We are excited to announce the general availability of HashiCorp Vault 1.4. Vault is a tool that provides secrets management, data encryption, and identity management for any application on any infrastructure.
Vault 1.4 focuses on enhancing Vault’s ability to operate natively in new types of production environments and premiering a major new feature in Vault Enterprise: the Transform Secrets Engine.
This release includes the following features:
- Integrated Storage: Promoted out of beta and into general availability for both open-source and enterprise workloads.
- Transform Secrets Engine (Vault Enterprise only): Performs secure data transformation to protect secrets that reside in untrusted or semi-trusted systems outside of Vault.
- Vault Helm Chart: Run Vault Enterprise on Kubernetes via the official Helm Chart.
- OpenLDAP Secrets Engine: Supports management of static entities within OpenLDAP.
- Kerberos Auth Method: Supports authentication of users and applications via Kerberos.
- NetApp Enterprise Key Management Support (Vault Enterprise only): Supports enterprise key management for NetApp Full Disk Encryption (FDE) and Volume Level Encryption via the KMIP Secrets Engine.
- Improved Disaster Recovery (DR) Workflow (Vault Enterprise only): Provides an improved workflow for promoting a DR Secondary should the DR Primary be lost.
This release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.4 changelog provides a full list of features, enhancements, and bug fixes.
» Integrated Storage
Integrated Storage is a storage engine built into Vault, removing the need for configuring and managing additional storage backends or services, and simplifying deployment and operations of production Vault clusters significantly. The Integrated Storage backend has moved out of beta and into general availability for both open-source and enterprise workloads.
We have also published an Integrated Storage Reference Architecture, a Preflight Checklist for Migrating to Integrated Storage, along with a Migration Guide for moving from HashiCorp Consul to Integrated Storage.
» Transform Secrets Engine
Note: This is a Vault Enterprise feature within the ADP Module
The Transform Secrets Engine is a major new addition to the Vault Enterprise Advanced Data Protection (ADP) module, allowing Vault to protect secrets that reside in untrusted or semi-trusted systems outside of Vault. This includes data such as social security numbers, credit card numbers, and other types of compliance-regulated data that must reside in systems such as file systems or databases for performance reasons, but must remain protected if the system holding them is compromised.
Supporting both one-way (masking) and two-way transformations via data type protection, the Transform Secrets Engine allows Vault to resolve use cases typically addressed by tokenization, with high-performance cryptography and the full suite of the Vault platform’s high availability and security features.
» Vault Helm Chart
The official Helm Chart for Vault has been enhanced to support both open-source and enterprise workloads. Using the Helm Chart, you can start a Vault cluster running on Kubernetes in just minutes. This Helm chart will also be the primary mechanism for setting up future Vault and Kubernetes features. Using the Helm chart greatly reduces the complexity of running Vault on Kubernetes and gives you a repeatable deployment process that takes less time than building your own.
For more information on the Helm Chart for Vault, see here.
» OpenLDAP Secrets Engine
The OpenLDAP Secrets Engine is a new secrets engine that allows Vault to manage existing OpenLDAP entities for activities such as rotating credentials across OpenLDAP directories for many privileged access management (PAM) workflows.
The OpenLDAP Secrets Engine is compliant with OpenLDAP v2.4, ensuring that identity platforms based on OpenLDAP v2.4 or later can be instrumented using the OpenLDAP Secrets Engine.
» Kerberos Auth Method
The Kerberos Auth Method is a new feature in Vault that allows Vault to verify applications and users via an existing Kerberos or SPNEGO environment. In Kerberos auth, Vault communicates with an external Kerberos system to verify the claims in a Kerberos ticket.
For more information on the Kerberos auth method, see here.
» NetApp Enterprise Key Management Support
Note: This is a Vault Enterprise feature within the ADP Module
Vault Enterprise is now certified to automate key management for NetApp Data ONTAP systems. This allows Vault to serve as an external key manager for Data ONTAP, protecting keys for full disk encryption (FDE) via NetApp Storage Encryption and for volume-level encryption via Volume Level Encryption.
For more information on the KMIP Secrets Engine, see here. You might also be interested in our Engineering blog on using Vault as an External Key Manager for NetApp Encryption.
» Improved Disaster Recovery (DR) Workflow
Note: This is a Vault Enterprise feature
Prior to Vault 1.4, if a Disaster Recovery (DR) Primary cluster went down, promoting a DR Secondary cluster required the generation of a DR operation token, created by a quorum of recovery/unseal keys. Requiring this quorum during critical downtime can delay recovery. Vault now supports the creation of a DR Batch Token which, once created, allows the promotion of a DR Secondary without gathering the quorum keyholders, saving precious time during critical downtime.
» Other Features
There are many new features in Vault 1.4 that have been developed over the course of the 1.3.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:
- MongoDB Atlas Secrets: Generate dynamic credentials for both MongoDB Atlas databases and the Atlas programmatic interface.
- Redshift Database Secrets Engine: Redshift database secrets engine now supports static and dynamic secrets for the Amazon Web Services (AWS) Redshift service.
- Venafi Secrets Engine: Ability to dynamically generate SSL/TLS certificates that serve as machine identities. For more, see the documentation.
- Service Registration Config: A newly introduced service_registration configuration stanza that allows service registration to be configured separately from the storage backend. For more, see #7887.
- Kubernetes Service Discovery: A Kubernetes service discovery feature which, if configured, makes Vault tag its pods with their current status. For more, see #8249.
- Usage Monitoring: UI controls were added to the web interface for monitoring running count metrics of HTTP Requests, Entities, and Tokens in Vault.
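As an added example (not a configuration from the announcement or from HashiCorp's Helm chart), the following server configuration combines the Integrated Storage backend with the new service_registration stanza and Kubernetes service discovery; the paths, node and pod names, namespace, and addresses are assumed placeholder values.

```hcl
# Added example configuration; not from the announcement. All paths,
# names and addresses below are assumed placeholder values.

# Integrated Storage (Raft): no external storage service to deploy,
# secure or back up separately from Vault itself.
storage "raft" {
  path    = "/vault/data"   # assumed on-disk path for the Raft log
  node_id = "vault-0"       # assumed unique ID for this node
}

# Integrated Storage mmaps its data, so mlock is disabled here;
# protect swap at the OS level instead.
disable_mlock = true

# Vault 1.4 splits service registration from the storage stanza.
# With the kubernetes provider, Vault labels its own pod with its
# current status (for example vault-active and vault-sealed), so a
# Kubernetes Service can route traffic only to the active, unsealed pod.
service_registration "kubernetes" {
  namespace = "vault"    # assumed namespace the Vault pod runs in
  pod_name  = "vault-0"  # assumed pod name; both values may instead be
                         # taken from the VAULT_K8S_NAMESPACE and
                         # VAULT_K8S_POD_NAME environment variables
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/vault/tls/tls.crt"  # assumed path; keep TLS enabled
  tls_key_file    = "/vault/tls/tls.key"  # assumed path
}

# Raft peers need stable, reachable addresses for this node.
api_addr     = "https://vault-0.vault-internal:8200"
cluster_addr = "https://vault-0.vault-internal:8201"

ui = true
```

Each Vault pod needs its own node_id and pod_name; the Helm chart normally derives these from the StatefulSet, which is why the announcement recommends it over hand-written manifests.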
» Upgrade Details
Vault 1.4 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.4-specific upgrade page.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discuss forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing email@example.com and do not use the public issue tracker. Our security policy and our PGP key can be found here.
We hope you enjoy Vault 1.4.