Vault
Vault 1.19.0 release notes
GA date: 2025-03-05
Release notes provide an at-a-glance summary of key updates to new versions of Vault. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Vault code on GitHub.
We encourage you to upgrade to the latest release of Vault to take advantage of continuing improvements, critical fixes, and new features.
Important changes
| Change | Description |
|---|---|
| Support change (1.16.x) | 1.16.x moves to long term support and 1.19 becomes the current LTS version. |
| New behavior (1.19.0) | Changed behavior for Ed25519 signatures in Transit plugin |
| New behavior (1.19.0) | Duplicate identity cleanup and forced deduplication |
| Breaking change (1.19) | LDAP security improvement impacting user DN search with upndomain |
| New behavior (1.19.0) | Anonymized cluster data returned with license utilization |
| Known issue (1.19.x, 1.18.x, 1.17.x, 1.16.x) | Duplicate HSM keys creation when migrating to HSM from Shamir |
| New behavior (1.19.0) | Uppercase values are no longer forced to lower case |
Feature deprecations and EOL
| Deprecated in 1.19.x | Retired in 1.19.x |
|---|---|
| None | Active Directory plugin |
Please refer to the Deprecation Plans and Notice page for up-to-date information on feature deprecations and plans or the Feature Deprecation FAQ for general questions about our deprecation process.
Vault companion updates
Companion updates are Vault updates that live outside the main Vault binary.
None.
Community updates
Follow the learn more links for more information, or browse the list of Vault tutorials updated to highlight changes for the most recent GA release.
| Release | Update | Description |
|---|---|---|
| Faster availability after restart | GA | Identity loading on restart is up to 40% faster and Vault logs include new diagnostic information to troubleshoot cluster slowness with the `post_unseal_trace_directory` configuration setting. Learn more: `post_unseal_trace_directory` parameter details |
| Raft integrated storage | ENHANCED | Corrects a previous issue with Raft nodes generating stale data by preventing stale nodes from servicing requests to the cluster. |
Enterprise updates
| Release | Update | Description |
|---|---|---|
| Identity | ENHANCED | Opt-in resolution of accidental duplicates in the identity system with a gated feature to force deduplication. Learn more: Find and resolve duplicate Vault identities |
| Autopilot | ENHANCED | Improved upgrade stability with better cluster leadership reconciliation. Learn more: Autopilot overview |
| Database support | ENHANCED | Onboard static database accounts without immediate rotation, precise timing, or coordinating with maintenance windows. Learn more: Onboarding static DB users |
| Events | ENHANCED | Vault now sends event notifications to subscribers on all Vault nodes within a cluster. |
| ENHANCED | Notification subscriptions for secret deletion no longer requires a root token. | |
| Plugin support | ENHANCED | Run Vault Enterprise plugins external to Vault. Running plugins externally is useful in deployments when the plugin requires different environment variable values than the Vault binary. |
| Automated root credential rotation | GA | Use a rotation manager to regularly rotate credentials for AWS (secrets, authN), Azure (secrets, authN), GCP (secrets, authN), LDAP (secrets, authN), and DB plugins without manual intervention. |
| AWS plugin | ENHANCED | Vault now supports AWS static role credentials for multiple AWS accounts with a single mount path to better manage AWS credentials at scale. Learn more: STS AssumeRole |
| GUI support for WIF plugin configuration | GA | Use the Vault GUI to enable and configure WIF with AWS, Azure, and GCP |
| PKI: Constrained CA support | GA | Use the PKI plugin to instantiate intermediate CAs with customer defined constraints (permitted URI , IPs, excluded DNS, etc.) and delegate PKI administration. Learn more: PKI plugin API |