HashiCorp is committed to enabling organizations to seamlessly integrate and automate security within developer workflows to help strengthen security across their hybrid estate. At HashiConf, we're showcasing recent and upcoming enhancements to our Security Lifecycle Management (SLM) portfolio — including HashiCorp Vault, Radar, and Boundary — that are designed to streamline secure development practices.
We are excited to announce several new updates:
Vault Enterprise 1.21
- Vault Secrets Operator (VSO) protected secrets: Provide secrets directly to Kubernetes pods without persistent storage.
- SPIFFE support: Enable secure, automated identity management across dynamic AI infrastructure and machine identities by issuing verifiable workload identities.
- Static role rotation for Azure credentials: Enable secure, long-lived Azure credentials with on-demand rotation for greater flexibility and automation.
- Vault MCP server: Interact with Vault using natural language.
- SSCSI Vault provider – certified by Red Hat: Red Hat has certified the Vault Secret Store CSI provider, allowing OpenShift users to securely mount ephemeral secrets without etcd.
HCP Vault Dedicated
- Private DNS: Enable faster, more compliant deployments by seamlessly integrating enterprise DNS infrastructure into a secure, scalable managed service.
- AWS PrivateLink support: Enable secure, private connectivity that meets strict compliance requirements while simplifying network architecture.
- Secrets inventory reporting: Get real-time visibility into secrets usage to proactively manage risk, streamline compliance, and demonstrate security impact.
HCP Vault Radar
- HCP Vault Radar VSCode IDE plugin: Shift security left with real-time secrets detection at the source, while shortening exposure windows and maintaining developer velocity.
- HCP Vault Radar Jira scanning: Gain full visibility into leaked secrets across Jira tickets, comments, and docs with continuous SaaS or agent-based monitoring.
- HCP Vault Radar MCP server: Get instant AI‑driven risk insights via natural‑language processing to quickly identify leaked secrets.
HCP Boundary
- Boundary RDP credential injection: Enable passwordless access to Windows hosts, improving developer experience and reducing credential-related risks.
For our complete roundup of all HashiConf 2025 news and highlights, check out our blog: 10 years of HashiConf: A bold leap into AI-powered infrastructure
» Vault Enterprise 1.21
Vault Enterprise features being announced today will be available in October’s 1.21 release.
» Secrets on demand with VSO-protected secrets
In its traditional setup, the Vault Secrets Operator (VSO) syncs secrets from Vault and stores them as Kubernetes Secrets, which the API server persists in the cluster's underlying data store (normally etcd). The operator watches its custom resources, and when a secret changes in Vault, it updates the corresponding Kubernetes Secret with the latest values, so applications can consume secrets through standard Kubernetes workflows.
With the release of Vault Enterprise 1.21, VSO will include another approach that uses a new CSI driver. Instead of caching secrets in Kubernetes, the CSI driver mounts secrets directly into your pods at runtime so there is no persistent storage involved.
Here’s how it works:
- You define a custom resource that includes a list of Vault secrets to fetch, and you also define access controls to specify which pods are allowed to use the secrets.
- When an authorized pod references that resource as a volume, the CSI driver will mount the secrets directly to the pod.
- All containers in the pod that reference the volume get access to the secrets, securely and just in time.
This method avoids storing secrets in etcd entirely, making it a great option for teams looking to limit the exposure of sensitive data while keeping access dynamic and tightly controlled. Note that the secrets still exist in the mounted volume on the node for as long as the pod runs, so node hardening and pod-level access controls remain part of the security boundary.
» Solving identity at scale with SPIFFE
AI infrastructure is powered by a complex web of automated services: model training pipelines, inference APIs, GPU workers, and edge agents that often run across multiple environments. Managing trust between these components is a growing challenge.

SPIFFE (Secure Production Identity Framework For Everyone) is an identity standard that provides part of the solution for the AI infrastructure challenge, and many others. It is suited not just for managing and verifying identities in AI pipelines, but also other dynamic environments like Kubernetes and hybrid/multi-cloud. SPIFFE can assign cryptographically verifiable identities to each workload in these dynamic environments. These identities are then used to securely authenticate workloads to each other with no manual intervention necessary.
Native SPIFFE support in Vault Enterprise will provide:
- Automating identity issuance for AI workloads: Whether it's a model training job spun up in Kubernetes or an inference API deployed in the cloud, Vault issues a SPIFFE ID and its associated certificate to that workload without manual steps.
- Verifying identity across environments: Vault can be used to enforce identity-based access controls between AI services, even when they run across clusters or clouds.
- Enabling traceability: Because Vault's audit log records each identity issuance, security teams can trace which machine or service was issued which identity, and when.
By decoupling identity from static resources or human provisioning, SPIFFE and Vault Enterprise empower teams to scale AI infrastructure securely and confidently. With Vault Enterprise now supporting SPIFFE natively, organizations can issue, rotate, and verify SPIFFE-compliant identities with the same operational consistency and security posture that Vault provides today.
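To make the identity model concrete, here is an added Python example (not HashiCorp or SPIFFE project code) that validates SPIFFE IDs against the rules of the SPIFFE ID specification and then makes the kind of identity-based authorization decision between workloads that the section above describes. The trust domain `ai.example.com`, the workload paths and the policy table are assumptions for illustration; in practice the peer's SPIFFE ID is read from the URI SAN of its X.509 SVID after the TLS handshake has verified the chain against the trust bundle.

```python
# Added example (not HashiCorp's code): parsing and validating SPIFFE IDs per
# the SPIFFE ID specification, then using them for a workload-to-workload
# authorization decision. The trust domain "ai.example.com", the workload
# paths and the policy table are assumptions for illustration.

SCHEME = "spiffe://"
MAX_ID_BYTES = 2048
MAX_TRUST_DOMAIN_BYTES = 255
# Trust domains are limited to lowercase letters, digits, '.', '-' and '_';
# path segments may also contain uppercase letters.
TRUST_DOMAIN_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789.-_")
PATH_SEGMENT_CHARS = TRUST_DOMAIN_CHARS | frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def parse_spiffe_id(spiffe_id):
    """Return (trust_domain, path) for a well-formed SPIFFE ID, else raise ValueError.

    Rejects what the spec forbids: other schemes, query/fragment, port or
    userinfo (':' and '@' are not in the allowed character sets), an empty or
    uppercase trust domain, empty segments (double or trailing '/'), and the
    relative segments '.' and '..'.
    """
    if len(spiffe_id.encode("utf-8")) > MAX_ID_BYTES:
        raise ValueError("SPIFFE ID longer than 2048 bytes")
    if not spiffe_id.startswith(SCHEME):
        raise ValueError("scheme must be spiffe://")
    trust_domain, slash, path_body = spiffe_id[len(SCHEME):].partition("/")
    if not trust_domain or len(trust_domain.encode("utf-8")) > MAX_TRUST_DOMAIN_BYTES:
        raise ValueError("trust domain missing or too long")
    if not set(trust_domain) <= TRUST_DOMAIN_CHARS:
        raise ValueError("invalid character in trust domain %r" % trust_domain)
    if not slash:
        return trust_domain, ""  # bare trust-domain ID such as spiffe://ai.example.com
    for segment in path_body.split("/"):
        if segment == "":
            raise ValueError("empty path segment (double or trailing slash)")
        if segment in (".", ".."):
            raise ValueError("relative path segments are not allowed")
        if not set(segment) <= PATH_SEGMENT_CHARS:
            raise ValueError("invalid character in path segment %r" % segment)
    return trust_domain, "/" + path_body


def is_valid_spiffe_id(spiffe_id):
    try:
        parse_spiffe_id(spiffe_id)
        return True
    except ValueError:
        return False


def path_matches(path, prefix):
    """True when `prefix` equals `path` or is an ancestor on a '/' boundary,
    so '/ns/training' covers '/ns/training/sa/pipeline' but not '/ns/trainingx'."""
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


# Hypothetical policy: for each server identity (trust_domain, path), the
# (trust_domain, path_prefix) rules describing which callers it accepts.
POLICY = {
    ("ai.example.com", "/ns/inference/sa/api"): [
        ("ai.example.com", "/ns/training"),       # any workload in the training namespace
        ("ai.example.com", "/ns/edge/sa/agent"),  # the edge agent (and anything beneath that path)
    ],
}


def is_authorized(server_id, client_id, policy=POLICY):
    """Decide whether `client_id` may call `server_id`. Malformed IDs are denied,
    as is any caller from a different trust domain, even with an identical path."""
    try:
        server = parse_spiffe_id(server_id)
        client_td, client_path = parse_spiffe_id(client_id)
    except ValueError:
        return False
    return any(
        client_td == rule_td and path_matches(client_path, rule_prefix)
        for rule_td, rule_prefix in policy.get(server, ())
    )


if __name__ == "__main__":
    api = "spiffe://ai.example.com/ns/inference/sa/api"
    for caller in ("spiffe://ai.example.com/ns/training/sa/pipeline",
                   "spiffe://ai.example.com/ns/trainingx/sa/pipeline",
                   "spiffe://evil.example.com/ns/training/sa/pipeline",
                   "spiffe://ai.example.com/ns/training/../inference/sa/api"):
        print(caller, "->", "allow" if is_authorized(api, caller) else "deny")
```

Two design points matter here: the trust domain is compared exactly, so a workload in another trust domain with a look-alike path is denied regardless of how trustworthy its certificate looks, and prefix rules only match on a `/` boundary, which prevents `/ns/trainingx` from riding on a rule written for `/ns/training`.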
» Unlock long-lived Azure credentials with static role rotation
Historically, the Azure secrets engine only issued dynamic credentials, which Vault revoked when the lease expired or the client session ended. That posed a challenge for teams that need persistent, long-lived credentials managed through Vault, particularly for automation workflows or integrations that require predictable access.
Today, we’re excited to announce support for Azure static role rotation in Vault Enterprise, an enhancement to the Azure secrets engine that gives organizations more flexibility and control over their Azure credential lifecycle. With static roles and credential rotation, Vault Enterprise can create, store, and manage Azure credentials that outlive the client session. Organizations can trigger on-demand rotations via the Vault API or user interface. The credentials are stored within the Azure secrets engine mount, encrypted like everything else in Vault's storage backend, and are accessible to authorized clients based on Vault policies. Because a static credential outlives any single session, drive rotation from a schedule through the API and keep the policies that grant read access to the role as narrow as possible.
The feature also supports importing existing Azure service principals, giving teams a unified workflow for managing both new and existing credentials. This update helps security and platform teams standardize access management across cloud environments through Vault.
» Interact with Vault using natural language via Vault MCP server
The Vault Model Context Protocol (MCP) server allows developers and operators to interact with the Vault API using AI assistants and chatbots, simplifying common tasks like listing secrets and issuing X.509 certificates. We’re excited to announce that Vault’s MCP server is now in public beta and available for users to try on their local machines. It currently supports common tasks in secrets engines management, KV static secrets, and PKI.
Explore the documentation to try the Vault MCP server beta.
For more insights into our vision for AI-driven infrastructure, check out our new blog: Building intelligent infrastructure automation with HashiCorp
» Vault and OpenShift collaboration
Today, we reached a new milestone demonstrating the ongoing benefits from the Vault and OpenShift collaboration, with additional integrations planned in the near future to further strengthen secrets management across hybrid and multi-cloud environments.
» SSCSI Vault provider – certified by Red Hat
Secrets management remains a critical challenge for organizations building on Kubernetes and OpenShift. By default, Kubernetes Secrets are only base64-encoded and, unless encryption at rest is configured for the API server, are stored in etcd in plaintext, leaving them readable by anyone with cluster-admin or etcd access and exposed if etcd is compromised. Manual and inconsistent rotation practices further increase the risk of stale or compromised credentials.
To address these challenges, we’re excited to announce that the Vault Secret Store CSI (SSCSI) provider is now officially certified by Red Hat. This certification enables OpenShift customers to mount secrets directly from Vault into pods as ephemeral volumes, so the secrets never land in etcd (provided the driver's optional sync to Kubernetes Secrets is left disabled).
The certification underscores Red Hat’s validation of the integration for security, lifecycle management, and long-term supportability. Customers now have even more options to pair Vault Enterprise with OpenShift environments, backed jointly by HashiCorp and Red Hat.
» HCP Vault Dedicated
» Streamline Azure deployments with bring your own DNS support
Many customers using Vault’s cloud offering need to keep network traffic within isolated or private networks. In June we announced a solution for this need: Bring Your Own DNS (BYO-DNS) with initial support for AWS. Today we’re announcing additional support for Azure that will be available in October.
With BYO-DNS, platform and network teams can now connect their existing DNS infrastructure directly into the HashiCorp Virtual Network (HVN). This enables HCP Vault Dedicated to meet more complex (often regulatory) requirements that some enterprises have regarding private system access. BYO-DNS for Azure results in faster deployments, fewer manual workarounds, and better alignment with internal networking standards and compliance requirements.
As enterprises modernize, they’re looking for managed services that don’t force trade-offs. BYO-DNS represents additional proof that HCP Vault Dedicated is built for real-world enterprise adoption: secure, flexible, and ready for scale.
» Support for AWS PrivateLink
Vault customers must sometimes meet stringent compliance requirements (e.g. HIPAA, PCI, and SOC) by ensuring their Vault data doesn’t transit public networks. There are multiple ways a customer can keep data off of public networks in general, but one popular tool for AWS environments is AWS PrivateLink.
After seeing significant customer interest, we're excited to announce that HCP Vault Dedicated now supports AWS PrivateLink, offering customers a more secure and private way to connect to their Vault clusters. With AWS PrivateLink, all network traffic between your AWS VPC and HCP Vault Dedicated stays on the AWS backbone and never traverses the public internet. PrivateLink also simplifies network architecture and lowers operational overhead by removing the need for VPNs or gateways on that path, leading to potential cost savings and easier maintenance.
With this release, HCP Vault Dedicated becomes even better suited for customers in regulated industries, or those with high security and compliance standards, while still delivering the operational ease of a fully managed Vault service.
» Simplified compliance secrets inventory reporting
In the same way that uptime and performance monitoring are critical to maintaining product reliability, secrets management visibility is crucial for maintaining compliance and a proactive security posture. To continue building our secrets visibility story, we’re announcing the public beta for governance reporting and a secrets inventory dashboard in HCP Vault Dedicated, giving teams a centralized view into how secrets are accessed and managed.
Governance reporting provides real-time insights into secret usage, access patterns, and policy adherence. Security teams can quickly identify anomalies like unused secrets or outdated policies, enabling faster response to potential risks. You can see in the secrets inventory dashboard below that operators now have a view into the health of their team’s secret management processes, with filters that show you:
- Secrets that haven’t been accessed in 90+ days
- Secrets that haven’t been updated in 90+ days
- Upcoming rotations that will update a secret in less than 30 days

These insights can be exported as structured reports that speed up your teams’ audit preparation. Whether you're working toward HIPAA, PCI, or SOC 2 compliance, HCP Vault Dedicated helps streamline the process and improve accuracy.
Governance reporting also helps demonstrate the value of your secrets management program. Teams can track Vault adoption, justify security investments, and show measurable impact on risk reduction. With governance reporting and Vault usage tracking, HCP Vault Dedicated helps organizations shift from reactive secrets management to proactive security and compliance at scale.
Sign up for the beta to learn more.
» HCP Vault Radar
» Get full Jira visibility with automated scanning
Security teams have long faced blind spots in Jira tickets, comments, and documentation, where developers may inadvertently store API keys, tokens, or passwords. At the same time, developers lacked real-time alerts within their coding environments to prevent secrets from slipping into production. This combination created prolonged exposure risks and reactive security cycles.
HCP Vault Radar now provides secret scanning for Jira Cloud and Jira Server 8.14+, either through SaaS scanning or through the agent. With Jira SaaS scanning now generally available, organizations gain full visibility into credential exposure across Jira tickets, including text attachments, enabling proactive remediation before incidents occur.
In total, HCP Vault Radar now scans GitHub, GitLab, Bitbucket, Azure DevOps, Confluence, Jira (Cloud and Server), Slack, Amazon S3, and Terraform.
» Shift security left with Vault Radar’s VSCode plugin now available in public beta
In an effort to make secret scanning practices more seamless, proactive, and developer-friendly, HCP Vault Radar now introduces a VSCode IDE plugin in public beta, delivering real-time secrets scanning directly within the development environment.
Through code highlights, Vault Radar’s VSCode IDE plugin alerts developers to potentially exposed secrets when code is saved. The plugin provides the user with important information including risk type, severity, and whether the exposed credential can be found in your Vault instances. Additionally, the user is given the opportunity to import the secret if it’s not present in Vault.
This helps developers weave a streamlined secret scanning workflow into the development process, preventing costly remediation cycles later in production, shortening exposure windows, and strengthening security posture without sacrificing developer velocity. With real-time detection at the source, Vault Radar empowers developers to code securely from the start.
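The Jira scanning and the VSCode plugin described above rest on the same two ingredients: pattern rules that carry a risk type and severity, and a filter that suppresses placeholders and low-entropy defaults so developers are not flooded with false positives. The following Python is an added illustration of that logic, not Vault Radar's code (its detection rules are not published on this page). The Jira comment is constructed; the AWS key in it is the `AKIAIOSFODNN7EXAMPLE` placeholder from AWS documentation and the other values are invented.

```python
# Added example (not Vault Radar's code): rule-based secret detection over a
# constructed Jira comment, with an entropy/placeholder filter for generic
# "key = value" assignments. Findings carry a risk type and severity and the
# matched value is redacted before it is reported.
import math
import re

# Constructed sample; AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder.
SAMPLE_JIRA_COMMENT = """\
Deploy keeps failing on staging, can someone look?
For reproducing, I used AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE and the
matching secret key from the wiki page.
db password: changeme   <- this is just the default, fine
api_key = "kx7Qp2VtLm9RwZc4ByNf8HsJa3"
docs token: ${JIRA_TOKEN}
"""

# (risk type, severity, regex). Group 1, when present, is the secret value.
RULES = [
    ("private_key", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", "high",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_pat", "high",
     re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_assignment", "medium",
     re.compile(r"\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})",
                re.IGNORECASE)),
]
ENTROPY_THRESHOLD = 3.0          # bits per character; below this a value looks like a default
PLACEHOLDER_PREFIXES = ("$", "{", "<", "%")  # template variables such as ${JIRA_TOKEN}


def shannon_entropy(value):
    """Bits of entropy per character; 'changeme' is ~2.75, a random 26-char token ~4.7."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a recognisable prefix so the finding can be located without re-leaking it."""
    return value[:4] + "..." + "(%d chars)" % len(value)


def scan_text(text):
    """Return findings as dicts with line, kind, severity and a redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, severity, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "generic_assignment":
                    # Suppress template variables and low-entropy defaults; the
                    # fixed-format rules above need no such filter.
                    if value.startswith(PLACEHOLDER_PREFIXES) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue
                findings.append({"line": line_no, "kind": kind,
                                 "severity": severity, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_JIRA_COMMENT):
        print("line %(line)d [%(severity)s] %(kind)s: %(value)s" % f)
```

Run against the sample, the scanner reports the AWS key on line 2 and the high-entropy `api_key` on line 5, while `changeme` and `${JIRA_TOKEN}` are dropped by the filter. A production scanner would add a verification step (for instance, checking whether the key is live) and, as the plugin does, look the value up in Vault to tell a managed secret from a stray one.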
» Access instant risk insights with Vault Radar MCP server
The Vault Radar MCP server empowers security teams with AI-driven analysis, combining natural language prompts and LLMs to deliver instant insights into leaked secrets and risk events. By prioritizing risks based on severity, exploitability, and asset value, it accelerates triage and decision-making across high volumes of alerts and signals.
Because the MCP server queries Vault Radar's own findings, security teams can ask questions about their actual exposure data rather than reading a static dashboard. Unlike rule-based reporting tools, it leverages agentic AI workflows and natural language interaction, making advanced security analysis accessible, efficient, and proactive, ultimately strengthening organizational resilience.
» Boundary
» RDP credentials injection (public beta)
One of HashiCorp Boundary’s flagship features for secure remote access is credential injection. This provides users with a passwordless experience to securely connect to target resources (like Linux or Unix hosts) with virtually zero toil. This feature, initially built to support SSH connections, streamlined remote infrastructure access and made it simpler and safer for developers to connect without handling credentials. By removing the password handling part of the process, credentials are less likely to be leaked, shared, or stolen.
In the Boundary 0.20 GA release, the same credential injection capability is available as a public beta feature for remote desktop protocol (RDP) connections. With credential injection for RDP, developers and other end users can connect to Windows hosts using their preferred RDP client tools without entering credentials, resulting in a much stronger security posture. For more details, please refer to the blog: Public beta of RDP credential injection now available in Boundary 0.20.
» Getting started with Security Lifecycle Management
As organizations move from static to dynamic cloud environments, they need to transition from network-based to identity-based security. With more focus and scrutiny on the materiality of cybersecurity risk, organizations are also forced to enhance security efforts without sacrificing developer productivity.
With these new announcements, HashiCorp continues to strengthen its Security Lifecycle Management offerings. Together, HashiCorp Vault, Boundary, and Consul prioritize making it easy for developers to adopt more secure workflows that help accelerate development while optimizing cloud operations.
To see these products in action or to learn more, sign up for a free trial of the HashiCorp Cloud Platform.