Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application.
Vault 1.0 is focused on renovating Vault's infrastructure to support high performance, scalable workloads. The 1.0 release of Vault includes significant new functionality including:
The release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.0 changelog provides a full list of features, enhancements, and bug fixes.
Vault 1.0 is a major milestone for the Vault team and HashiCorp as a whole. Vault is the fourth HashiCorp project to reach 1.0, and where we are today is the result of nearly four years of hard work between HashiCorp and the broader open source community. We are immensely grateful to the community for their contributions. As always, thank you for all of your pull requests, ideas, bug reports, and support.
Batch tokens are a new type of token designed for ephemeral, high-performance workloads. Unlike a service token, a batch token is an encrypted blob that carries its own metadata and is never written to Vault's storage backend, which removes the storage write from every token creation and significantly reduces the cost of such operations within Vault.
The trade-off is that batch tokens are not persistent: they cannot be renewed, and they should not be used for any long-lived or ongoing operation, or for any operation that must survive failure or downtime of the Vault cluster.
Their ephemeral nature makes batch tokens well suited to large batches of single-purpose operations, such as calls to the Transit secrets engine, and ill suited to operations such as persistent access to secrets in a K/V secrets engine.
In Vault 1.0, we are open sourcing Cloud Auto Unseal, allowing for all users of Vault to leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS to manage the unseal process for Vault.
We decided to open source Cloud Auto Unseal to simplify the process of storing and reassembling the Shamir unseal key shares for all users. While we originally thought cloud auto-unseal was just an enterprise compliance need, we've realized in working with the community that auto-unseal is more about ease of use than compliance requirements.
It is important to note that HSM-based Auto Unseal (via the PKCS#11 standard) and Seal Wrap remain features of Vault Enterprise. Both are typically deployed to conform with government and regulatory compliance requirements, and thus are aligned with enterprise use cases.
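The configuration below is an added example of what enabling Cloud Auto Unseal looks like in a Vault server config file; it is not taken from this post or from the Vault documentation. The storage path, TLS file locations, region, and KMS key alias are placeholders, and the `seal "awskms"` stanza is what tells Vault to wrap the master key with AWS KMS instead of requiring Shamir unseal key shares at startup.

```hcl
# Added example server configuration; paths, region and key alias are
# placeholders to replace with your own values.
storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}

# Cloud Auto Unseal with AWS KMS. Vault picks up AWS credentials from the
# usual SDK chain (instance profile, environment variables); do not put
# static access keys in this file.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/vault-unseal"
}
```

The KMS key policy for the role Vault runs under only needs `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on that one key; granting anything broader widens the blast radius of a compromised Vault host. Note that auto unseal moves the root of trust for unsealing to the cloud provider's key management service, so the IAM policy on that key now matters as much as who holds Shamir shares did before.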
Vault 1.0 now supports the Open API Initiative's OpenAPI standard, joining a host of other major open source projects in providing a vendor-neutral description format for its API calls.
Using the /sys/internal/specs/openapi endpoint, Vault can generate an OpenAPI v3 document that describes the mounted backends and endpoint capabilities visible to a given token's permissions.
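Because the generated document is tailored to the calling token, it doubles as a way to audit what a token can actually reach. The script below is an added example, not part of this post or of the Vault project: it summarises the operations in such a document and derives a least-privilege policy skeleton from them. It assumes Vault's generator marks sudo-protected and unauthenticated endpoints with the vendor extensions `x-vault-sudo` and `x-vault-unauthenticated` on the path item (the code also checks the operation level), and it embeds a constructed `SAMPLE_SPEC` so it runs offline; set `VAULT_ADDR` and `VAULT_TOKEN` to run it against a real server.

```python
"""Summarise which endpoints a token can reach from the OpenAPI v3 document
Vault serves at /v1/sys/internal/specs/openapi, and derive a least-privilege
policy skeleton from it.

Added example; not code from the Vault project. Assumptions: the vendor
extensions ``x-vault-sudo`` and ``x-vault-unauthenticated`` mark sudo and
unauthenticated endpoints, and SAMPLE_SPEC is a constructed stand-in for a
real response so the script runs offline.
"""
import json
import os
import urllib.request

# Constructed sample shaped like Vault's output (not captured from a server).
SAMPLE_SPEC = {
    "openapi": "3.0.2",
    "paths": {
        "/sys/health": {"x-vault-unauthenticated": True, "get": {}},
        "/secret/data/{path}": {"get": {}, "post": {}, "delete": {}},
        "/sys/raw/{path}": {"x-vault-sudo": True, "get": {}, "delete": {}},
        "/transit/encrypt/{name}": {"post": {}},
    },
}

# HTTP verb -> Vault ACL capabilities. A POST may target a new or an existing
# entry, so it needs both create and update. LIST is expressed as GET with
# ?list=true in the document, so a plain GET maps to read only.
METHOD_TO_CAPS = {
    "get": ("read",),
    "post": ("create", "update"),
    "put": ("create", "update"),
    "delete": ("delete",),
}


def fetch_spec(addr, token):
    """Fetch the document for one token; Vault tailors it to that token."""
    url = addr.rstrip("/") + "/v1/sys/internal/specs/openapi"
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize(spec):
    """Return sorted rows of (path, METHOD, capabilities, sudo, unauthenticated)."""
    rows = []
    for path, item in spec.get("paths", {}).items():
        item_sudo = bool(item.get("x-vault-sudo", False))
        item_unauth = bool(item.get("x-vault-unauthenticated", False))
        for method, caps in METHOD_TO_CAPS.items():
            op = item.get(method)
            if not isinstance(op, dict):
                continue
            sudo = item_sudo or bool(op.get("x-vault-sudo", False))
            unauth = item_unauth or bool(op.get("x-vault-unauthenticated", False))
            rows.append((path, method.upper(), caps, sudo, unauth))
    return sorted(rows)


def policy_path(openapi_path):
    """Turn an OpenAPI path template into a Vault 1.0 policy path.

    Vault 1.0 policies only support a trailing '*' glob, so the template is
    cut at its first '{param}' and '*' appended. That is coarser than the
    template (it covers everything under the prefix), so review the result.
    """
    p = openapi_path.lstrip("/")
    if "{" in p:
        return p.split("{", 1)[0] + "*"
    return p


def policy_skeleton(spec):
    """Build a policy granting only the authenticated, non-sudo operations the
    document exposes. Sudo paths are returned separately for manual review."""
    grants = {}
    sudo_paths = set()
    for path, _method, caps, sudo, unauth in summarize(spec):
        if unauth:
            continue  # reachable without a token; nothing to grant
        if sudo:
            sudo_paths.add(policy_path(path))
            continue
        grants.setdefault(policy_path(path), set()).update(caps)
    stanzas = []
    for p in sorted(grants):
        cap_list = ", ".join('"%s"' % c for c in sorted(grants[p]))
        stanzas.append('path "%s" {\n  capabilities = [%s]\n}' % (p, cap_list))
    return "\n\n".join(stanzas), sorted(sudo_paths)


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    spec = fetch_spec(addr, token) if addr and token else SAMPLE_SPEC
    for row in summarize(spec):
        print("%-28s %-6s caps=%s sudo=%s unauth=%s" % row)
    hcl, sudo = policy_skeleton(spec)
    print("\n# policy skeleton\n" + hcl)
    if sudo:
        print("\n# sudo-protected paths, not granted: " + ", ".join(sudo))
```

Run against two different tokens and diff the output of `summarize` to see exactly which endpoints one token can see that the other cannot. The generated policy is deliberately a starting point: the trailing-glob conversion over-grants relative to the template, and sudo paths are listed but never granted, since the `sudo` capability should be added by hand only where it is genuinely required.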
The releases leading up to 1.0 have seen significant updates to the Vault UI. These include wizards to help introduce new users to common Vault workflows for configuring Vault and storing secrets, updated screens for how users mount auth methods and secret engines, support for managing key versioning within the K/V v2 secrets engine, and a host of other updates to help ensure that Vault can almost completely be deployed, initialized, and managed from within the Vault UI.
1.0 is the culmination of a very significant amount of work from the Vault UI team over the last few major releases. We will publish a deep dive highlighting the UI team's work, and Vault's ability to be configured and manage workflows graphically, in an upcoming blog post.
There are many new features in Vault 1.0 that have been developed over the course of the 0.11.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:
Vault 1.0 expands on features for operating Vault with and within Alibaba Cloud. Alibaba Cloud KMS is now supported as a Seal Wrap and Auto Unseal target, and the Alibaba Cloud auth method is now a supported interface for Auto Auth within Vault Agent.
Vault 1.0 sees the release of a new secrets engine for managing cryptographic operations within Google Cloud Platform's Cloud Key Management Service. This interface allows for transit-like encrypt/decrypt operations, key creation, and key management within external GCP CKMS systems.
Vault 1.0 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.0-specific upgrade page.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault mailing list.
Also, check out the Journey to Vault 1.0 by Armon.
We hope you enjoy Vault 1.0!