Advanced Data Protection (ADP) now available in HCP Vault

HCP Vault Plus clusters add support for all three ADP secrets engines, including KMIP, Key Management, and Transform.

We are pleased to announce that the KMIP, Key Management, and Transform secrets engines — part of the Advanced Data Protection (ADP) package — are now available in the HCP Vault Plus tier at no additional cost. Customers can now support encryption, tokenization, and data transformations within fully managed HashiCorp Cloud Platform (HCP) clusters. This Vault Enterprise feature set joins existing HCP Vault Plus capabilities, including multi-region performance replication, path filters, Sentinel policies, and control groups.

Bringing HCP Vault into parity with Vault Enterprise is a key goal this year as we continue to offer even more advanced secrets management capabilities and refine our platform operations. Now, with the addition of the ADP secrets engines, existing and new HCP Vault Plus clusters offer data masking, format-preserving encryption, tokenization, cloud key management, and native KMIP support.

KMIP secrets engine

The KMIP secrets engine allows Vault to act as a KMIP server for clients to receive cryptographic keys and encrypt data using the Key Management Interoperability Protocol (KMIP). It will initially be open only on the default port (5696) with clients able to connect to the server via TLS certificates. Customers can create scopes and roles tied to any KMIP operations we have available today, including the two pseudo-operations.

The KMIP secrets engine will initially be available only for new and existing Amazon Web Services (AWS) clusters, with support for Microsoft Azure coming in the future.

For more information, see the KMIP secrets engine documentation in Vault.

Key Management secrets engine (KMSE)

Historically, HCP Vault had no way to store cross-cloud cryptographic keys while also taking advantage of the native capabilities coupled with each cloud provider. With the KMSE, customers can store cryptographic keys from AWS KMS, Azure Key Vault, and Google Cloud KMS, regardless of the cloud provider the HCP cluster is hosted in.

New and existing HCP Vault Plus clusters across both cloud providers (AWS and Azure) can take advantage of the KMSE and should expect the same experience available on Vault Enterprise today.

For more information on the KMSE, refer to the Vault Enterprise documentation.

Transform secrets engine

While all HCP Vault clusters natively support the Transit secrets engine, customers had no way of supporting non-decipherable, format-preserving, or stateful encryption capabilities. Now, with Transform secrets engine support, customers can encrypt secret data using all three currently supported transformation modes:

  • Data masking: Irreversible transformations with the format preserved, replacing all of the original characters with user-specified ones
  • Format-preserving encryption: Transforms secret data via FF3-1 to encode input values while maintaining their data format and length
  • Tokenization: On input, provides users with a randomly generated unrelated token, replacing the data rather than encrypting it

This initial release does not support external stores for tokenization. The Transform secrets engine will be available in AWS and Azure Plus clusters. More information on the Transform secrets engine can be found in the tutorial and documentation. For more guidance on which transformation may be right for you, please refer to our blog post on How to choose a data protection method.
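The difference between data masking and tokenization in the list above, as an added Python sketch that is not HashiCorp's code and not how Vault implements either mode. The `mask` and `Tokenizer` names and the card numbers are constructed for illustration, and format-preserving encryption (FF3-1) is left out.

```python
import secrets


def mask(value: str, mask_char: str = "#") -> str:
    """Data masking: replace every letter and digit, keep separators."""
    return "".join(mask_char if c.isalnum() else c for c in value)


class Tokenizer:
    """Tokenization: hand back a random token and remember the mapping."""

    def __init__(self) -> None:
        self._store = {}  # token -> original value (the stateful part)

    def encode(self, value: str) -> str:
        token = secrets.token_urlsafe(16)  # unrelated to the input
        self._store[token] = value
        return token

    def decode(self, token: str) -> str:
        return self._store[token]  # KeyError when the mapping is absent


def demo() -> dict:
    card_a = "4111-1111-1111-1111"  # constructed sample values
    card_b = "5500-0000-0000-0004"
    out = {"masked_a": mask(card_a)}
    # Different inputs mask to the same output, so masking cannot be undone.
    out["masking_collides"] = mask(card_a) == mask(card_b)

    tok = Tokenizer()
    t1, t2 = tok.encode(card_a), tok.encode(card_a)
    out["tokens_differ"] = t1 != t2       # random in this sketch, not derived
    out["decoded"] = tok.decode(t1)       # reversible only through the store

    # A tokenizer without the mapping learns nothing from the token.
    try:
        Tokenizer().decode(t1)
        out["decodable_without_store"] = True
    except KeyError:
        out["decodable_without_store"] = False
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The last check shows why tokenization is the stateful mode: the token carries no information about the input, so recovering the value depends entirely on the stored mapping.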

Get started today

As of today, all existing and new HCP Vault Plus clusters can take advantage of the Advanced Data Protection feature set at no additional cost. To get started, we recommend creating a HashiCorp Cloud Platform account and trying HCP Vault for yourself. All newly created accounts receive $50 in HCP credits, which can be used for the Plus tier in either AWS or Azure. For more information, please visit the HCP product page or sign up through the HCP portal.
