We are excited to announce the general availability of HashiCorp Vault 1.4. Vault is a tool which provides secrets management, data encryption, and identity management for any application on any infrastructure.
Vault 1.4 focuses on enhancing Vault’s ability to operate natively in new types of production environments and premiering a major new feature in Vault Enterprise: the Transform Secrets Engine.
This release includes the following features:
This release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.4 changelog provides a full list of features, enhancements, and bug fixes.
Integrated Storage is a storage engine built into Vault, removing the need for configuring and managing additional storage backends or services, and simplifying deployment and operations of production Vault clusters significantly. The Integrated Storage backend has moved out of beta and into general availability for both open-source and enterprise workloads.
We have also published an Integrated Storage Reference Architecture, a Preflight Checklist for Migrating to Integrated Storage, along with a Migration Guide for moving from HashiCorp Consul to Integrated Storage.
For more information on the Integrated Storage backend, please see our dedicated general availability release announcement and documentation.
Note: This is a Vault Enterprise feature within the ADP Module
The Transform Secrets Engine is a major new addition to the Vault Enterprise Advanced Data Protection (ADP) module, allowing for Vault to protect secrets that reside in untrusted or semi-trusted systems outside of Vault. This includes data such as social security numbers, credit card numbers, and other types of compliance-regulated data that must reside within systems such as file systems or databases for performance but must be protected in the event of their residence system’s compromise.
Supporting both one-way (masking) and two-way transformations via data type protection, the Transform Secrets Engine allows Vault to resolve use cases typically addressed by tokenization, with high-performance cryptography and the full suite of the Vault platform’s high availability and security features.
For more information on the Transform Secrets Engine, please see our dedicated release announcement, documentation, and a detailed Learn Guide.
The official Helm Chart for Vault has been enhanced to support both open-source and enterprise workloads. Using the Helm Chart, you can start a Vault cluster running on Kubernetes in just minutes. This Helm chart will also be the primary mechanism for setting up future Vault and Kubernetes features. By using the Helm chart, you can greatly reduce the complexity of running Vault on Kubernetes, and it gives you a repeatable deployment process in less time (versus creating your own).
For more information on the Helm Chart for Vault, see here.
The OpenLDAP Secrets Engine is a new secrets engine that allows Vault to manage existing OpenLDAP entities for activities such as rotating credentials across OpenLDAP directories for many privileged access management (PAM) workflows.
The OpenLDAP Secrets Engine is compliant with OpenLDAP v.2.4, ensuring that identity platforms based on OpenLDAP v.2.4+ can be instrumented using the OpenLDAP Secrets Engine.
For more information on OpenLDAP Secrets Engine, see here. Also, visit the Learn Guide for a step-by-step tutorial.
The Kerberos Auth Method is a new feature in Vault that allows Vault to verify applications and users via an existing Kerberos or SPNEGO environment. In Kerberos auth, Vault communicates with an external Kerberos system to verify the claims in a Kerberos ticket.
For more information on the Kerberos auth method, see here.
Note: This is a Vault Enterprise feature within the ADP Module
Vault Enterprise is now certified to automate key management for NetApp Data ONTAP systems. This allows Vault to serve as an external key manager for Data ONTAP, allowing for Vault to protect keys for full disk encryption (or FDE) via NetApp Storage Encryption and at the volume-level via Volume Level Encryption.
For more information on the KMIP Secrets Engine, see here. You might also be interested in our Engineering blog on using Vault as an External Key Manager for NetApp Encryption.
Note: This is a Vault Enterprise feature
Prior to Vault 1.4, if a Disaster Recovery (DR) Primary cluster went down, promoting a DR Secondary cluster required a DR operation token, which had to be generated by a quorum of recovery/unseal key holders. Requiring this quorum during critical downtime can delay recovery. Vault now supports the creation of a DR Batch Token which, once created, allows a DR Secondary to be promoted without assembling the quorum of key holders, saving precious time during critical downtime.
For more information on the Disaster Recovery (DR) Workflow, see here. Also, visit the Learn Guide for a step-by-step tutorial.
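As an added illustration of the DR Batch Token workflow described above (this is example content, not part of the original announcement), the following is a minimal Vault policy, in Vault's HCL policy syntax, that grants only the capability needed to promote a DR Secondary. The policy name, file name and TTL used in the usage note are placeholders chosen for this example; the two API paths are Vault's DR replication endpoints.

```hcl
# dr-secondary-promotion.hcl (example policy; name and file are placeholders)
# Grants only the capability to promote a DR Secondary to Primary.
path "sys/replication/dr/secondary/promote" {
  capabilities = ["update"]
}

# Optional: allow the promoted cluster (or a remaining secondary) to be
# re-pointed at a new primary after the failover.
path "sys/replication/dr/secondary/update-primary" {
  capabilities = ["update"]
}
```

Register the policy on the DR Primary with `vault policy write dr-secondary-promotion dr-secondary-promotion.hcl`, then mint the batch token there with `vault token create -type=batch -orphan -policy=dr-secondary-promotion -ttl=8h` and store it with the same care as a recovery key. During a DR event the token is supplied on the secondary via `vault write sys/replication/dr/secondary/promote dr_operation_token=<batch-token>`. Because batch tokens cannot be revoked, keep the TTL short and rotate the token on a schedule rather than issuing one long-lived token; the 8h value here is an assumption, not a recommendation from the release notes.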
There are many new features in Vault 1.4 that have been developed over the course of the 1.3.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:
A service_registration configuration stanza, which allows service registration to be configured separately from the storage backend. For more, see #7887.
Vault 1.4 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.4-specific upgrade page.
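To show how the two pieces above fit together in a server configuration, here is an added example (not from the announcement itself) of a Vault 1.4 server configuration that uses Integrated Storage as the storage backend while registering the node with Consul through the separate service_registration stanza. Host names, paths and certificate locations are placeholders invented for this example; the stanza names and parameters are Vault's own.

```hcl
# vault.hcl (example configuration; all host names and paths are placeholders)

# Integrated Storage: data lives on the Vault node itself, no external
# storage backend to run or secure.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-node-1"

  # Let the node find the cluster leader on start-up instead of requiring
  # a manual `vault operator raft join`.
  retry_join {
    leader_api_addr = "https://vault-node-2.example.internal:8200"
  }
}

# Service registration is now independent of the storage backend: Consul is
# used only for discovery/health checks, never for storing Vault data.
service_registration "consul" {
  address = "127.0.0.1:8500"
  service = "vault"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}

api_addr     = "https://vault-node-1.example.internal:8200"
cluster_addr = "https://vault-node-1.example.internal:8201"
ui           = true
```

Before 1.4, registering with Consul implied using Consul as the storage backend; with this layout the Consul agent only needs the ACL rights to register a service, and a compromise of the Consul cluster does not expose Vault's encrypted storage. The Raft data directory should be restricted to the Vault service account, since it now holds the encrypted barrier data that previously sat in the external backend.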
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discuss forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found here.
For more information about Vault Enterprise, visit https://www.hashicorp.com/products/vault. Users can download the open source version of Vault at https://www.vaultproject.io.
We hope you enjoy Vault 1.4.