The new HashiCorp Vault 1.12 focuses on improving core workflows and making key features production-ready.
We are pleased to announce the general availability of HashiCorp Vault 1.12. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.
Vault 1.12 focuses on improving Vault’s core workflows as well as adding new features such as Redis and Amazon ElastiCache secrets engines, a new PKCS#11 provider, improved Transform secrets engine usability, updated resource quotas, expanded PKI revocation and telemetry capabilities, and much more.
Key features and improvements in Vault 1.12 include:
- auto_rotate_period option.
- The * character can be added as part of the path, so auth/token/create* would match both auth/token/create and auth/token/create-orphan but not auth/token/lookup-self.
- vault namespace patch command can be used to update existing namespaces with custom metadata as well.
- tidy function was also enhanced with additional metrics that reflect the remaining stored and revoked certificates.

This release also includes additional new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.12 changelog lists all the updates. Please visit the Vault Release Highlights page for step-by-step tutorials demonstrating the new features.
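The quota path-globbing rule described above, worked through as an added example (hypothetical helper code, not Vault's own implementation): a trailing * in a quota path covers every request path that begins with the text before it, while a path without * covers only itself. The SAMPLE_QUOTAS definitions are constructed for illustration, and the "most specific first" ordering is an assumption for readability, not Vault's documented precedence.

```python
"""Vault 1.12 resource-quota path matching, reconstructed from the
announcement's description. Hypothetical helper, not Vault's own code."""


def quota_path_matches(quota_path: str, request_path: str) -> bool:
    """Return True if request_path falls under quota_path.

    Only a trailing '*' is treated as a wildcard here (assumption based on
    the auth/token/create* example in the announcement).
    """
    if quota_path.endswith("*"):
        return request_path.startswith(quota_path[:-1])
    return request_path == quota_path


def applicable_quotas(quotas: dict, request_path: str) -> list:
    """Names of all quotas whose path covers request_path.

    Ordered most specific first: longer literal prefix wins, and an exact
    path beats a glob with the same prefix. This ordering is an assumption
    for illustration, not Vault's documented precedence.
    """
    hits = [
        (len(path.rstrip("*")), not path.endswith("*"), name)
        for name, path in quotas.items()
        if quota_path_matches(path, request_path)
    ]
    return [name for _, _, name in sorted(hits, reverse=True)]


# Constructed sample quota definitions (name -> path), mirroring the
# announcement's example paths.
SAMPLE_QUOTAS = {
    "token-create-family": "auth/token/create*",
    "token-create-exact": "auth/token/create",
    "token-auth-all": "auth/token/*",
}

if __name__ == "__main__":
    for path in ("auth/token/create", "auth/token/create-orphan",
                 "auth/token/lookup-self"):
        print(path, "->", applicable_quotas(SAMPLE_QUOTAS, path))
```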
We are improving Vault PKI Engine’s revocation capabilities by adding support for the Online Certificate Status Protocol (OCSP) and a delta CRL to track changes to the main CRL. These enhancements significantly streamline the PKI engine, making the certificate revocation semantics easier to understand and manage. Additionally, support for automatic CRL rotation and periodic tidy operations helps reduce operator burden, alleviate the demand on cluster resources during periods of high revocation, and ensure clients are always served valid CRLs. Finally, support for bring-your-own-cert (BYOC) allows revocation of no_store=true certificates and, for proof-of-possession (PoP), allows end users to safely revoke their own certificates (with the corresponding private key) without operator intervention.
The tidy function is enhanced with additional metrics that reflect the remaining stored and revoked certificates. For more information, please see the PKI Secrets Engine documentation.
Software solutions often require cryptographic objects such as keys or X.509 certificates. Some external software must also perform operations including key generation, hashing, encryption, decryption, and signing. HSMs are traditionally used as a secure option but can be expensive and challenging to operationalize.
Vault Enterprise 1.12 is a PKCS#11 2.40 compliant provider, extended profile. PKCS#11 is the standard protocol supported for integrating with HSMs. It also has the operational flexibility and advantages of software for key generation, encryption, and object storage operations. The PKCS#11 provider in Vault 1.12 supports a subset of key generation, encryption, decryption, and key storage operations.
Protecting sensitive data at rest is a fundamental task for database administrators that enables many organizations to follow industry best practices and comply with regulatory requirements. Administrators of Oracle databases will also now be able to enable Transparent Data Encryption (TDE) for Oracle because of this feature. TDE for Oracle performs real-time data and log file encryption and decryption transparently to end user applications.
For more information, please see the PKCS#11 provider documentation.
Transform is a Vault Enterprise feature that lets Vault use data transformations and tokenization to protect secrets residing in untrusted or semi-trusted systems. This includes protecting compliance-regulated data such as social security numbers and credit card numbers. Oftentimes, data must reside within file systems or databases for performance but must be protected in case the system in which it resides is compromised. Transform is built for these kinds of use cases.
With this release, we added the ability to import externally generated keys for BYOK workflows, MSSQL external storage support, and support for encryption key auto-rotation via an auto_rotate_period option.
For more information, please see the Transform Secrets Engine documentation.
Many new features in Vault 1.12 have been developed over the course of the 1.11.x releases. You can learn more about how to use these features in our detailed, hands-on HashiCorp Vault guides. You can consult the changelog for full details, but here are a few of the larger changes and deprecation notices:
- sys/seal-status endpoint to get the Vault server’s version, and then determine the correct features available for use.
- end_date to the current month. When this is done, the new_clients field will have the approximate number of new clients that came in for the current month.
- use_microsoft_graph_api configuration parameter for using Microsoft Graph API, since the Azure Active Directory API is being removed.

Vault 1.12 introduces significant new functionality. As such, please review the Upgrading Vault page, as well as the Feature Deprecation Notice and Plans page for further details.
As always, we recommend upgrading and testing new releases in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose it by emailing security@hashicorp.com — do not use the public issue tracker. For more information, please consult our security policy and our PGP key.
For more information about Vault Enterprise, visit hashicorp.com/products/vault. You can download the open source version of Vault at vaultproject.io.
We hope you enjoy HashiCorp Vault 1.12.