VaultPAM v1.0
Released: 2026-05-14
VaultPAM v1.0 is the first general availability release. It ships the complete core PAM workflow for organisations managing privileged access to RDP, SSH, and web-based resources.
New features
- RDP and SSH sessions via Connector — launch protocol-native sessions to Windows and Linux targets through an on-premises Connector without exposing credentials to end users. See Connector setup.
- Safes — group resources, accounts, members, and policy in a single access unit. Safes enforce least-privilege by binding who can connect, to which targets, under which conditions. See Add a Safe.
- MFA and step-up MFA — every session is gated by TOTP or FIDO2. High-risk Safes can require a second factor at session launch. See Set up MFA.
- Session recording and playback — every RDP and SSH session is recorded. Recordings are stored in object storage, searchable by user and time, and replayable from the Admin console.
- Approval gates — sensitive Safes can require a named approver before a session is granted. Approvals are logged with requester, approver, and timestamp. See Approve a session.
- Organisation management — multi-tenant isolation. Separate organisations share no data. Admins manage members, roles, and policy per organisation. See Organisation setup.
- Audit logging and export — all administrative and session events are logged with actor, timestamp, and outcome. Logs are exportable for SIEM ingestion. See Audit log.
- Tenant sandbox — each tenant gets an isolated sandbox environment for testing connector setup and session policies without affecting production resources. See What is a Sandbox?.
- OpenBao-backed vault integration — credentials are stored and rotated in an OpenBao vault. The control plane fetches credentials at session launch; agents never see plaintext secrets at rest.
Bug fixes
No bug fixes in the initial v1.0 release.
Breaking changes
No breaking changes — v1.0 is the first public release. There is no upgrade path from a prior version.
Security fixes
No CVE-tracked security fixes in v1.0.
Known Gap - Internal TLS
VaultPAM v1.0 ships the H0 PKI foundation and the v1 internal TLS guardrails, and the H6/H7 service-side TLS rollout is now implemented and test-covered in repo. The only deferred east-west closure remains the H3/H4/H5 follow-up.
- H3 MinIO, H4 guacd, and H5 Keycloak remain deferred to AIC-1710.
- The compensating control is the dedicated NetworkPolicy package at deploy/k8s/internal-tls/networkpolicies.yaml.
- H4 is the highest residual risk because it carries live RDP keystrokes and screen pixels until the follow-up lands.
- H6/H7 are now covered by the service TLS manifests and the package-level TLS tests: recording-catalog-service/tests/tls.rs, audit-evidence-service/tests/tls.rs.
- The operator-facing evidence trail is documented in docs/operations/AIC-1700_INTERNAL_TLS_RUNBOOK.md.
Upgrade notes
No upgrade steps required. This is the initial release.
For connector installation instructions see the Connector setup guide.