Release Notes

v1.18.1

• UI - Refactor the sidebar navigation
• UI - fixed password policy form saving
• UI - showing/hiding system log and audit log pages depends on token permissions
• UI - Fixed assert on sys/monitor
• UI - Hide empty sidebar sections by permissions
• UI - Hide EE features from CE API and UI
• UI - The Autosnapshots menu will be hidden if there are insufficient access rights
• Added system log viewer into UI
• Added sys/audit-monitor API path
• Flush audit monitor on core shutdown
• Terminate monitor session on core shutdown
• Updated base images to v1.0.17, go1.25.10
• Added extra in-cluster services to NO_PROXY env variable
• KV replication CA now in PEM format
• Use system CA storage for kv replication when VAULT_CACERT is set
• Improved fuzzing. Fixed API response codes on invalid user data.
• DMT compliance
• Added remapper method for d8 cli
• CI - SKIP_SETCAP for Docker tests
• CI - Makefile for dev runs and static builds
• Changed module requirements - needs Deckhouse >= 1.72
• CVE-2026-25645, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, CVE-2026-34986, CVE-2026-39883, CVE-2026-32952, CVE-2026-41506, CVE-2026-41889

v1.18.0

• Managed Keys for key material in external trusted systems without storing private keys inside Stronghold. Supported for Transit, PKI, and SSH secrets engines.
• Managed key support in Yandex KMS and PKCS#11.
• User authentication via an external SAML 2.0 Identity Provider using the Web SSO profile.
• Web UI for managing KV mount replication settings.
• PKI supports single-element RDNs in distinguished names for compatibility with OpenSSL / Microsoft CA.
• Audit devices support record filtering and excluding specific fields.
• Snapshot verification via stronghold operator raft snapshot inspect.
• Added ability to manage max_ttl parameter for ACME certificates.
• Improved compatibility with Auto-Snapshots Vault Enterprise — snapshot configuration is preserved when migrating from Vault Enterprise.
• CVE GHSA-jqcq-xjh3-6g23, CVE-2026-33186, CVE-2026-33487, CVE-2025-15558

v1.17.0

• Added WebAuthn support — passwordless authentication (FIDO2/Passkeys).
• Support for external Stronghold plugins running on DKP.
• Namespace lock features and a UI to manage them.
• Web UI support for the LDAP secrets engine.
• Added Yandex KMS as a seal backend.
• Extended Agent usage scenarios.
• Added support for raft nodes in non-voter mode.
• Refined deployment scenarios on arbiter node groups and test cluster parameters.

v1.16.0

• Added support for namespaces (Namespaces).
• Multi-factor authentication (MFA) with TOTP and Multifactor.
• Deckhouse Stronghold CE (Community Edition) available for free installation.
• Web UI support for managing OIDC roles, AppRole, and password policies.
• Added replication metrics.
• Added SealWrap — additional encryption for the most sensitive internal data on top of Stronghold’s standard cryptographic barrier.
• Added CryptoPro seal wrapper for scenarios using Russian cryptography.
• Web UI has fuller Russian localization and a dark theme.
• Added ClickHouse support and a web UI to work with it.
• Added TLS 1.3 with GOST ciphers Magma and Kuznyechik.
• Added support for GOST 34.10-2012 X.509 certificates.

v1.15.0

• Scheduled backup of Raft snapshots to S3 or the filesystem with API-driven management.
• Extended KV replication capabilities.
• Improved web UI.
• Automatic unseal via HSM/PKCS#11, including Rutoken ECP 3.0 support.

v1.1.0

• Automatic unseal with keys held in Stronghold node memory
• Russian-language user interface
• Listed in the Russian software registry, entry No. 22339 dated 24.04.2024
• Integration with the platform secrets delivery module `secrets-store-integration``

v1.0.0

• Deployment as a DKP module
• Integration with platform DEX authentication