HCP Vault Plus clusters add support for all three ADP secrets engines, including KMIP, Key Management, and Transform.
We are pleased to announce that the KMIP, Key Management, and Transform secrets engines, which make up the Advanced Data Protection (ADP) package, are now available in the HCP Vault Plus tier at no additional cost. Customers can now support encryption, tokenization, and data transformations within fully managed HashiCorp Cloud Platform (HCP) clusters. This Vault Enterprise feature set joins existing HCP Vault Plus capabilities, including multi-region performance replication, path filters, Sentinel policies, and control groups.
Bringing HCP Vault into parity with Vault Enterprise is a key goal this year as we continue to offer even more advanced secrets management capabilities and refine our platform operations. Now, with the addition of the ADP secrets engines, existing and new HCP Vault Plus clusters offer data masking, format-preserving encryption, tokenization, cloud key management, and native KMIP support.
The KMIP secrets engine allows Vault to act as a KMIP server, so that clients can obtain cryptographic keys and perform cryptographic operations using the Key Management Interoperability Protocol (KMIP). It will initially listen only on the default KMIP port (5696), and clients authenticate with TLS client certificates issued by the engine. Customers can create scopes and roles tied to any of the KMIP operations Vault supports today, including the two pseudo-operations (operation_all and operation_none).
The KMIP secrets engine will initially be available only for new and existing Amazon Web Services (AWS) clusters, with support for Microsoft Azure coming in the future.
For more information, see the KMIP secrets engine documentation in Vault.
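As an added example (not HashiCorp's code and not part of the original post), the following Python client shows what the port 5696, TLS-client-certificate connection described above looks like from the KMIP side: it encodes a KMIP 1.2 Query request as TTLV, can send it over mutual TLS, and parses the reply to learn which operations the server offers. The host name and certificate paths are placeholders; in practice the client certificate and key come from generating credentials for a KMIP role in Vault, and the CA from the engine's ca endpoint. The response it parses offline is constructed here, not captured from a real server.

```python
"""Minimal KMIP client for a TLS-client-certificate server on port 5696.

Added example, not HashiCorp's or the page's code. Encodes a KMIP 1.2 Query
request as TTLV, can send it over mutual TLS, and parses the reply.
Host name and certificate paths in main() are placeholders (assumptions).
"""
import socket
import ssl
import struct

# TTLV item types (KMIP 1.x specification, section 9.1.1.2)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# The subset of KMIP tags this example needs (KMIP 1.x, section 9.1.3.1)
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "QueryFunction": 0x420074,
    "ResponseMessage": 0x42007B, "ResponseHeader": 0x42007A,
    "ResponsePayload": 0x42007C, "ResultStatus": 0x42007F,
}
OP_QUERY = 0x18                                # Operation enumeration: Query
QUERY_OPERATIONS, QUERY_OBJECTS = 0x01, 0x02   # Query Function enumeration
RESULT_SUCCESS = 0                             # Result Status enumeration

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8."""
    return (tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(value))
            + value + b"\x00" * ((-len(value)) % 8))

def integer(tag, n):
    return ttlv(tag, INTEGER, struct.pack(">i", n))

def enum(tag, n):
    return ttlv(tag, ENUMERATION, struct.pack(">I", n))

def structure(tag, *items):
    return ttlv(tag, STRUCTURE, b"".join(items))

def query_request(functions=(QUERY_OPERATIONS, QUERY_OBJECTS)):
    """A KMIP 1.2 Query request asking which operations/objects the server supports."""
    return structure(TAG["RequestMessage"],
        structure(TAG["RequestHeader"],
            structure(TAG["ProtocolVersion"],
                integer(TAG["ProtocolVersionMajor"], 1),
                integer(TAG["ProtocolVersionMinor"], 2)),
            integer(TAG["BatchCount"], 1)),
        structure(TAG["BatchItem"],
            enum(TAG["Operation"], OP_QUERY),
            structure(TAG["RequestPayload"],
                *[enum(TAG["QueryFunction"], f) for f in functions])))

def decode(buf, start=0, end=None):
    """Parse TTLV bytes into a list of (tag, type, value); structures nest as lists."""
    end = len(buf) if end is None else end
    items, pos = [], start
    while pos < end:
        if pos + 8 > end:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        if pos + 8 + length > end:
            raise ValueError("TTLV length exceeds message")  # never trust the length field
        raw = buf[pos + 8:pos + 8 + length]
        if typ == STRUCTURE:
            value = decode(buf, pos + 8, pos + 8 + length)
        elif typ == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif typ == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw
        items.append((tag, typ, value))
        pos += 8 + length + (-length) % 8      # skip value plus its 8-byte padding
    return items

def find(items, tag):
    """Depth-first search for the first item with this tag; returns its value or None."""
    for t, _, v in items:
        if t == tag:
            return v
        if isinstance(v, list):
            hit = find(v, tag)
            if hit is not None:
                return hit
    return None

def parse_query_response(buf):
    """Return (result status, [Operation enums the server supports]) from a Query reply."""
    item = find(decode(buf), TAG["BatchItem"]) or []
    status = find(item, TAG["ResultStatus"])
    payload = find(item, TAG["ResponsePayload"]) or []
    return status, [v for t, _, v in payload if t == TAG["Operation"]]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def send_kmip(host, request, ca_file, cert_file, key_file, port=5696):
    """Mutual TLS exchange: verify the server against ca_file, present the client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(request)
        header = recv_exact(tls, 8)            # outer tag/type/length of the reply
        return header + recv_exact(tls, struct.unpack(">I", header[4:])[0])

def sample_response():
    """Constructed Query response (not captured from a real server) for offline parsing."""
    return structure(TAG["ResponseMessage"],
        structure(TAG["ResponseHeader"], integer(TAG["BatchCount"], 1)),
        structure(TAG["BatchItem"],
            enum(TAG["Operation"], OP_QUERY),
            enum(TAG["ResultStatus"], RESULT_SUCCESS),
            structure(TAG["ResponsePayload"],
                enum(TAG["Operation"], 0x01),  # Create
                enum(TAG["Operation"], OP_QUERY))))

if __name__ == "__main__":
    print(parse_query_response(sample_response()))   # (0, [1, 24])
    # Live use (placeholder host and file names):
    # reply = send_kmip("kmip.example.internal", query_request(),
    #                   "ca.pem", "client-cert.pem", "client-key.pem")
    # print(parse_query_response(reply))
```

The decoder refuses any item whose length field runs past the enclosing message, which is the check that matters when parsing length-prefixed binary from the network. The `ssl.create_default_context` call keeps hostname and chain verification on, so the client both proves its identity with the certificate and refuses to talk to an impostor server.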
Historically, HCP Vault had no way to manage cryptographic keys across clouds while still taking advantage of the native capabilities of each provider's key management service. With the Key Management secrets engine (KMSE), customers can create keys in Vault and distribute them to AWS KMS, Azure Key Vault, and Google Cloud KMS, regardless of the cloud provider the HCP cluster is hosted in.
New and existing HCP Vault Plus clusters across both cloud providers (AWS and Azure) can take advantage of the KMSE and should expect the same experience available on Vault Enterprise today.
For more information on the KMSE, refer to the Vault Enterprise documentation.
While all HCP Vault clusters natively support the Transit secrets engine, customers had no way to mask data irreversibly, encrypt it while preserving its format, or tokenize it with a stateful mapping. Now, with Transform secrets engine support, customers can protect sensitive data using all three currently supported transformation modes: format-preserving encryption (FPE), masking, and tokenization.
This initial release does not support external stores for tokenization. The Transform secrets engine will be available in AWS and Azure Plus clusters. More information on the Transform secrets engine can be found in the tutorial and documentation. For more guidance on which transformation may be right for you, please refer to our blog post on How to choose a data protection method.
As of today, all existing and new HCP Vault Plus clusters can take advantage of the Advanced Data Protection feature set at no additional cost. To get started, we recommend creating a HashiCorp Cloud Platform account and trying HCP Vault for yourself. All newly created accounts receive $50 in HCP credits, which can be used for the Plus tier in either AWS or Azure. For more information please visit the HCP product page or sign up through the HCP portal.