hashicorp/vault
Lore
Vault has been under continuous development since early 2015. This page traces the major eras of the codebase — what changed, why, and roughly when. Dates come from git tags and commit timestamps.
Eras
The single-machine era (Feb 2015 – Mar 2016)
Vault's first commit lands on 2015-02-24. The original product is a single-node secret store written in Go, with consul and inmem storage and a small set of built-in auth methods (token, userpass, cert, app-id). The original app-id auth method (now removed) gives way to the better-designed approle later in this era. Most of vault/core.go, vault/router.go, and vault/expiration.go exists, in much shorter form, by the end of 2015.
The HA and replication era (Apr 2016 – 2018)
Active/standby HA support is added on top of consul and etcd storage. vault/ha.go (now 36k lines) appears, along with the gRPC-based request forwarding (vault/request_forwarding_service.proto, generated .pb.go). Vault Enterprise launches with disaster-recovery and performance replication, leaving the OSS hooks visible in vault/replication/cluster.go and replication_status.go.
The plugin and identity era (2017 – 2019)
The plugin system arrives, splitting auth methods and secret engines into separate binaries that talk to the core over gRPC. sdk/plugin/ is born and Vault gains a stable plugin SDK. Around the same time the identity store (vault/identity_store.go) is introduced to deduplicate users across auth methods. Entities, aliases, and groups become the canonical identity model — most of the file's 1,526 lines and its 17 sibling files in vault/identity_store_*.go accrete during this period.
The integrated storage era (Jul 2019 –)
Until 2019, HA required an external store like Consul or etcd. With Vault 1.2, integrated Raft storage (physical/raft/, vault/raft.go) lets Vault run as its own consensus cluster, removing the operational dependency on Consul. Snapshots, autopilot, and on-the-fly cluster reconfiguration follow over the next several minor releases. Today, Raft is the default recommendation for new clusters.
The dynamic-secrets-everywhere era (2019 – 2022)
Cloud and database secret engines proliferate: Azure, GCP, AliCloud, Kubernetes, Snowflake, MongoDB Atlas, Couchbase, Redis, Elasticsearch, Terraform Cloud. Most arrive as plugins under vault-plugin-secrets-* repos and are wired into Vault via helper/builtinplugins/registry_full.go. The PKI engine grows ACME, OCSP, and certificate count tracking; Transit grows BYOK and managed-key support.
The OIDC and platform era (2021 – 2024)
Vault becomes a full OIDC provider in addition to a consumer: vault/identity_store_oidc.go (63k lines) and vault/identity_store_oidc_provider.go (93k lines) implement issuer keys, scopes, clients, and discovery. Login MFA moves into vault/login_mfa.go (3,122 lines) and supports TOTP, Duo, Okta, PingID, and WebAuthn. Vault Agent matures into command/agent/ with auto-auth, templating, caching, and lease handling, and a slimmer Vault Proxy (command/proxy.go) is split off in 1.13.
The IBM era (Apr 2025 –)
In late April 2025 IBM acquires HashiCorp. Copyright headers begin to read Copyright IBM Corp. 2016, 2025. The licence stays at BUSL-1.1 (with the OSS-friendly two-year MPL conversion) and the OSS edition continues to ship from this repository, but most files added or touched after 2025 carry the new copyright line.
The 2.0 era (Apr 2026 –)
v2.0.0 is tagged on 2026-04-13 (with v2.0.0-rc1 two weeks earlier). main already carries the 2.0 line; the release/2.0.x branch tracks bugfixes. The previous major series winds down with v1.21.4 released on 2026-03-04.
Longest-standing components
These pieces of code have been in the repository since its first months and still carry the system today:
| File / package | First seen | Notes |
|---|---|---|
vault/core.go |
2015 | The original Core type. Has grown ~10×, but the lineage is unbroken. |
vault/router.go |
2015 | The mount router. The same prefix-tree algorithm has worked for a decade. |
vault/expiration.go |
2015 | The lease/expiration manager. |
vault/barrier_aes_gcm.go |
2015 | The AES-256-GCM barrier. Re-keying and key rotation came later. |
shamir/shamir.go |
2015 | Shamir secret sharing. Code is short and has barely changed. |
builtin/credential/userpass, builtin/credential/cert, builtin/credential/token |
2015 | The original three built-in auth methods. |
Deprecated and removed components
Tracked through the _test.go history and the consts.Removed markers in helper/builtinplugins/registry_full.go:
| Feature | Status | Notes |
|---|---|---|
app-id auth method |
Removed | Replaced by approle very early. |
mssql, mysql, mongodb, postgresql, cassandra secret engines |
Removed | Replaced by the unified database engine. The leaf entries in registry_full.go now point at removedFactory. |
pcf auth method |
Deprecated, alias for cf |
The CloudFoundry rename. |
ad (Active Directory) secret engine |
Deprecated | Replaced by openldap/ldap. |
Standalone mysql, postgresql, mssql etc. plugins |
Replaced | Now part of the database plugin family. |
Major rewrites
- HCL config v1 → v2 (2018): server config parsing migrated from
hashicorp/hclv1 to v2;internalshared/configutil/gained per-block parsers. - Plugin v4 → v5 protocol (2022):
sdk/plugin/plugin_v5.gointroduces a versioned plugin protocol with multiplexing for database plugins. - Audit broker rewrite (2023):
audit/broker.goandaudit/entry_formatter.gowere largely rewritten around theeventloggerlibrary. - OIDC provider (2022–2023): a complete OIDC issuer was added on top of identity store, entirely new code in
vault/identity_store_oidc_provider.go. - Integrated storage (2019):
physical/raft/was added to remove the Consul dependency for HA.
Growth trajectory
Roughly 23,300 commits over 11 years — ~2,100 per year on average, though the last 12 months alone account for 2,186 commits. Bot-driven backports and dep updates inflate the modern numbers (see By the numbers for the breakdown). Contributor volume is high but concentrated in the HashiCorp Vault team plus the IBM successor org.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.