
HashiCorp Vault 2.0 Marks Shift to IBM Lifecycle with New Identity Federation


HashiCorp has released Vault 2.0, the first major version number change for the secrets management platform since version 1.0 launched in 2018.

This release arrives as engineering teams grapple with the operational complexity of securing communication across multi-cloud and containerised environments.

The move to version 2.0 represents more than just a feature update; it establishes the IBM versioning and support model following the recent acquisition. This shift explains the leap from version 1.21 directly to 2.0. Along with the versioning change, the platform now follows the IBM Support Cycle-2 policy, which guarantees at least two years of standard support for major releases. The release also arrives in the context of HashiCorp's 2023 licence change from the Mozilla Public License to the Business Source License, which prompted the community-driven OpenBao fork. For teams that moved to OpenBao or considered doing so, the direction of Vault under IBM ownership will be closely watched.

At the core of this iteration is a refined identity-based security model that prioritises how workload and service identities are verified across distributed environments.

A standout technical addition is the introduction of Workload Identity Federation for secret syncing. This feature allows Vault to authenticate with major cloud providers like AWS, Azure, and GCP without the need for long-lived static credentials. By leveraging OIDC tokens, engineering teams can reduce the risk of credential leakage during the synchronisation process. The release also includes modifications to the internal storage engine designed to improve performance for high-volume operations, which is particularly relevant for real-time encryption and authentication tasks at enterprise scale.

The underlying architecture has been modified to remove several legacy components, resulting in breaking changes that users must account for during the upgrade process. For instance, Azure authentication now requires explicit configuration settings rather than falling back to environment variables, a change that began with plugin updates in the 1.20 cycle and is now enforced as default behaviour. Additionally, the release introduces beta support for SCIM 2.0 identity provisioning, allowing for the automated management of Vault entities and groups from external identity platforms. Removing older elements is intended to simplify the long-term maintenance of the codebase and allow for more frequent updates under the new ownership.

In the broader secrets management market, Vault 2.0 competes with cloud-native services such as AWS Secrets Manager and Azure Key Vault, which offer tight integration within their respective platforms but limited cross-provider portability. Managed alternatives like Akeyless and Doppler target teams seeking a hosted secrets solution without the operational overhead of running Vault. This update also introduces SPIFFE JWT-SVID support to enable secure workload participation in SPIFFE-based identity meshes, positioning Vault as a bridge between proprietary and open identity standards.

The release also updates the Public Key Infrastructure (PKI) secret engine to facilitate the automation of certificate lifecycles. By providing tools for the issuance and renewal of certificates, the update aims to reduce the risks associated with manual credential management. This aligns with zero-trust networking principles increasingly adopted across enterprise infrastructure. Documentation updates provided alongside the release offer guidance on migration strategies for those currently running version 1.x installations, ensuring a stable transition as the platform enters its next phase of development.
