • Separation of ACME clients (Enterprise): Client counting now distinguishes ACME clients from non-entity clients.
  • Replication lag detection (Enterprise): Allows users to know when a downstream Vault node or cluster is lagging significantly behind its primary/leader.
  • Safer method to increase namespace and mount limits (Enterprise): Adds a field to increase storage entry size only for namespaces and mounts without risking other entries degrading in performance.
  • Adaptive Overload Protection (Enterprise Beta): Automatically prevents overloads caused by too many write requests. This feature, disabled by default, replaces the now deprecated beta Request Limiter in the 1.16 release with a more targeted approach to overload handling.
  • Workload Identity Federation (Enterprise): Added Workload Identity Federation to the GCP Secrets Engine, GCP Auth Method, Azure Secrets Engine, Azure Auth Method, and AWS Auth Method.
  • Auto Auth Improvements: Vault Agent and Vault Proxy configured with Auto Auth will attempt to re-authenticate to the Vault Cluster if the Auto Auth token is revoked, exceeds its maximum number of retries, or is invalid.

This release also fixes a bug where not setting autopilot_upgrade_version in Vault config would result in the inability to complete an autopilot automated upgrade.

See the Changelog at [4] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [9] for our upcoming feature deprecation plans.

See [5] for general upgrade instructions and [6] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [10].

We hope you enjoy Vault 1.17.0!

Sincerely, The Vault Team

[1] Vault v1.17.0 Binaries | HashiCorp Releases
[4] vault/ at main · hashicorp/vault · GitHub
[6] Release Notes | Vault | HashiCorp Developer
[10] Vault - HashiCorp Discuss