The module lifecycle stage: General Availability
The module has requirements for installation

v1.18.0

  • Managed Keys for key material in external trusted systems without storing private keys inside Stronghold. Supported for Transit, PKI, and SSH secrets engines.
  • Managed key support in Yandex KMS and PKCS#11.
  • User authentication via an external SAML 2.0 Identity Provider using the Web SSO profile.
  • Web UI for managing KV mount replication settings.
  • PKI supports single-element RDNs in distinguished names for compatibility with OpenSSL / Microsoft CA.
  • Audit devices support record filtering and excluding specific fields.
  • Snapshot verification via `stronghold operator raft snapshot inspect`.
  • Added ability to manage the `max_ttl` parameter for ACME certificates.
  • Improved compatibility with Vault Enterprise Auto-Snapshots: snapshot configuration is preserved when migrating from Vault Enterprise.
  • CVE GHSA-jqcq-xjh3-6g23, CVE-2026-33186, CVE-2026-33487, CVE-2025-15558

v1.17.0

  • Added WebAuthn support — passwordless authentication (FIDO2/Passkeys).
  • Support for external Stronghold plugins running on DKP.
  • Namespace lock features and a UI to manage them.
  • Web UI support for the LDAP secrets engine.
  • Added Yandex KMS as a seal backend.
  • Extended Agent usage scenarios.
  • Added support for raft nodes in non-voter mode.
  • Refined deployment scenarios on arbiter node groups and test cluster parameters.

v1.16.0

  • Added support for namespaces.
  • Multi-factor authentication (MFA) with TOTP and Multifactor.
  • Deckhouse Stronghold CE (Community Edition) available for free installation.
  • Web UI support for managing OIDC roles, AppRole, and password policies.
  • Added replication metrics.
  • Added SealWrap — additional encryption for the most sensitive internal data on top of Stronghold’s standard cryptographic barrier.
  • Added CryptoPro seal wrapper for scenarios using Russian cryptography.
  • Web UI has fuller Russian localization and a dark theme.
  • Added ClickHouse support and a web UI to work with it.
  • Added TLS 1.3 with GOST ciphers Magma and Kuznyechik.
  • Added support for GOST 34.10-2012 X.509 certificates.

v1.15.0

  • Scheduled backup of Raft snapshots to S3 or the filesystem with API-driven management.
  • Extended KV replication capabilities.
  • Improved web UI.
  • Automatic unseal via HSM/PKCS#11, including Rutoken ECP 3.0 support.

v1.1.0

  • Automatic unseal with keys held in Stronghold node memory
  • Russian-language user interface
  • Listed in the Russian software registry, entry No. 22339 dated 24.04.2024
  • Integration with the platform secrets delivery module `secrets-store-integration`

v1.0.0

  • Deployment as a DKP module
  • Integration with platform DEX authentication