Chocolatey Community Coffee Break

Join the Chocolatey Team on our regular monthly stream where we discuss all things Community, what we do, how you can get involved and answer your Chocolatey questions.

Learn More

Chocolatey Product Spotlight

Join the Chocolatey Team on our regular monthly stream where we put a spotlight on the most recent Chocolatey product releases. You'll have a chance to have your questions answered in a live Ask Me Anything format.

Learn More

Announcing Chocolatey Central Management 0.10.0

Livestream from
Thursday, 06 October 2022

We recently released our largest update to Chocolatey Central Management so far. Join Gary and Steph to find out more about Chocolatey Central Management and the new features and fixes we've added to this release.

Watch On-Demand
Chocolatey and Intune Overview

Webinar Replay from
Wednesday, 30 March 2022

At Chocolatey Software we strive for simple, and teaching others. Let us teach you just how simple it could be to keep your 3rd party applications updated across your devices, all with Intune!

Watch On-Demand
Chocolatey For Business. In Azure. In One Click.

Livestream from
Thursday, 9 June 2022

Join James and Josh to show you how you can get the Chocolatey For Business recommended infrastructure and workflow, created, in Azure, in around 20 minutes.

Watch On-Demand
The Future of Chocolatey CLI

Livestream from
Thursday, 04 August 2022

Join Paul and Gary to hear more about the plans for the Chocolatey CLI in the not so distant future. We'll talk about some cool new features, long term asks from Customers and Community and how you can get involved!

Watch On-Demand
Hacktoberfest Tuesdays 2022

Livestreams from
October 2022

For Hacktoberfest, Chocolatey ran a livestream every Tuesday! Re-watch Cory, James, Gary, and Rain as they share knowledge on how to contribute to open-source projects such as Chocolatey CLI.

Watch On-Demand
Chocolatey Product Spotlight: Chocolatey 1.2.0 and Chocolatey Licensed Extension 5.0.0

Livestream from
Thursday, 03 November 2022

Join Paul and Gary for this months Chocolatey product livestream where we look at the latest release of Chocolatey 1.2.0, Chocolatey Licensed Extension 5.0.0 and shine a spotlight on the new hook scripts functionality. This opens up so many possibilities for Chocolatey CLI users!

Watch On-Demand
Chocolatey Coding Livestream

Livestream from
Tuesday, 29 November 2022

Join Josh as he adds the ability to manage Chocolatey GUI config and features with the Chocolatey Ansible Collection.

Watch On-Demand
Introduction into Chocolatey with Veeam

Webinar from
Tuesday, 13 December 2022

Join Gary, Paul, and Maurice as they introduce and demonstrate how to use Chocolatey! Questions will be answered live in an Ask Me Anything format.

Watch On-Demand



Downloads of v 0.6.1:


Last Update:

30 Aug 2016

Package Maintainer(s):

Software Author(s):

  • Mitchell Hashimoto
  • HashiCorp




This is not the latest version of Vault available.

  • 1
  • 2
  • 3

0.6.1 | Updated: 30 Aug 2016



Downloads of v 0.6.1:



Software Author(s):

  • Mitchell Hashimoto
  • HashiCorp



Vault 0.6.1

This is not the latest version of Vault available.

  • 1
  • 2
  • 3

Some Checks Have Failed or Are Not Yet Complete

Not All Tests Have Passed

Validation Testing Passed

Verification Testing Passed


Scan Testing Resulted in Flagged:

This package was submitted (and approved) prior to automated virus scanning integration into the package moderation processs.

We recommend clicking the "Details" link to make your own decision on installing this package.

Learn More

Deployment Method: Individual Install, Upgrade, & Uninstall

To install Vault, run the following command from the command line or from PowerShell:


To upgrade Vault, run the following command from the command line or from PowerShell:


To uninstall Vault, run the following command from the command line or from PowerShell:


Deployment Method:


This applies to both open source and commercial editions of Chocolatey.

1. Enter Your Internal Repository Url

(this should look similar to

2. Setup Your Environment

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

2. Get the package into your environment

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Copy Your Script

choco upgrade vault -y --source="'INTERNAL REPO URL'" --version="'0.6.1'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:

choco upgrade vault -y --source="'INTERNAL REPO URL'" --version="'0.6.1'" 

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0

Exit $exitCode

- name: Install vault
    name: vault
    version: '0.6.1'
    state: present

See docs at

chocolatey_package 'vault' do
  action    :install
  source   'INTERNAL REPO URL'
  version  '0.6.1'

See docs at

cChocoPackageInstaller vault
    Name     = "vault"
    Version  = "0.6.1"
    Source   = "INTERNAL REPO URL"

Requires cChoco DSC Resource. See docs at

package { 'vault':
  ensure   => '0.6.1',
  provider => 'chocolatey',
  source   => 'INTERNAL REPO URL',

Requires Puppet Chocolatey Provider module. See docs at

4. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.


Private CDN cached downloads available for licensed customers. Never experience 404 breakages again! Learn more...

Package Approved

This package was approved by moderator ferventcoder on 01 Sep 2016.


Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

The key features of Vault are:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.
  • Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

For more information, see the introduction section of the Vault website.

$checksum = '8faf63bff47a6a8ba0287b2ff1b462baf0ec9319b450c2e6b5b5f8950a9e2e1c'
$checksum64 = '53df96e47f67096f408b5f003641671a01170c88c85058771ef46f880b61b5dc'
$url = ''
$url64bit = ''
$unzipLocation = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"

Install-ChocolateyZipPackage -PackageName "vault" -Url "$url" -UnzipLocation "$unzipLocation" -Url64 "$url64bit" -ChecksumType 'sha256' -Checksum "$checksum" -Checksum64 "$checksum64"

Log in or click on link to see number of positives.

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Add to Builder Version Downloads Last Updated Status
Vault 1.14.3 1969 Thursday, September 14, 2023 Approved
Vault 1.14.2 1954 Wednesday, August 30, 2023 Approved
Vault 1.14.1 4124 Wednesday, July 26, 2023 Approved
Vault 1.14.0 4660 Wednesday, June 21, 2023 Approved
Vault 1.13.3 1564 Friday, June 9, 2023 Approved
Vault 1.13.2 7462 Thursday, April 27, 2023 Approved
Vault 1.13.1 4218 Thursday, March 30, 2023 Approved
Vault 1.13.0 1512 Tuesday, March 7, 2023 Approved
Vault 1.12.3 2109 Thursday, February 23, 2023 Approved
Vault 1.12.2 5871 Saturday, December 17, 2022 Approved
Vault 1.11.1 18715 Wednesday, July 27, 2022 Approved
Vault 1.11.0 2526 Tuesday, June 21, 2022 Approved
Vault 1.10.4 467 Friday, June 17, 2022 Approved
Vault 1.10.3 3144 Friday, May 13, 2022 Approved
Vault 1.10.2 45 Friday, May 13, 2022 Approved
Vault 1.10.1 1511 Monday, April 25, 2022 Approved
Vault 1.10.0 2288 Friday, March 25, 2022 Approved
Vault 1.9.4 1347 Wednesday, March 9, 2022 Approved
Vault 1.9.3 2293 Monday, January 31, 2022 Approved
Vault 1.9.2 1932 Wednesday, December 22, 2021 Approved
Vault 1.9.1 1080 Tuesday, December 14, 2021 Approved
Vault 1.9.0 1575 Tuesday, November 23, 2021 Approved
Vault 1.8.5 74 Tuesday, November 23, 2021 Approved
Vault 1.8.4 3065 Friday, October 8, 2021 Approved
Vault 1.8.3 668 Friday, October 1, 2021 Approved
Vault 1.8.2 612 Thursday, September 30, 2021 Approved
Vault 1.8.1 142 Thursday, September 30, 2021 Approved
Vault 1.8.0 3303 Thursday, July 29, 2021 Approved
Vault 1.7.3 2483 Thursday, June 17, 2021 Approved
Vault 1.7.2 1937 Friday, May 21, 2021 Approved
Vault 1.7.1 1530 Monday, April 26, 2021 Approved
Vault 1.7.0 1559 Tuesday, April 6, 2021 Approved
Vault 1.6.3 440 Thursday, March 25, 2021 Approved
Vault 1.6.2 3991 Monday, February 1, 2021 Approved
Vault 1.6.1 706 Thursday, January 21, 2021 Approved
Vault 1.5.5 5308 Friday, October 23, 2020 Approved
Vault 1.5.4 21842 Thursday, October 22, 2020 Approved
Vault 1.5.3 576 Thursday, October 22, 2020 Approved
Vault 1.5.2 2301 Wednesday, August 26, 2020 Approved
Vault 1.5.0 1646 Wednesday, July 22, 2020 Approved
Vault 1.4.3 875 Friday, July 3, 2020 Approved
Vault 1.4.1 1729 Monday, May 4, 2020 Approved
Vault 1.4.0 1371 Thursday, April 9, 2020 Approved
Vault 1.3.4 208 Wednesday, April 8, 2020 Approved
Vault 1.3.3 901 Monday, March 9, 2020 Approved
Vault 1.3.2 1469 Friday, January 24, 2020 Approved
Vault 1.3.1 1617 Friday, December 20, 2019 Approved
Vault 1.3.0 484 Wednesday, December 11, 2019 Approved
Vault 1.2.4 1014 Tuesday, November 12, 2019 Approved
Vault 1.2.3 3401 Monday, September 16, 2019 Approved
Vault 1.2.2 2344 Friday, August 16, 2019 Approved
Vault 1.2.1 155 Thursday, August 8, 2019 Approved
Vault 1.2.0 935 Wednesday, July 31, 2019 Approved
Vault 1.1.1 5052 Tuesday, April 16, 2019 Approved
Vault 1.1.0 1007 Tuesday, March 19, 2019 Approved
Vault 1.0.3 681 Friday, March 1, 2019 Approved
Vault 0.10.0 3096 Monday, April 16, 2018 Approved
Vault 0.10.0-rc1 289 Saturday, April 7, 2018 Approved
Vault 0.9.6 462 Saturday, April 7, 2018 Approved
Vault 0.9.5 261 Saturday, April 7, 2018 Approved
Vault 0.9.4 334 Saturday, April 7, 2018 Approved
Vault 0.9.3 281 Saturday, April 7, 2018 Approved
Vault 0.9.2 278 Saturday, April 7, 2018 Approved
Vault 0.9.1 987 Saturday, January 13, 2018 Approved
Vault 0.9.0 343 Saturday, January 13, 2018 Approved
Vault 0.8.3 931 Wednesday, September 20, 2017 Approved
Vault 0.8.2 353 Wednesday, September 20, 2017 Approved
Vault 0.8.1 430 Thursday, August 24, 2017 Approved
Vault 0.8.0 417 Thursday, August 24, 2017 Approved
Vault 0.7.3 554 Thursday, June 8, 2017 Approved
Vault 0.7.2 403 Wednesday, June 7, 2017 Approved
Vault 0.7.1 370 Wednesday, June 7, 2017 Approved
Vault 0.7.0 391 Wednesday, June 7, 2017 Approved
Vault 0.6.5 897 Wednesday, February 8, 2017 Approved
Vault 0.6.4 511 Thursday, December 22, 2016 Approved
Vault 0.6.3 391 Wednesday, December 14, 2016 Approved
Vault 0.6.2 468 Tuesday, October 25, 2016 Approved
Vault 0.6.1 461 Tuesday, August 30, 2016 Approved

0.6.1 (August 22, 2016)


  • Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to
    connect to the HA cluster. We recommend following our general upgrade
    addition to 0.6.1-specific upgrade instructions to ensure that this is not
    an issue.
  • Status codes for sealed/uninitialized Vaults have changed to 503/501
    respectively. See the version-specific upgrade
    more details.
  • Root tokens (tokens with the root policy) can no longer be created except
    by another root token or the generate-root endpoint.
  • Issued certificates from the pki backend against new roles created or
    modified after upgrading will contain a set of default key usages.
  • The dynamodb physical data store no longer supports HA by default. It has
    some non-ideal behavior around failover that was causing confusion. See the
    for information on enabling HA mode. It is very important that this
    configuration is added before upgrading.
  • The ldap backend no longer searches for memberOf groups as part of its
    normal flow. Instead, the desired group filter must be specified. This fixes
    some errors and increases speed for directories with different structures,
    but if this behavior has been relied upon, ensure that you see the upgrade
    notes before upgrading.
  • app-id is now deprecated with the addition of the new AppRole backend.
    There are no plans to remove it, but we encourage using AppRole whenever
    possible, as it offers enhanced functionality and can accommodate many more
    types of authentication paradigms.


  • AppRole Authentication Backend: The approle backend is a
    machine-oriented authentication backend that provides a similar concept to
    App-ID while adding many missing features, including a pull model that
    allows for the backend to generate authentication credentials rather than
    requiring operators or other systems to push credentials in. It should be
    useful in many more situations than App-ID. The inclusion of this backend
    deprecates App-ID. [GH-1426]
  • Request Forwarding: Vault servers can now forward requests to each other
    rather than redirecting clients. This feature is off by default in 0.6.1 but
    will be on by default in the next release. See the HA concepts
    for information on
    enabling and configuring it. [GH-443]
  • Convergent Encryption in Transit: The transit backend now supports a
    convergent encryption mode where the same plaintext will produce the same
    ciphertext. Although very useful in some situations, this has potential
    security implications, which are mostly mitigated by requiring the use of
    key derivation when convergent encryption is enabled. See the transit

    for more details. [GH-1537]
  • Improved LDAP Group Filters: The ldap auth backend now uses templates
    to define group filters, providing the capability to support some
    directories that could not easily be supported before (especially specific
    Active Directory setups with nested groups). [GH-1388]
  • Key Usage Control in PKI: Issued certificates from roles created or
    modified after upgrading contain a set of default key usages for increased
    compatibility with OpenVPN and some other software. This set can be changed
    when writing a role definition. Existing roles are unaffected. [GH-1552]
  • Request Retrying in the CLI and Go API: Requests that fail with a 5xx
    error code will now retry after a backoff. The maximum total number of
    retries (including disabling this functionality) can be set with an
    environment variable. See the environment variable

    for more details. [GH-1594]
  • Service Discovery in vault init: The new -auto option on vault init
    will perform service discovery using Consul. When only one node is discovered,
    it will be initialized and when more than one node is discovered, they will
    be output for easy selection. See vault init --help for more details. [GH-1642]
  • MongoDB Secret Backend: Generate dynamic unique MongoDB database
    credentials based on configured roles. Sponsored by
    CommerceHub. [GH-1414]
  • Circonus Metrics Integration: Vault can now send metrics to
    Circonus. See the configuration
    details. [GH-1646]


  • audit: Added a unique identifier to each request which will also be found in
    the request portion of the response. [GH-1650]
  • auth/aws-ec2: Added a new constraint bound_account_id to the role
  • auth/aws-ec2: Added a new constraint bound_iam_role_arn to the role
  • auth/aws-ec2: Added ttl field for the role [GH-1703]
  • auth/ldap, secret/cassandra, physical/consul: Clients with tls.Config
    have the minimum TLS version set to 1.2 by default. This is configurable.
  • auth/token: Added endpoint to list accessors [GH-1676]
  • auth/token: Added disallowed_policies option to token store roles [GH-1681]
  • auth/token: root or sudo tokens can now create periodic tokens via
    auth/token/create; additionally, the same token can now be periodic and
    have an explicit max TTL [GH-1725]
  • build: Add support for building on Solaris/Illumos [GH-1726]
  • cli: Output formatting in the presence of warnings in the response object
  • cli: vault auth command supports a -path option to take in the path at
    which the auth backend is enabled, thereby allowing authenticating against
    different paths using the command options [GH-1532]
  • cli: vault auth -methods will now display the config settings of the mount
  • cli: vault read/write/unwrap -field now allows selecting token response
    fields [GH-1567]
  • cli: vault write -field now allows selecting wrapped response fields
  • command/status: Version information and cluster details added to the output
    of vault status command [GH-1671]
  • core: Response wrapping is now enabled for login endpoints [GH-1588]
  • core: The duration of leadership is now exported via events through
    telemetry [GH-1625]
  • core: sys/capabilities-self is now accessible as part of the default
    policy [GH-1695]
  • core: sys/renew is now accessible as part of the default policy [GH-1701]
  • core: Unseal keys will now be returned in both hex and base64 forms, and
    either can be used [GH-1734]
  • core: Responses from most /sys endpoints now return normal api.Secret
    structs in addition to the values they carried before. This means that
    response wrapping can now be used with most authenticated /sys operations
  • physical/etcd: Support ETCD_ADDR env var for specifying addresses [GH-1576]
  • physical/consul: Allowing additional tags to be added to Consul service
    registration via service_tags option [GH-1643]
  • secret/aws: Listing of roles is supported now [GH-1546]
  • secret/cassandra: Add connect_timeout value for Cassandra connection
    configuration [GH-1581]
  • secret/mssql,mysql,postgresql: Reading of connection settings is supported
    in all the sql backends [GH-1515]
  • secret/mysql: Added optional maximum idle connections value to MySQL
    connection configuration [GH-1635]
  • secret/mysql: Use a combination of the role name and token display name in
    generated user names and allow the length to be controlled [GH-1604]
  • secret/{cassandra,mssql,mysql,postgresql}: SQL statements can now be passed
    in via one of four ways: a semicolon-delimited string, a base64-delimited
    string, a serialized JSON string array, or a base64-encoded serialized JSON
    string array [GH-1686]
  • secret/ssh: Added allowed_roles to vault-ssh-helper's config and returning
    role name as part of response of verify API
  • secret/ssh: Added passthrough of command line arguments to ssh [GH-1680]
  • sys/health: Added version information to the response of health status
    endpoint [GH-1647]
  • sys/health: Cluster information isbe returned as part of health status when
    Vault is unsealed [GH-1671]
  • sys/mounts: MountTable data is compressed before serializing to accommodate
    thousands of mounts [GH-1693]
  • website: The token
    page has
    been completely rewritten [GH-1725]


  • auth/aws-ec2: Added a nil check for stored whitelist identity object
    during renewal [GH-1542]
  • auth/cert: Fix panic if no client certificate is supplied [GH-1637]
  • auth/token: Don't report that a non-expiring root token is renewable, as
    attempting to renew it results in an error [GH-1692]
  • cli: Don't retry a command when a redirection is received [GH-1724]
  • core: Fix regression causing status codes to be 400 in most non-5xx error
    cases [GH-1553]
  • core: Fix panic that could occur during a leadership transition [GH-1627]
  • physical/postgres: Remove use of prepared statements as this causes
    connection multiplexing software to break [GH-1548]
  • physical/consul: Multiple Vault nodes on the same machine leading to check ID
    collisions were resulting in incorrect health check responses [GH-1628]
  • physical/consul: Fix deregistration of health checks on exit [GH-1678]
  • secret/postgresql: Check for existence of role before attempting deletion
  • secret/postgresql: Handle revoking roles that have privileges on sequences
  • secret/postgresql(,mysql,mssql): Fix incorrect use of database over
    transaction object which could lead to connection exhaustion [GH-1572]
  • secret/pki: Fix parsing CA bundle containing trailing whitespace [GH-1634]
  • secret/pki: Fix adding email addresses as SANs [GH-1688]
  • secret/pki: Ensure that CRL values are always UTC, per RFC [GH-1727]
  • sys/seal-status: Fixed nil Cluster object while checking seal status [GH-1715]

Previous Releases

For more information on previous releases, check out the changelog on GitHub.

This package has no dependencies.

Discussion for the Vault Package

Ground Rules:

  • This discussion is only about Vault and the Vault package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or Vault, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus