Vault 1.20.0, 1.19.6, 1.18.11, 1.17.18, and 1.16.22 released!

Hi all,

The Vault team is announcing the release of Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.18, and 1.16.22. Vault 1.20.0 will be available first, followed by the other releases shortly.

The 1.20 Community Edition and Enterprise release candidates are available on our releases portal [1,10].

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

Major upgrade considerations for Vault 1.20 are:

  • Reliability Improvements for Memory Management: Users of Vault Integrated Storage must configure the disable_mlock option before upgrading. Previously, the default was false. This value must now be explicitly configured or the Vault server will fail to start.

The major features and improvements in Vault 1.20 are:

  • Development Cluster Configuration (Enterprise): Added development_cluster as a field to Vault’s utilization reports, to assist with accurate license metering.
  • Event notifications data consistency (Enterprise): Event notifications include metadata to prevent stale data reads from secondary nodes during periods of high Vault load.
  • Identity-based and collective rate limit quotas (Enterprise): Extends the rate limit quotas feature with a new group_by field. Instead of relying on IPs, customers can now group_by entity ID or set collective limits on traffic going to a namespace, path, mount, or global.
  • PKI Support for SCEP (Enterprise): Vault PKI enables customers to automate certificate enrollment of network and end-user corporate devices that are compatible with SCEP (Simple Certificate Enrollment Protocol).
  • Plugin Downloads: Support automatically downloading official HashiCorp secret and auth plugins from releases.hashicorp.com (beta)
  • Secret Recovery (Enterprise): Adds the capability to load a snapshot and recover an individual secret from the snapshot, avoiding the need to restore the cluster from backup for a single value. In 1.20, this is only supported for KV_V1 and cubbyhole. If you have feedback on additional secrets engines to prioritize for 1.21, please reach out to your primary contact within HashiCorp or file a GitHub issue.
  • Secrets Import (Beta): Enables customers to import KV-compatible secrets from multiple cloud service providers (AWS, GCP, Azure) to a Vault cluster.
  • Snowflake Auth Support for Keypair: Enhanced authentication security via key pair authentication available now in Snowflake Database secrets engine.
  • SSH Managed Keys (Enterprise): Enables customers to configure SSH secrets engine to delegate signing via HSMs, to address high assurance needs.
  • Usage Dashboard (Enterprise): Adds the ability for users to have a cluster-by-cluster view of Vault usage: which secrets engines are being used, how users are authenticating, the status of your clusters (including DR and PR), and global lease count quota consumption. Please reach out to your primary contact within HashiCorp for more information about future reporting enhancements, and keep an eye on our release notes.

See the Changelog at [3] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [8] for our upcoming feature deprecation plans.

Community [6] and Enterprise [7] Docker images will be available soon.


Upgrading

See [4] for general upgrade instructions and [5] for upgrade instructions and known issues.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [9].

We hope you enjoy Vault 1.20!

Sincerely, The Vault Team

[1] Vault v1.20.0 Binaries | HashiCorp Releases
[2] Security at HashiCorp
[3] vault/CHANGELOG.md at main · hashicorp/vault · GitHub
[4] Upgrade Vault | Vault | HashiCorp Developer
[5] Vault release notes | Vault | HashiCorp Developer
[6] https://hub.docker.com/r/hashicorp/vault
[7] https://hub.docker.com/r/hashicorp/vault-enterprise
[8] Deprecation notices | Vault | HashiCorp Developer
[9] Vault - HashiCorp Discuss
[10] Vault v1.20.0+ent Binaries | HashiCorp Releases

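A pre-upgrade check for the disable_mlock consideration above, added here as an example (it is not part of the announcement and not HashiCorp code): it reports whether an HCL server configuration uses Integrated Storage (the `storage "raft"` stanza) without setting `disable_mlock` explicitly at the top level. It assumes HCL rather than JSON configuration, no heredocs, and one file's text at a time; the sample configs and function names are constructed for illustration.

```python
import re
import sys

# Constructed sample configs for illustration (not from the announcement).
RAFT_IMPLICIT = '''
api_addr = "https://vault.example.internal:8200"  // URL contains "//"
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node1"
}
# disable_mlock = true   (commented out, so still implicit)
'''
RAFT_EXPLICIT = RAFT_IMPLICIT + 'disable_mlock = true\n'
CONSUL = 'storage "consul" {\n  address = "127.0.0.1:8500"\n}\n'

TOKEN = re.compile(r'''
    "(?:\\.|[^"\\])*"        # quoted string, matched first so // or # inside stays data
  | \#[^\n]*  | //[^\n]*     # line comments
  | /\*.*?\*/                # block comments
  | [{}=]                    # structure
  | [A-Za-z_][\w-]*          # identifiers and keywords
''', re.S | re.X)

def audit(text):
    """Return (uses_raft, mlock_explicit) for one HCL config file's text."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(('#', '//', '/*'))]
    depth, raft, explicit = 0, False, False
    for tok, nxt in zip(toks, toks[1:] + ['']):
        if tok == '{':
            depth += 1
        elif tok == '}':
            depth -= 1
        elif depth == 0 and tok == 'storage' and nxt == '"raft"':
            raft = True       # Integrated Storage stanza at top level
        elif depth == 0 and tok == 'disable_mlock' and nxt == '=':
            explicit = True   # only a top-level assignment counts
    return raft, explicit

def verdict(text):
    raft, explicit = audit(text)
    if not raft:
        return 'not-integrated-storage'
    return 'ok' if explicit else 'set-disable_mlock-before-upgrade'

if __name__ == '__main__':
    for path in sys.argv[1:]:
        with open(path, encoding='utf-8') as fh:
            print(path, verdict(fh.read()))
```

When the server is started with a configuration directory, run the check on the concatenated text of its files, since `disable_mlock` may be set in a different file from the storage stanza.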