Change8

v1.19.4

Breaking Changes
📦 vault

1 breaking · 4 features · 🐛 2 fixes · 1 deprecation · 🔧 2 symbols

Summary

This release updates underlying dependencies, introduces FIPS 140-3 compliance and post-quantum key agreement support, and fixes critical bugs related to enterprise plugin operation on standby nodes.

⚠️ Breaking Changes

  • plugins (enterprise): Enterprise plugins can no longer be registered on standby nodes if the artifact is not pre-extracted. Operators must now place the extracted plugin artifact in the plugin directory before registration, as Vault will no longer extract it upon registration on standby nodes.

Migration Steps

  1. For Enterprise users deploying plugins, ensure that the plugin artifact is extracted and placed in the plugin directory before registering the plugin, especially if the registration occurs on a node that might transition from standby to active.

✨ New Features

  • Namespaces (enterprise): Root tokens can now relock a namespace.
  • core (enterprise): FIPS builds are updated to use the FIPS 140-3 cryptographic module.
  • core: Updated code and documentation to support FIPS 140-3 compliant algorithms.
  • core: Added support for X25519MLKEM768 (post-quantum key agreement) in the Go TLS stack.

🐛 Bug Fixes

  • core (enterprise): Fixed an issue where plugin automated root rotations would stop after seal/unseal operations.
  • plugins (enterprise): Fixed an issue that prevented Enterprise plugins from running on a standby node after it became active, caused by standby nodes not extracting the artifact during plugin registration.

🔧 Affected Symbols

  • event.keyCode
  • event.key

⚡ Deprecations

  • ui: The use of event.keyCode is deprecated and has been replaced with event.key.