Skip to main content
Version: latest

VaultPAM v1.0

Released: 2026-05-14

VaultPAM v1.0 is the first general availability release. It ships the complete core PAM workflow for organisations managing privileged access to RDP, SSH, and web-based resources.

New features

  • RDP and SSH sessions via Connector — launch protocol-native sessions to Windows and Linux targets through an on-premises Connector without exposing credentials to end users. See Connector setup.
  • Safes — group resources, accounts, members, and policy in a single access unit. Safes enforce least-privilege by binding who can connect, to which targets, under which conditions. See Add a Safe.
  • MFA and step-up MFA — every session is gated by TOTP or FIDO2. High-risk Safes can require a second factor at session launch. See Set up MFA.
  • Session recording and playback — every RDP and SSH session is recorded. Recordings are stored in object storage, searchable by user and time, and replayable from the Admin console.
  • Approval gates — sensitive Safes can require a named approver before a session is granted. Approvals are logged with requester, approver, and timestamp. See Approve a session.
  • Organisation management — multi-tenant isolation. Separate organisations share no data. Admins manage members, roles, and policy per organisation. See Organisation setup.
  • Audit logging and export — all administrative and session events are logged with actor, timestamp, and outcome. Logs are exportable for SIEM ingestion. See Audit log.
  • Tenant sandbox — each tenant gets an isolated sandbox environment for testing connector setup and session policies without affecting production resources. See What is a Sandbox?.
  • OpenBao-backed vault integration — credentials are stored and rotated in an OpenBao vault. The control plane fetches credentials at session launch; agents never see plaintext secrets at rest.

Bug fixes

No bug fixes in the initial v1.0 release.

Breaking changes

No breaking changes — v1.0 is the first public release. There is no upgrade path from a prior version.

Security fixes

No CVE-tracked security fixes in v1.0.

Upgrade notes

No upgrade steps required. This is the initial release.

For connector installation instructions see the Connector setup guide.