The module lifecycle stage: General Availability
The module has requirements for installation

v1.17.5

  • Updated base images to v1.0.15
  • Revert module weight for install on DKP 1.71
  • CVE-2026-39883

v1.17.4

  • CVE-2026-34986, CVE-2026-33186
  • Refactor sealwrap
  • Refactor auto snapshots. Compatible with Vault EE storage.
  • Updated base images to v1.0.13

v1.17.3

  • Fix vulnerability in debug logs kv replication
  • Fix ACME tests
  • ACME config parameter max_ttl
  • GHSA-jqcq-xjh3-6g23, CVE-2026-33186
  • Updated base-images to v1.0.8
  • Use VAULT_CACERT instead of /etc/ssl/certs
  • Check leader only on isleaderreadyok request
  • UI: Fixed scroll in transit engine pages
  • Set IV for CKK_KUZNECHIK
  • CE and EE features paths fix
  • Safe unlock mutex for transit
  • sealwrap sys/managed-keys

v1.17.2

  • Increased startup probe time
  • CVE-2025-15558
  • Updated base images. go1.25.8
  • CLI-only build tag (d8-cli)

v1.17.1

  • Fix broken configure route and missing HDS dependency
  • OpenAPI spec for TOTP MFA
  • Removed weight for module

v1.17.0

  • Added WebAuthn support — passwordless authentication (FIDO2/Passkeys).
  • Support for external Stronghold plugins running on DKP.
  • Namespace lock features and a UI to manage them.
  • Web UI support for the LDAP secrets engine.
  • Added Yandex KMS as a seal backend.
  • Extended Agent usage scenarios.
  • Added support for raft nodes in non-voter mode.
  • Refined deployment scenarios on arbiter node groups and test cluster parameters.

v1.16.0

  • Added support for namespaces.
  • Multi-factor authentication (MFA) with TOTP and Multifactor.
  • Deckhouse Stronghold CE (Community Edition) available for free installation.
  • Web UI support for managing OIDC roles, AppRole, and password policies.
  • Added replication metrics.
  • Added SealWrap — additional encryption for the most sensitive internal data on top of Stronghold’s standard cryptographic barrier.
  • Added CryptoPro seal wrapper for scenarios using Russian cryptography.
  • Web UI has fuller Russian localization and a dark theme.
  • Added ClickHouse support and a web UI to work with it.
  • Added TLS 1.3 with GOST ciphers Magma and Kuznyechik.
  • Added support for GOST 34.10-2012 X.509 certificates.

v1.15.0

  • Scheduled backup of Raft snapshots to S3 or the filesystem with API-driven management.
  • Extended KV replication capabilities.
  • Improved web UI.
  • Automatic unseal via HSM/PKCS#11, including Rutoken ECP 3.0 support.

v1.1.0

  • Automatic unseal with keys held in Stronghold node memory
  • Russian-language user interface
  • Listed in the Russian software registry, entry No. 22339 dated 24.04.2024
  • Integration with the platform secrets delivery module `secrets-store-integration`

v1.0.0

  • Deployment as a DKP module
  • Integration with platform DEX authentication