
Vault Enterprise 1.20: SCEP, usage reporting, cloud secret imports

Vault 1.20 adds smarter, streamlined security workflows with encryption updates and UX improvements. The Terraform Vault provider adds ephemeral values.

HashiCorp Vault Enterprise 1.20 is now generally available, introducing advanced capabilities for secure workflows and user experience enhancements.

Key highlights in this announcement include:

  • Simple certificate enrollment protocol (SCEP): Vault Enterprise 1.20 expands PKI capabilities by including support for SCEP, enabling automated certificate issuance for a wider range of devices and systems, particularly in enterprise and network environments.
  • Usage dashboard and reporting: Vault Enterprise 1.20 and HCP Vault Dedicated have added enhanced usage reporting that provides visibility and insights into Vault adoption patterns and usage practices to better inform operational and security decisions.
  • User experience improvements: Vault Enterprise 1.20 delivers several UI enhancements that improve product visibility and usability, making it easier for users to navigate, manage secrets, and monitor system activity.
  • Ephemeral values: The Vault provider for Terraform now supports ephemeral values to enhance security and streamline workflows by preventing temporary secrets from being stored in Terraform state files.
  • Secrets import: Vault Enterprise 1.20 can now import key-value-compatible secrets from external providers like AWS, Azure, and GCP into a customer's Vault cluster.

»SCEP: Certificate management for diverse workloads

Vault Enterprise 1.20 has added support for SCEP: a scalable and automated protocol to securely manage digital certificates, particularly in large and dynamic IT environments. SCEP streamlines the process of certificate issuance, renewal, and revocation, reducing manual intervention and administrative overhead. It enables secure communication between endpoints and certificate authorities (CAs), ensuring that non-human identities, devices, users, and applications can authenticate each other and establish encrypted connections. SCEP is particularly well-suited for the following workloads:

  • Mobile device management (MDM): SCEP is widely used in MDM solutions to provision certificates to smartphones, tablets, and laptops without user interaction. It enables secure Wi-Fi, VPN, and email access.
  • IoT devices: Internet of Things devices often need certificates for secure communication but have limited interfaces for manual setup. SCEP automates enrollment, making it ideal for large-scale IoT deployments.
  • Enterprise network devices: Routers, switches, firewalls, and other infrastructure often require certificates for IPsec, HTTPS, or device authentication. SCEP can handle this at scale with minimal manual work.
  • Virtual machines and containers: In environments where virtual machines and containers are spun up frequently, SCEP can quickly provide certificates to ensure secure workloads.
  • Remote access infrastructure: VPNs and remote desktop services benefit from SCEP by issuing client certificates automatically to authorized users or devices.

»Vault usage reporting: Track secrets engines, leases, and access trends

As more organizations adopt Vault to manage and secure their secrets, gaining visibility into how Vault is being used across teams and services becomes increasingly important. Understanding usage patterns not only helps drive broader adoption but also ensures security best practices are being followed consistently.

To address this need, we’ve introduced Vault usage reporting, a new feature designed to give Vault Enterprise and HCP Vault Dedicated customers clear insights into access trends and lease utilization.

With Vault usage reporting, you can now easily track:

  • Which secrets engines and authentication methods are being used
  • The number of leases, broken down by authentication method
  • Overall global lease counts
  • The percentage of lease allocation
  • The number of child namespaces, KV secrets, secrets synced, and PKI roles

[Figure: Vault usage dashboard]

These insights help platform and security teams monitor adoption, optimize configurations, and ensure that secrets management aligns with internal compliance and operational goals. Usage reporting brings actionable visibility into how Vault is being used, so organizations can manage secrets more effectively.

»Secret recovery: Delegate recovery after accidental changes or deletion

Due to the high number of secrets stored in many Vault environments and the necessity of delegating operations for those secrets, users may accidentally change or delete secrets that are critical for business flows. While Vault allows recovering secrets from a cluster snapshot, this can cause performance degradation across the cluster. To supplement this, we are releasing secret recovery, a new feature that will allow admins to configure snapshots that can be used to recover secrets and delegate recovery to relevant end users. Additionally, we encourage customers to use the KV_V2 secret engine’s soft delete function.

In 1.20, secret recovery will only be available for KV_V1, but we are very interested in adding it to more secrets engines if customers find it beneficial.

»UI enhancements

As organizations scale their use of Vault across teams, applications, and environments, the need for a more intuitive, performant, and insightful user experience becomes critical. In response to feedback from our customers and field teams, we’ve introduced a series of UI enhancements in Vault aimed at reducing friction, improving visibility, and simplifying workflows. From a redesigned namespace navigation experience to smarter login defaults and more accurate client count reporting, these updates are designed to help platform teams operate more efficiently and understand how Vault is being used across their organization — no matter the scale.

»TOTP UI support for security teams

In today’s security-conscious environments, Time-Based One-Time Passwords (TOTP) are a popular way to add another layer of protection for users accessing critical systems. Many organizations use the HashiCorp Vault TOTP secrets engine to generate TOTP codes and provide secure access to environments secured by Vault.

But what happens when your end users aren’t developers or engineers? A common pattern we’ve seen is organizations configuring TOTP for end users — such as internal staff, partners, or contractors — who primarily interact with the system through a web-based UI. These users rely on simple, intuitive interfaces to access their credentials and authentication methods.

While the TOTP secrets engine works well under the hood, many teams discovered that:

  • Users cannot list or view their TOTP token values via the web UI.
  • The TOTP engine appears greyed out or disabled for GUI users.
  • Token values are only accessible through the CLI or API, which these end users typically don’t use or understand.

This disconnect causes significant frustration and support load for engineers and admins, especially when non-technical users need to retrieve or verify TOTP codes for login and workflow approval.

To bridge the gap, we’ve introduced GUI support for TOTP management and visibility focused on the most common needs of non-technical users:

  • Account view support: The web UI now supports account-based TOTP entries, where each account is typically the user’s email or username.
  • Easy account setup: Users can now add a new TOTP account directly from the UI. They can enter a custom name and URL, making it easier to recognize which TOTP is for which service.
  • Visual and copyable TOTP codes: Each TOTP code is displayed in the UI (hidden by default for security). A copy-to-clipboard button ensures users don’t have to retype codes manually. A live countdown timer shows how long each code is valid, just like in modern authenticator apps.

[Figure: TOTP token generation]

»Better namespace navigation

As Vault adoption grows across teams and business units, so does the complexity of managing namespaces. For many of our customers, the current namespace picker in the Vault UI has become a pain point — especially in large-scale environments.

We’ve heard your feedback loud and clear. Customers have shared that navigating namespaces through the existing GUI can be:

  • Frustrating, requiring several clicks, especially when accessing child namespaces
  • Cumbersome in large environments with 1,000+ namespaces, with no way to filter or search
  • Inefficient, because moving between namespaces requires repeated reauthentication

To make navigating Vault more seamless and scalable, we’re rolling out significant improvements to the namespace picker experience. The updated design will focus on:

  • Search and filter functionality
  • Direct navigation to nested namespaces
  • Keyboard-friendly navigation for more efficient workflows
  • Improved performance to handle large numbers of namespaces
  • Enhanced accessibility, making the UI more inclusive and compliant

These changes are aimed at reducing friction and giving you a faster, more intuitive way to navigate your Vault environment — no matter how complex your namespace structure becomes.

»Smarter Vault login defaults

As organizations grow and their Vault environments expand, so too does the complexity of managing authentication methods. One of the most common pieces of feedback we’ve heard from enterprise users is that the Vault login screen feels overwhelming when multiple authentication methods are available.

To address this concern, we’ve introduced a streamlined login experience across all namespaces, including default and backup login methods.

With this enhancement, administrators can:

  • Set a default login method for users
  • Define backup login methods in case the default is unavailable
  • Apply these settings consistently across all namespaces as long as the login methods are configured and enabled

By guiding users to the correct login path automatically, this update not only improves the user experience but also helps reduce authentication-related errors and escalations.

[Figure: Vault namespace login settings. Login setup configuration page for the “root” namespace: the default method is set to LDAP, while backup methods are set up for token and username/password.]

»More accurate and transparent client count reporting

Understanding how Vault is being used across your organization is critical, not just for security and operations, but also for managing licensing and planning. One area we’ve consistently heard feedback about is Vault’s client count reporting.

Vault Enterprise 1.20 introduces an updated in-product client count dashboard that brings greater transparency, accuracy, and usability to how Vault tracks client usage.

Key improvements include:

  • Billing-period alignment: The report is now locked to your billing period, removing guesswork from custom date ranges and eliminating reliance on estimates
  • Detailed breakdowns: Client counts are now visualized by mount path, mount type, and namespace, giving you clear insights into where usage is coming from
  • Modern design: Client counts have a refreshed, user-friendly interface that makes it easier to interpret and share data with stakeholders

These enhancements provide better visibility into how Vault is being used across your organization. Whether you're managing entitlements, planning for growth, or simply trying to understand how teams interact with Vault, the new client count dashboard helps you stay informed and in control.

»Ephemeral values in the Vault Terraform provider: Avoid secrets in state files

As organizations continue to scale infrastructure as code with Terraform, many rely on the Vault provider for Terraform to inject secrets during provisioning. However, this has exposed a common challenge where temporary secrets used only during terraform apply are often unnecessarily stored in state files. This can lead to state bloat and increased complexity while also introducing security and compliance risks due to persistent secret retention.

Secrets like database credentials, API tokens, and short-lived certificates are often needed briefly during the apply stage. However, once stored in Terraform state, they persist longer than necessary, which creates several issues:

  • Expanded attack surface and compliance overhead from secrets that should no longer exist
  • Larger, more complex state files that are harder to manage
  • Slower workflows for developers working with bloated or sensitive state

To address this, we’ve added support for ephemeral values for the Terraform Vault provider. This ensures that temporary secrets used during terraform apply are not persisted in the Terraform state.

With ephemeral values, secrets can be:

  • Consumed at runtime only and never persisted to Terraform’s state
  • Safely handled in memory to reduce long-term exposure
  • Used without creating secret sprawl to keep your infrastructure code secure and clean

By adopting ephemeral values, teams gain:

  • Improved security posture and governance by eliminating unnecessary secret retention
  • Optimized Terraform state for faster performance and easier management
  • More efficient developer workflows, free from the burden of tracking transient secrets

This enhancement reflects our ongoing commitment to building secure, scalable, and developer-friendly workflows in the HashiCorp ecosystem.
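The following Terraform configuration is an added illustration of the difference described above, not code from this post or from the provider's own documentation. It contrasts a classic data source, whose result (secret included) is written to state, with an ephemeral block that is only held in memory during plan and apply. The `ephemeral "vault_kv_secret_v2"` block, its `data` attribute, the `password_wo`/`password_wo_version` write-only arguments on `aws_db_instance`, and the mount/secret paths are assumptions about provider and resource names; check them against the provider versions you run.

```hcl
terraform {
  required_version = ">= 1.11" # ephemeral blocks (1.10) and write-only arguments (1.11)
  required_providers {
    vault = { source = "hashicorp/vault", version = ">= 5.0" }  # assumed minimum for ephemeral support
    aws   = { source = "hashicorp/aws", version = ">= 5.84" }   # assumed minimum for password_wo
  }
}

# BEFORE: a data source. Its result, including the secret value, is written to
# terraform.tfstate and stays there until the state is rewritten or purged.
#
# data "vault_kv_secret_v2" "db" {
#   mount = "kv"
#   name  = "prod/db"
# }

# AFTER: an ephemeral block (assumed resource name). Terraform reads it during plan
# and apply, keeps it in memory only, and never writes it to state or plan files.
ephemeral "vault_kv_secret_v2" "db" {
  mount = "kv"      # assumed KV v2 mount path
  name  = "prod/db" # assumed secret path under the mount
}

# An ephemeral value may only flow into places that are themselves not persisted:
# provider configuration, connection/provisioner blocks, other ephemeral blocks,
# or a resource's write-only argument. password_wo is write-only: Terraform sends
# it to the API but stores neither it nor a hash of it; changing password_wo_version
# is how you signal that the secret has rotated and the resource must be updated.
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password_wo         = ephemeral.vault_kv_secret_v2.db.data["password"] # assumed attribute shape
  password_wo_version = 1
  skip_final_snapshot = true
}
```

To verify the effect after `terraform apply`, inspect `terraform show -json`: the ephemeral block has no entry in state, and `password_wo` does not appear among the `aws_db_instance.app` attributes. Referencing the ephemeral value from a normal argument or an `output` without `ephemeral = true` is rejected at plan time, which is the guardrail that keeps the secret out of state.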

»Migrate secrets to Vault from AWS, Azure, and Google Cloud

When organizations begin their journey with Vault, one of the first — and most critical — steps is migrating existing secrets into their new Vault environment. Whether you're moving from another cloud provider or consolidating tools as part of a broader security strategy, getting your secrets into Vault can be a surprisingly complex and manual task.

We've consistently heard from customers that are onboarding to Vault that they often hit a snag early on. They struggle with figuring out how to transfer secrets from platforms like AWS Secrets Manager, Azure Key Vault, or Google Secret Manager to Vault on their own. This creates unnecessary friction during a time when the focus should be on building trust in the platform and accelerating adoption.

And for those migrating to HCP Vault Dedicated as part of a cloud transformation journey, the challenge is even greater. Moving sensitive data between environments adds complexity, slows down timelines, and can introduce security concerns if not handled properly.

To remove this friction and streamline the onboarding process, we're introducing native secret migration capabilities for Vault. This feature allows customers to seamlessly import key-value-compatible secrets from popular cloud providers like AWS, Azure, and Google Cloud directly into their Vault cluster.

With this new capability, teams can:

  • Automatically ingest secrets from supported providers into Vault
  • Reduce manual effort and scripting previously required for migration
  • Start using Vault faster with less setup and configuration overhead
  • Improve security posture by centralizing secrets management from day one

By eliminating the guesswork and heavy lifting often associated with migrating secrets, we’re making it easier for teams to get up and running with Vault — whether you're self-managing or using HCP Vault Dedicated in the cloud.

»Vault Enterprise 1.20 upgrade details

This release also delivers a variety of additional new features, workflow enhancements, general improvements, and bug fixes. You can explore the full list of updates, including those available in Vault Community Edition, by reviewing the Vault 1.20 changelog.

As always, we recommend testing new releases in a staging or isolated environment before deploying them to production. If you encounter any issues, please report them via the Vault GitHub issue tracker or start a discussion in the Vault community forum. If you believe you’ve discovered a security vulnerability, please report it responsibly by emailing security@hashicorp.com. Avoid using public channels for security issues. For details, refer to our security policy and PGP key.

To learn more about HCP Vault or Vault Enterprise, visit the HashiCorp Vault product page.
