Vault Enterprise 2.0 is now generally available, delivering new capabilities to help organizations secure, scale, and simplify secrets management across modern infrastructure. This release strengthens identity-based access, improves credential lifecycle automation, and enables high-performance encryption for emerging workloads, while continuing to enhance usability and integrations across the ecosystem.
Key features in Vault Enterprise 2.0 include:
Secret distribution with workload identity federation to eliminate reliance on long-lived static credentials and improve security across hybrid and multi-cloud environments
Expanded credential rotation capabilities for Linux to reduce operational risk and enforce short-lived access
Envelope encryption for streaming and large-scale workloads to enable high-performance data protection without sacrificing centralized control
Enhanced integrations with Terraform, Kubernetes, and public certificate authorities to streamline infrastructure and application workflows
Improved user experience with a redesigned UI and guided onboarding to accelerate time to value and simplify Vault adoption
»Adoption of a new versioning pattern and support model
HashiCorp Vault is transitioning to a new release and support model aligned with IBM versioning and lifecycle practices, which is why the product moves directly from version 1.21 to 2.0.0. The major-version jump does not signal the kind of architectural break such a change would normally imply; it marks the move away from HashiCorp’s previous long-term support approach and toward the IBM Support Cycle-2 policy, which is designed to give clearer lifecycle expectations. Under this model, each major (“V”) milestone release receives at least two years of standard support, with extended support options available to ensure continuity for mission-critical workloads. Extended support covers an initial third year with critical bug fixes, usage support, and select security updates, followed by ongoing support in years four through six for usage guidance and known-issue assistance. Note that, as described, only standard support and that third year include fixes; the ongoing tier provides guidance and known-issue assistance, so upgrade planning should be built around those windows. The result is a more predictable and durable support framework that aligns Vault with the broader IBM product lifecycle strategy. For more detail on IBM versioning and support patterns, see: IBM Software product versioning explained and IBM Software Support Lifecycle Policies.
»Vault Enterprise leads in securing human and non-human identities
Identity management with Vault continues to evolve with new capabilities that support centralized policy management, reduce risks from long-lived secrets with improved rotation, and enforce traceability for increased auditability and transparency.
»Smarter rotation and simplified role management
Local account password rotation for RHEL, Ubuntu and other Linux distributions is now generally available. With it, engineers and platform teams can define rotation schedules, lease durations and other constraints at the policy level, so that a leaked or stolen local password is short-lived and its blast radius is bounded by policy rather than by whoever last set it.
Systems administrators now have central control of user account credentials on local Linux systems. Previously this was a control gap: the local root account frequently shared one password across many systems, so a single compromised host exposed every host that shared it. With password management in Vault, access to these systems can be controlled and audited, and each system gets its own unique, time-bound password, so a compromise stays contained to that host.
Administrators responsible for thousands of machines across several data centers can also rely on automation to update local account passwords, rather than logging in to each system by hand. Automating this critical task improves overall posture by removing manual error and adds auditability for compliance reporting, which matters more as the number of managed machines keeps growing.
Onboarding existing accounts into Vault no longer requires a maintenance window. Each account can rotate its own credentials, and Vault operators have fine-grained control over automatic rotation of LDAP account passwords. This reduces the burden of managing privileged accounts and shrinks the blast radius of credential exposure for static roles.
»Secure streaming workloads on the edge with in-place encryption
Vault Enterprise 2.0 also adds support for encrypting large artifacts and streaming workloads through envelope encryption with the Transit secrets engine. Rather than sending full payloads to Vault, applications encrypt data locally under ephemeral keys and use a Transit key only to wrap and unwrap that key material, so Vault continues to govern the keys through centralized policy and access controls while the payload itself never crosses the wire to Vault. This keeps Vault as the root of trust while removing the per-payload round trip that limited throughput for high-volume and large-object encryption.
These capabilities are already being applied in real-world scenarios, such as with ariso.ai, where Vault serves as the centralized key management layer while encryption occurs at the edge across distributed AI pipelines. This allows organizations to scale encryption alongside data-intensive workloads without introducing bottlenecks, while still enforcing strong governance and security policies. As part of this release, envelope encryption positions Vault to better support modern AI and streaming architectures by combining centralized control with distributed execution.
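The pattern described above, as an added example in Go (not code from the original post nor from Vault): a client generates a data encryption key (DEK) locally, encrypts a large payload in authenticated chunks, and sends only the DEK to be wrapped under a Transit key (the KEK). The `vaultWrap`/`vaultUnwrap` functions and the `NewAEAD`-built KEK are stand-ins for the Transit round trip so the code runs offline; they are not Vault's implementation, and the on-disk layout (`Envelope`, the chunk AAD, `ChunkSize`) is this example's own choice, one layout of the envelope pattern rather than Vault's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// NewAEAD builds AES-256-GCM; it is used for the stand-in Transit key (the KEK) and for each data key (DEK).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext under a fresh random 96-bit nonce (crypto/rand never fails
// since Go 1.24), so one DEK must stay well below 2^32 chunks.
func seal(aead cipher.AEAD, pt, aad []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, pt, aad)
}

func open(aead cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(ct) >= n {
		return aead.Open(nil, ct[:n], ct[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// vaultWrap and vaultUnwrap stand in for the Transit round trip: the only secret that crosses to
// Vault is the 32-byte DEK. They are not Vault's code, they just model the same contract locally.
func vaultWrap(kek cipher.AEAD, dek []byte) []byte              { return seal(kek, dek, []byte("dek")) }
func vaultUnwrap(kek cipher.AEAD, wrapped []byte) ([]byte, error) { return open(kek, wrapped, []byte("dek")) }

const ChunkSize = 1024 // tiny so a short input spans several chunks; real clients use far larger chunks

// Envelope is what is stored next to the data; the DEK exists only in wrapped form.
type Envelope struct {
	WrappedDEK []byte
	Chunks     [][]byte // one nonce || AES-GCM ciphertext per chunk
}

// chunkAAD binds a chunk to its index and flags the final one, so reordering, dropping or
// truncating chunks fails authentication instead of yielding a shorter "valid" file.
func chunkAAD(i int, last bool) []byte {
	aad := make([]byte, 9)
	binary.BigEndian.PutUint64(aad, uint64(i))
	if last {
		aad[8] = 1
	}
	return aad
}

// EncryptStream makes a fresh DEK locally, has Vault wrap it, and seals the plaintext chunk by
// chunk; the payload itself is never sent to Vault.
func EncryptStream(kek cipher.AEAD, plaintext []byte) *Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	aead, _ := NewAEAD(dek) // a 32-byte key cannot fail
	env := &Envelope{WrappedDEK: vaultWrap(kek, dek)}
	for i, start := 0, 0; ; i, start = i+1, start+ChunkSize {
		end := start + ChunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		last := end == len(plaintext)
		env.Chunks = append(env.Chunks, seal(aead, plaintext[start:end], chunkAAD(i, last)))
		if last {
			return env
		}
	}
}

// DecryptStream unwraps the DEK once (the single Vault round trip), then verifies and decrypts
// every chunk locally, rejecting a stream that was reordered, modified or cut short.
func DecryptStream(kek cipher.AEAD, env *Envelope) ([]byte, error) {
	dek, err := vaultUnwrap(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, err := NewAEAD(dek)
	if err != nil {
		return nil, err
	}
	var out []byte
	for i, ct := range env.Chunks {
		pt, err := open(aead, ct, chunkAAD(i, i == len(env.Chunks)-1))
		if err != nil {
			return nil, errors.New("chunk authentication failed")
		}
		out = append(out, pt...)
	}
	return out, nil
}
```

Against a real cluster the stand-in maps onto the Transit endpoints that already exist: `transit/datakey/plaintext/<key>` returns a fresh data key together with its wrapped form, and `transit/decrypt/<key>` unwraps it later; the payload never travels over that connection. The per-chunk AAD is what turns "encrypt locally" into something safe for streams: a chunk cannot be moved to another position, replayed, or silently dropped from the end, because the index and the final-chunk flag are authenticated along with the data.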
»Scale secret distribution with identity-first access and secret sync
Organizations managing secrets across hybrid and multi-cloud environments often rely on long-lived static credentials, such as IAM access keys, service principals, or service account keys, to enable integrations like secret synchronization. While functional, this model creates significant security and operational challenges: increased blast radius if credentials are leaked, manual rotation overhead, risk of silent failures due to expiration, and widespread credential sprawl across systems and teams. These issues are increasingly at odds with modern security mandates that prioritize short-lived, identity-based access and zero trust principles.
Vault Enterprise 2.0 addresses these challenges by introducing workload identity federation to secret sync, replacing static credentials with short-lived, dynamically exchanged tokens based on trusted identity. This approach eliminates the need to store or rotate credentials, reduces risk exposure, and aligns secret distribution with cloud-native authentication models across AWS, Azure, and GCP. The result is stronger security, improved reliability, and simplified operations, enabling organizations to securely scale secret management, support non-human and agentic workloads, and maintain compliance without adding operational burden.
»Secure workload identity with the SPIFFE secrets engine
A new SPIFFE secrets engine is generally available in Vault Enterprise 2.0. Organizations whose workloads rely on SPIFFE can now obtain identity documents issued directly by Vault: after a workload authenticates to Vault, it can request a JWT-SVID. Because these JWT-SVIDs are short-lived and automatically rotated, a leaked token has only a narrow window of use, and the failure mode of a missed manual rotation goes away.
Fine-grained workload access control built on these identities strengthens how organizations secure ephemeral workloads. The SPIFFE secrets engine simplifies operations across heterogeneous environments and reinforces identity guarantees for non-human workloads: short-lived, verifiable identities are what make zero-trust principles practical at scale, especially in cloud-native environments, and lightweight, portable workload identities integrate more smoothly with these systems.
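To make the trust relationship concrete, an added example in Go (not the SPIFFE secrets engine's code, whose API the post does not show): `MintJWTSVID` stands in for the issuer and `VerifyJWTSVID` is the check a relying party performs before trusting a token. The trust domain `example.org`, the SPIFFE IDs, the key ID `k1` and the EdDSA key are all constructed for the example. The rules the verifier enforces (no algorithm chosen by the token, key lookup by `kid`, signature before any claim is read, a SPIFFE-ID subject inside the expected trust domain, an audience match, and a mandatory `exp`) follow the SPIFFE JWT-SVID profile, which forbids `alg: none` and lists a fixed set of permitted algorithms; this example pins a single one.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the JWT-SVID body: the SPIFFE profile requires sub (a SPIFFE ID), aud and exp.
// aud is encoded as an array here; RFC 7519 also allows a bare string, which a production
// verifier must accept as well.
type Claims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
	Iat int64    `json:"iat,omitempty"`
}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

var b64 = base64.RawURLEncoding

func decodePart(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// MintJWTSVID stands in for the issuer (in Vault 2.0 that would be the SPIFFE secrets engine);
// it is not Vault's code. It produces the shape a verifier should expect: a short-lived token
// whose subject is a SPIFFE ID and whose header names the signing key by kid.
func MintJWTSVID(priv ed25519.PrivateKey, kid, spiffeID string, aud []string, now time.Time, ttl time.Duration) (string, error) {
	h, err := json.Marshal(header{Alg: "EdDSA", Typ: "JWT", Kid: kid})
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(Claims{Sub: spiffeID, Aud: aud, Exp: now.Add(ttl).Unix(), Iat: now.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput))), nil
}

// VerifyJWTSVID is the relying-party check: pin the algorithm, look the key up by kid in the
// trust domain's bundle, verify the signature before trusting any claim, then require a SPIFFE
// ID inside the expected trust domain, the expected audience and an unexpired exp.
func VerifyJWTSVID(token string, bundle map[string]ed25519.PublicKey, trustDomain, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h header
	if err := decodePart(parts[0], &h); err != nil {
		return nil, err
	}
	if h.Alg != "EdDSA" { // the token never chooses: "none", HS256 and friends are rejected here
		return nil, errors.New("unsupported alg: " + h.Alg)
	}
	pub, ok := bundle[h.Kid]
	if !ok {
		return nil, errors.New("unknown kid: " + h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(c.Sub, "spiffe://"+trustDomain+"/") {
		return nil, errors.New("subject outside trust domain: " + c.Sub)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	for _, a := range c.Aud {
		if a == audience {
			return &c, nil
		}
	}
	return nil, errors.New("audience mismatch")
}
```

The ordering inside `VerifyJWTSVID` is the point: the algorithm and key are fixed by the verifier's own configuration, the signature is checked before the claims are even parsed, and only then are subject, audience and expiry evaluated. A token whose `sub` sits in another trust domain, whose `aud` names a different workload, or whose `exp` has passed is rejected even though it carries a valid signature, which is exactly what limits the blast radius of a leaked JWT-SVID.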
»Vault continues to reinforce optimized security operations
»Unified, automated approach to public and private certificates
Customers can now request and manage publicly trusted PKI certificates through Vault, which submits the request to a public CA and tracks it through issuance. This helps teams deliver services that need publicly trusted certificates without slowing development, and gives platform teams a single workflow within Vault for both privately and publicly issued certificates.
»Reduced operations costs with SCIM integrations
Currently in public beta, SCIM server support lets Vault act as the target for any SCIM-compliant identity provider, so SCIM clients such as SailPoint and Okta can drive user and group lifecycle management directly. Operators no longer sync users, groups, and group memberships into Vault by hand, and deprovisioning is driven by the identity provider rather than a manual process, which closes the gap in which a departed user's access would otherwise persist in Vault. Teams working toward consistent, centralized governance can use this beta feature in Vault 2.0.
»Expanding support for Terraform ephemeral resources
Improvements to the Terraform Vault provider bring secrets lifecycle management and infrastructure lifecycle management closer together. Managing Vault itself (auth methods, secrets engines and policies) as code keeps its configuration consistent, repeatable and auditable for the infrastructure and applications that depend on it, and ephemeral resources let Terraform retrieve Vault-backed secrets during provisioning without hardcoding them. Because Terraform does not persist ephemeral values to state or plan files, a credential fetched for a run does not linger in the state backend afterwards, and rotation stays automated on the Vault side.
»Enhancing the Vault UI for discoverability and usability
Vault Enterprise 2.0 introduces an enhanced UI with a guided onboarding experience that helps teams configure foundational features quickly and correctly. New and returning users are directed toward recommended Vault usage faster, with a curated startup path that accelerates time to value.
The onboarding wizard is now generally available and is designed to evolve beyond initial setup, with additional wizards planned to make Vault guidance an ongoing experience rather than a one-time task.
Contextual and embedded enhancements have also been introduced to support better feature discoverability. The support and documentation that previously lived only in Vault developer documents are now being delivered in-product, so users don’t need to leave Vault to learn how to use Vault.
Adoption can be accelerated when teams get the right help. The visual policy generator is also generally available and helps teams create secure policies without writing JSON or HCL from scratch. This reduces the learning curve for new users and administrators and improves efficiencies with consistent and recommended policy patterns across teams that use Vault.
»Vault Enterprise 2.0 upgrade details
Vault Enterprise 2.0 delivers meaningful advancements in identity lifecycle automation, workload interoperability, usability, onboarding, and operational transparency. These improvements lower barriers to adoption while strengthening Vault’s core mission: secure, reliable, consistent secrets and identity management at enterprise scale.
You can explore the full list of updates, including those that are available in Community Edition, by reviewing the Vault 2.0 changelog.
As with previous releases, we recommend testing new releases in staging or isolated environments before deploying them to production. If you encounter any issues, please report them via the Vault GitHub issue tracker or start a discussion in the Vault community forum. If you believe you have discovered a security vulnerability, please report it responsibly by emailing security@hashicorp.com and avoid using public channels for security issues. For details, refer to our security policy and PGP key.
To learn more about HCP Vault or Vault Enterprise, visit the Vault product page.