Skip to content

VaultPilot 2.0.0

Latest

Choose a tag to compare

@vaultekbilisim vaultekbilisim released this 30 Jun 22:13

VaultPilot 2.0.0

VaultPilot 2.0.0 is the current public release for the self-hosted Windows Server vault. It moves the public product identity from PassMan to VaultPilot while preserving the compatibility aliases that existing installations may still rely on.

Release date: 2026-06-30

What changed

  • VaultPilot is now the public product and release name across the console, docs, release assets, update manifest and operator-facing language.
  • PassMan remains a legacy compatibility alias for older service names, data paths, environment variables, cookies, headers, extension protocol strings, update aliases and rollback decisions.
  • The Overview screen now works as an operator cockpit for security posture, recommendations, breach status, server readiness, operational state, record distribution, update signals, access trend, maintenance and recent activity.
  • Server System groups log rotation, retention, diagnostics, public host, port, HTTPS certificate state, restart guidance and non-destructive maintenance boundaries in one place.
  • License screens explain plan, capacity, trial/licensed state, write state, expiry/renewal risk and module availability in operator language.
  • Extension, offline share decrypter and DC Agent packages use VaultPilot naming while preserving compatibility behavior where older deployments need it.

Compatibility

New installs should use VaultPilotServer, VaultPilot Server, C:\ProgramData\VaultPilot, VAULTPILOT_*, vaultpilot-update.json and VaultPilot package names.

Existing installs may still rely on PassManServer, PassMan Server, C:\ProgramData\PassMan, PASSMAN_*, passman_session, x-passman-request, passman-update.json and legacy package names. Those names remain available for migration, rollback and old-client compatibility.

Security and trust

  • Zero-knowledge boundaries are unchanged. Vault keys, master-derived keys, plaintext secrets, API keys, private keys and master passwords are not persisted or logged.
  • Server API payload validation, RBAC checks, CSRF header expectations, extension pairing and signed update manifest verification remain active.
  • Browser extension decrypted vault snapshots stay in runtime memory only. Background-worker restart or suspension locks the extension again.
  • Diagnostics remain redacted and non-destructive. The console does not clear logs, caches, browser history, databases, update jobs or customer data.

Published assets

Verify asset names, file sizes and SHA-256 values before internal redistribution.

Asset Size SHA-256
VaultPilot-2.0.0-x64.msi 66,118,490 c3c3189572fc5936f30e0f14e5d12b2ed4702e3db0efd32a1c8d2eba65b67842
vaultpilot-update.json 1,430 a6610b266c4a3bee2d689615e5f1b2bccf15067af3d8c0094832b10d67fb9351
vaultpilot-browser-vault-extension.zip 181,103 7f95df52d796c8bb73196569dc77cfc220aadd7e971ca323825d505e947c02aa
vaultpilot-extension-update.json 257 de3b30a3cdc2a58188d6421f96d8e164ead5406ebbee614e1569ac20eec69f55
vaultpilot-share-decrypter.zip 102,632 b6cd0cdc8cd2bd670348fca2587f7ad6d54604d2fa3c9d159e6a35c15301ed8a
vaultpilot-share-decrypter.json 219 7dca1ad23057223a221eaa0058b6ae8a5dfa4d12cbbcdf73b4249545cd34211b
vaultpilot-dc-agent.ps1 98,891 de8c4df43ff69b9a277e2cfaf4cb14f553512cf13b318eec45b725db1113e0fc
vaultpilot-dc-agent.json 212 9082376283457eeddbffd3aee8d4e6ed1b46674d498d027467a9eff6308f7f4e

Operator checklist

  1. Take a server backup before production update.
  2. Download the MSI and manifest from this GitHub Release.
  3. Confirm the manifest, SHA-256 values, MSI signer evidence and asset list.
  4. Run the MSI as Administrator on the Windows server.
  5. After upgrade, verify the Windows service, data directory, Update Center state, extension pairing, active sessions, audit retention, license state and Server System diagnostics.
  6. If rollback is required, use a previously verified signed release package and the retained PassMan compatibility aliases. Do not manually edit ProgramData folders as a rollback method.

Documentation