Vault 1.17.0-rc1, 1.16.3, 1.15.9, and 1.14.13 released!

Hi all,

The Vault team is announcing the release candidate for 1.17, the release of Vault Community Edition 1.16.3, and Vault Enterprise 1.16.3, 1.15.9, and 1.14.13. Release candidates must not be used in production, but your feedback is critical for a smooth final release.

The 1.17 Community Edition release candidate and 1.16.3 Community Edition binary can be downloaded at [1], [10]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The major features and improvements in these releases are:

  • Seal HA (Enterprise): To ensure high availability of Vault, admin users can configure multiple KMS with independent seal keys for auto-unseal and seal wrapping, so that Vault keeps operating even when a given seal backend is unavailable.
  • PKI-Enrollment over Secure Transport (EST) (Enterprise): With native support for the EST protocol, customers can easily automate certificate enrollment of devices (e.g., network, IoT…) and services at scale.
  • PKI-Certificate Metadata (Enterprise): Business context information (metadata) can be supplied with a certificate signing request, and once the certificate is issued, the associated metadata can be retrieved.
  • Cipher-based Message Authentication Code (CMAC) (Enterprise): Transit engine supports the CMAC authenticated message digest algorithm based on AES (Advanced Encryption Standard). AES-CMAC is commonly used for message integrity and authenticity in protocols (TLS, IPSec…).
  • Separation of ACME clients (Enterprise): Client counting now distinguishes ACME clients from non-entity clients.
  • Replication lag detection (Enterprise): Allows users to know when a downstream Vault node or cluster is lagging significantly behind its primary/leader.
  • Safer method to increase namespace and mount limits (Enterprise): Adds a field to increase storage entry size only for namespaces and mounts without risking other entries degrading in performance.
  • Adaptive Overload Protection (Enterprise Beta): Automatically prevents overloads caused by too many write requests. This feature, disabled by default, replaces the now deprecated beta Request Limiter in the 1.16 release with a more targeted approach to overload handling.
  • Workload Identity Federation (Enterprise): Added Workload Identity Federation to the GCP Secrets Engine, GCP Auth Method, Azure Secrets Engine, Azure Auth Method, and AWS Auth Method.
  • Auto Auth Improvements: Vault Agent and Vault Proxy configured with Auto Auth will attempt to re-authenticate to the Vault Cluster if the Auto Auth token is revoked, exceeds its maximum number of retries, or is invalid.

See the Changelog at [3] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.

Community [6] and Enterprise [7] Docker images will be available soon.


See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].

We hope you enjoy Vault 1.17.0-rc1, 1.16.3, 1.15.9, and 1.14.13!

Sincerely, The Vault Team

[1] Vault v1.17.0-rc1 Binaries | HashiCorp Releases

[2] Security at HashiCorp

[3] vault/ at main · hashicorp/vault · GitHub

[4] Upgrading Vault - Guides | Vault | HashiCorp Developer

[5] Release Notes | Vault | HashiCorp Developer



[8] Deprecation notices | Vault | HashiCorp Developer

[9] Vault - HashiCorp Discuss

[10] Vault v1.16.3 Binaries | HashiCorp Releases