Vault Enterprise 2.0 Closes Security Gaps with Local Account Password Rotation

Most enterprises have spent years securing their identity perimeter. They have centralised authentication through LDAP, Active Directory, and cloud identity providers. Yet one persistent gap remains: local operating system accounts sit on servers outside that central control, unmanaged, and often sharing the same password across thousands of machines.
HashiCorp, now operating under IBM, announced on April 30, 2026 that IBM Vault Enterprise 2.0 introduces a dedicated plugin for local account password rotation. Initially it supports Red Hat Enterprise Linux (RHEL), Ubuntu, and other operating systems. This means organisations can finally bring those forgotten local and break-glass accounts under the same control, rotation, and auditing standards already applied to cloud and database credentials.
The risk behind this announcement is real. In many environments the local root or admin account shares a single well-known password across hundreds or thousands of servers, typically because it was set once in a base image or provisioning script and never changed. If attackers recover that one credential, whether from a compromised host, a leaked image, or a script checked into a repository, they effectively hold a skeleton key to the entire fleet and can move laterally without ever touching the central identity provider. Furthermore, without centralised management there is no audit trail showing who used the account, on which host, or when. Security teams are left with a risk they cannot measure, and that is precisely what threat actors exploit.
The new local account password rotation plugin tackles this directly. It connects to each target host over SSH and executes the password change on the host itself, so the password stored in Vault always matches the one set on the machine. Critically, each system receives its own distinct password. A leak on one server therefore no longer compromises the rest. As with any SSH-driven automation, the credential Vault uses to reach the hosts becomes a high-value secret in its own right and needs the same protection.
Organisations also gain flexibility in how rotation is driven. Passwords can rotate on a schedule or on demand through the Vault API, and teams can control rotations via the Vault CLI or as infrastructure as code using the Terraform provider for Vault. For environments with strict compliance requirements, Vault can designate a separate "parent" account on the same host to perform the change, ensuring that accounts never change their own credentials, a separation some regulatory frameworks require.
Beyond rotation itself, the plugin adds lifecycle management. Every password update is versioned within Vault, which gives a safety net for credential recovery if a rotation leaves a host in an unexpected state. Every request for a local password is logged in Vault's audit device, giving security teams a centralised record for compliance reporting. Administrators can also trigger an immediate, organisation-wide rotation the moment an incident is suspected, invalidating the known local passwords across the fleet in seconds rather than hours.
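As an added illustration (not the Vault plugin or its API, which this page does not reproduce), the following shell script shows the mechanism the preceding three paragraphs describe: a separate parent account connects to each host over SSH, feeds a freshly generated per-host password to chpasswd on standard input so the account never changes its own credential and the secret never appears on a command line, and a fleet-wide loop lets an operator rotate every host on demand. The host names, the rotator account, the sudo rule it relies on, and the inventory file format are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example of SSH-driven local account rotation. This is NOT the Vault
# Enterprise plugin or its API; it mirrors the mechanism the article describes.
# Assumed environment (hypothetical): a "parent" account ROTATOR_USER can run
# "sudo -n chpasswd" on every host, and hosts are listed one per line in an
# inventory file (blank lines and '#' comments ignored).
set -eu

TARGET_USER="${TARGET_USER:-root}"      # local account being rotated
ROTATOR_USER="${ROTATOR_USER:-rotator}" # parent account that performs the change
SSH_CMD="${SSH_CMD:-ssh}"               # overridable so the logic can be dry-run

# Fresh random password: 48 bytes of OS randomness, base64-encoded, with the
# shell- and URL-unfriendly characters dropped, cut to 32 characters. Every
# call yields an independent value, so no two hosts ever share a password.
new_password() {
    local raw
    raw=$(head -c 48 /dev/urandom | base64 | tr -d '/+=\n')
    printf '%s' "$raw" | cut -c1-32
}

# Rotate one host. The "user:password" line goes to chpasswd on stdin, so the
# secret is never in argv (visible in ps) or shell history. BatchMode refuses
# interactive prompts; strict host-key checking stops an impersonated host from
# harvesting the new password. Prints the new password so the caller can store
# it (in the Vault design this would become a new stored version, not output).
rotate_host() {
    local host="$1" pw
    pw=$(new_password)
    printf '%s:%s\n' "$TARGET_USER" "$pw" |
        "$SSH_CMD" -o BatchMode=yes -o StrictHostKeyChecking=yes \
            "${ROTATOR_USER}@${host}" sudo -n chpasswd || return 1
    printf '%s\n' "$pw"
}

# Rotate every host in the inventory (the "incident response" button).
# A host whose rotation fails still holds its OLD password, so the failure is
# reported loudly instead of aborting or silently skipping the rest of the fleet.
rotate_fleet() {
    local inventory="$1" host pw
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        if pw=$(rotate_host "$host"); then
            printf '%s %s\n' "$host" "$pw"
        else
            printf 'rotation FAILED for %s; old password still in place\n' "$host" >&2
        fi
    done < "$inventory"
}

# Usage: rotate.sh inventory.txt  (does nothing when sourced without arguments)
[ $# -eq 0 ] || rotate_fleet "$1"
```

Running `sh rotate.sh inventory.txt` prints one `host password` line per host; a product like Vault would write those values as new versions and never echo them. Note the `|| return 1` on the SSH pipeline: without it a failed rotation would still print a password the host never received, which is exactly the sort of silent divergence between the secret store and the host that rotation is supposed to eliminate.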
The plugin also covers the cases traditional identity providers typically miss. Legacy systems, isolated edge devices, and hosts in DMZ segments often cannot reach LDAP or Active Directory because of network constraints, and emergency accounts must keep working even when the primary identity provider is offline. These are exactly the accounts that tend to become long-ignored vulnerabilities.
Local account password rotation has long been a tedious, manual process, often tracked in spreadsheets or not tracked at all. With this release, IBM Vault Enterprise 2.0 closes a gap that has persisted in enterprise security for years. The result is a meaningfully smaller attack surface, full auditability, and operational control over the true last mile of infrastructure.
Organisations ready to get started can consult the Vault Enterprise 2.0 Linux local account rotation documentation.
