Feature deprecation notices and plans
This announcement page is maintained and updated periodically to communicate plans to deprecate, disable and/or remove features from OpenBao.
We document the scope of each deprecation, give the community a plan and timeline to account for it, and point to alternative paths to explore and evaluate to minimize business disruptions. If you have questions or concerns about a deprecated feature, please create a topic on the community forum.
Please refer to the FAQ page for frequently asked questions concerning OpenBao feature deprecations.
File storage backend
Announced: 04/2026, Deprecated in: v2.6.0, Removal: v2.7.0
The file storage backend is a development-only, non-production backend that
will be removed. Use the bao operator migrate command to move to a supported
storage backend.
JSONX audit log format
Announced: 11/2025, Deprecated in: v2.5.0, Removal: v2.5.0
The format=jsonx audit log option will be removed. Switch to format=json
either by explicitly setting it or by omitting the format parameter entirely.
Undocumented AEAD seal mechanism
Announced: 10/2025, Deprecated in: v2.5.0, Removal: v2.5.0
The aead seal mechanism was never documented and will be removed. If you
depend on it, consider replacing its usage with the static seal
mechanism.
Audit device creation via the API
Announced: 08/2025, Deprecated in: unplanned, Removal: unplanned
API-driven audit device creation via the /sys/audit endpoints will be
disabled by default starting with v2.3.2. If necessary, temporarily
set unsafe_allow_api_audit_creation to re-enable it. Declarative audit
devices are available starting with v2.4.0 and are the preferred
alternative for managing audit devices.
Support for PostgreSQL versions lower than v9.5
Announced: 07/2025, Deprecated in: v2.4.0, Removal: v2.4.0
Upgrade to a supported PostgreSQL version.
Unauthenticated rekey & root rotation endpoints
Announced: 07/2025, Deprecated in: v2.5.0, Removal: unplanned
See Deprecating Unauthenticated Rekey Endpoints for
details and reasoning. As of v2.4.0, the /sys/rotate endpoints are
available as the preferred alternative going forward.
Undocumented PKCS#11 seal option aliases
Announced: 05/2025, Deprecated in: v2.3.1, Removal: v2.7.0
The PKCS#11 Auto Unseal mechanism exposes undocumented aliases for several
configuration options: module, token and key. Use the documented aliases
lib, token_label and key_label instead, respectively.
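A pre-upgrade check for the alias mapping above, as an added example that is not OpenBao's own code: it reports and rewrites the deprecated names inside seal "pkcs11" stanzas only. The sample configuration and its values are constructed, and the regex-based parsing assumes a stanza without nested braces or braces inside quoted values.

```python
import re

# Deprecated alias -> documented option, as listed in the notice above.
PKCS11_ALIASES = {"module": "lib", "token": "token_label", "key": "key_label"}

# A `seal "pkcs11" { ... }` stanza (assumption: no nested or quoted braces).
_STANZA = re.compile(r'(seal\s+"pkcs11"\s*\{)([^{}]*)(\})')
# `name =` at the start of a line; commented-out lines do not match.
_ASSIGN = re.compile(r'^([ \t]*)([A-Za-z_][A-Za-z0-9_]*)(\s*=)', re.M)

# Constructed sample configuration; paths and labels are made up.
SAMPLE_CONFIG = '''
storage "raft" {
  path = "/var/lib/openbao"
}

seal "pkcs11" {
  module = "/usr/lib/softhsm/libsofthsm2.so"
  token = "bao-token"
  # key = "old-key"   (commented out, ignored)
  key = "bao-key"
}
'''


def find_deprecated(config_text):
    """Return (alias, replacement) pairs used in pkcs11 seal stanzas."""
    hits = []
    for stanza in _STANZA.finditer(config_text):
        for m in _ASSIGN.finditer(stanza.group(2)):
            if m.group(2) in PKCS11_ALIASES:
                hits.append((m.group(2), PKCS11_ALIASES[m.group(2)]))
    return hits


def migrate(config_text):
    """Rename deprecated aliases; text outside pkcs11 stanzas is untouched."""
    def rename(m):
        return m.group(1) + PKCS11_ALIASES.get(m.group(2), m.group(2)) + m.group(3)

    def fix_stanza(stanza):
        return stanza.group(1) + _ASSIGN.sub(rename, stanza.group(2)) + stanza.group(3)

    return _STANZA.sub(fix_stanza, config_text)


if __name__ == "__main__":
    for old, new in find_deprecated(SAMPLE_CONFIG):
        print(f"deprecated pkcs11 seal option {old!r}: use {new!r}")
```

Run find_deprecated against the rendered configuration before the upgrade and review the output of migrate as a diff rather than writing it back unattended.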
Unauthenticated generate root endpoints
Announced: 04/2026, Deprecated in: v2.5.3, Removal: unplanned
See Deprecating Unauthenticated Generate Root Endpoints for details and reasoning.