HashiCorp Vault 1.12 Adds New Secrets Engines, ADP Updates, and More

We are pleased to announce the general availability of HashiCorp Vault 1.12. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.

Vault 1.12 focuses on improving Vault’s core workflows as well as adding new features such as Redis and Amazon ElastiCache secrets engines, a new PKCS#11 provider, improved Transform secrets engine usability, updated resource quotas, expanded PKI revocation and telemetry capabilities, and much more.

Key features and improvements in Vault 1.12 include:

• PKCS #11 provider (Vault Enterprise): Added the Vault PKCS#11 provider, which enables the Vault KMIP secrets engine to be used via PKCS#11 calls. The provider supports a subset of key generation, encryption, decryption, and key storage operations.
• Transparent Data Encryption for Oracle (Enterprise): Support for Vault to manage encryption keys for Transparent Data Encryption (TDE) with Oracle servers.
• Transform secrets engine (Vault Enterprise): Added the ability to import externally generated keys for bring-your-own-key (BYOK) workflows, added MSSQL external storage support, and added support for encryption key auto-rotation via an auto_rotate_period option.
• Resource quotas: Enhanced path and role-based resource quotas with support for API path suffixes and auth mount roles. For example, a trailing wildcard * can be added as part of the path, so auth/token/create* would match both auth/token/create and auth/token/create-orphan but not auth/token/lookup-self.
• Versioned plugins: Added the concept of versions to plugins, making plugins “version-aware” and enabling release standardization and a better user experience when installing and upgrading plugins.
• Namespace custom metadata (Vault Enterprise): Support for specifying custom metadata on namespaces was added. The new vault namespace patch command can be used to update existing namespaces with custom metadata as well.
• OIDC provider interface update (UI): Our design and user research teams gathered community feedback and simplified the setup experience for using Vault as an OIDC provider. With just a few UI clicks, users can now have a default OIDC provider configured and ready to go.
• Okta number challenge interface update (UI): Added support for Okta’s number challenge to the Vault UI. This enables users to complete the Okta number challenge from a UI, CLI, and API.
• PKI secrets engine: We are improving Vault’s PKI engine revocation capabilities by adding support for the Online Certificate Status Protocol (OCSP) and a delta certificate revocation list (CRL) to track changes to the main CRL. These changes offer significant performance and data transfer improvements to revocation workflows.
• PKI secrets engine telemetry: Support for additional telemetry metrics for better insights into certificate usage via the count of stored and revoked certificates. Vault’s tidy function was also enhanced with additional metrics that reflect the remaining stored and revoked certificates.
• Redis secrets engine: Added a new database secrets engine that supports the generation of static and dynamic user roles and root credential rotation on a standalone Redis server. Huge thanks to Francis Hitchens, who contributed a repository to HashiCorp.
• Amazon ElastiCache secrets engine: Added a new database secrets engine that generates static credentials for existing managed roles in Amazon ElastiCache.
• LDAP secrets engine: Added a new LDAP secrets engine that unifies the user experience between the Active Directory (AD) secrets engine and OpenLDAP secrets engine. This new engine supports all implementations from both of the engines mentioned above (AD, LDAP, and RACF) and brings dynamic credential capabilities for users relying on Active Directory.
• KMIP secrets engine (Vault Enterprise): Added support to the KMIP secrets engine for the operations and attributes in the Baseline Server profile, in addition to the already supported Symmetric Key Lifecycle Server and the Basic Cryptographic Server profiles.

This release also includes additional new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.12 changelog list all the updates. Please visit the Vault Release Highlights page for step-by-step tutorials demonstrating the new features.

»PKI Secrets Engine Improvements

We are improving Vault PKI Engine’s revocation capabilities by adding support for the Online Certificate Status Protocol (OCSP) and a delta CRL to track changes to the main CRL. These enhancements significantly streamline the PKI engine, making the certification revocation semantics easier to understand and manage. Additionally, support for automatic CRL rotation and periodic tidy operations helps reduce operator burden, alleviate the demand on cluster resources during periods of high revocation, and ensure clients are always served valid CRLs. Finally, support for bring-your-own-cert (BYOC) allows revocation of no_store=true certificates and, for proof-of-possession (PoP), allows end users to safely revoke their own certificates (with corresponding private key) without operator intervention.

• PKI and managed key support for RSA-PSS signatures: Since its initial release, Vault's PKI secrets engine supported only RSA-PKCS#1v1.5 (public key cryptographic standards) signatures for issuers and leaves. To conform with guidance from the National Institute of Standards and Technology (NIST) around key transport and for compatibility with newer hardware security module (HSM) firmware, we have included support for RSA-PSS (probabilistic signature scheme) signatures. See the section on PSS Support in the PKI documentation for limitations of this feature.
• PKI telemetry improvements: This release adds additional telemetry to Vault’s PKI secrets engine, enabling customers to gather better insights into certificate usage via the count of stored and revoked certificates. Additionally, the Vault tidy function is enhanced with additional metrics that reflect the remaining stored and revoked certificates.
• Google Cloud Key Manager support: Managed keys let Vault secrets engines (currently PKI) use keys stored in cloud KMS systems for cryptographic operations like certificate signing. Vault 1.12 adds support for Google Cloud KMS to the managed key system, where previously only AWS, Microsoft Azure, and PKCS#11 HSMs were supported.

For more information, please see the PKI Secrets Engine documentation.

»PKCS #11 Provider

Software solutions often require cryptographic objects such as keys or X.509 certificates. Some external software must also perform operations including key generation, hashing, encryption, decryption, and signing. HSMs are traditionally used as a secure option but can be expensive and challenging to operationalize.

Vault Enterprise 1.12 is a PKCS#11 2.40 compliant provider, extended profile. PKCS#11 is the standard protocol supported for integrating with HSMs. It also has the operational flexibility and advantages of software for key generation, encryption, and object storage operations. The PKCS#11 provider in Vault 1.12 supports a subset of key generation, encryption, decryption, and key storage operations.

Protecting sensitive data at rest is a fundamental task for database administrators that enables many organizations to follow industry best practices and comply with regulatory requirements. Administrators of Oracle databases will also now be able to enable Transparent Data Encryption (TDE) for Oracle because of this feature. TDE for Oracle performs real-time data and log file encryption and decryption transparently to end user applications.

For more information, please see the PKCS#11 provider documentation.

»Transform Secret Engine Enhancements

Transform is a Vault Enterprise feature that lets Vault use data transformations and tokenization to protect secrets residing in untrusted or semi-trusted systems. This includes protecting compliance-regulated data such as social security numbers and credit card numbers. Oftentimes, data must reside within file systems or databases for performance but must be protected in case the system in which it resides is compromised. Transform is built for these kinds of use cases.

With this release, we added the ability to import externally generated keys for BYOK workflows, MSSQL external storage support, and support for encryption key auto-rotation via an auto_rotate_period option.

• Bring your own key (BYOK): Added the ability to import externally generated keys to support use cases where there is a need to bring in an existing key from an HSM or other outside system. In release 1.11, we introduced BYOK support to Vault, enabling customers to import existing keys into the Vault Transit secrets engine and enabling secure and flexible Vault deployments. We are extending that support to the Vault Transform secrets engine in this release.
• MSSQL support: An MSSQL store is now available to be used as an external storage engine with tokenization in the Transform secrets engine. Refer to the following documents: Transform Secrets Engine (API), Transform Secrets Engine, and Tokenization Transform for more information.
• Key auto rotation: Periodic rotation of encryption keys is a recommended key management practice for a good security posture. In Vault 1.10, we added support for auto key rotation in the Transit secrets engine. In Vault 1.12, the Transform secrets engine has been enhanced to let users set the rotation policy during key creation in a time interval, which will cause Vault to automatically rotate the Transform keys when the time interval elapses . Refer to the Tokenization Transform and Transform Secrets Engine (API) documentation for more information.

For more information, please see the Transform Secrets Engine documentation.

»Other Vault 1.12 Features

Many new features in Vault 1.12 have been developed over the course of the 1.11.x releases. You can learn more about how to use these features in our detailed, hands-on HashiCorp Vault guides. You can consult the changelog for full details, but here are a few of the larger changes and depreciation notices:

• Terraform provider for Vault: The Terraform provider uses Vault’s sys/seal-status endpoint to get the Vault server’s version, and then determine the correct features available for use.
• Vault usage metrics: Enhanced the /sys/internal/counters API to support setting the end_date to the current month. When this is done, the new_clients field will have the approximate number of new clients that came in for the current month.
• Licensing enhancement (Vault Enterprise): Updated license termination behavior so that production licenses no longer have a termination date, which makes Vault more robust for Vault Enterprise customers.
• AAD Graph on Azure Secrets Engine removed: We added a use_microsoft_graph_api configuration parameter for using Microsoft Graph API, since the Azure Active Directory API is being removed.
• X.509 certificates with SHA-1 signatures support removed: Please migrate off SHA-1 for certificate signing. Go (Golang) version 1.18 removes support for SHA-1 by default, however, you can set a Go environment variable to restore SHA-1 support if you need to continue using SHA-1 (supported until Go 1.19).
• Standalone database engines impacted experience: If you use any standalone database engines, please migrate away from their usage. With this release, Vault will log error messages and shut down. Any attempts to add new mounts will result in an error. Please migrate to database secrets engines.
• AppID impacted experience: If you use AppID, please migrate away from its usage. With this release, Vault will log error messages and shut down. Please migrate to the AppRole auth method.

»Upgrade Details

Vault 1.12 introduces significant new functionality. As such, please review the Upgrading Vault page, as well as the Feature Deprecation Notice and Plans page for further details.

As always, we recommend upgrading and testing new releases in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose it by emailing security@hashicorp.com — do not use the public issue tracker. For more information, please consult our security policy and our PGP key.

For more information about Vault Enterprise, visit hashicorp.com/products/vault. You can download the open source version of Vault at vaultproject.io.

We hope you enjoy HashiCorp Vault 1.12.