We are excited to announce the general availability of HashiCorp Vault 1.5. Vault is a tool which provides secrets management, data encryption, and identity management for any application on any infrastructure.
Vault 1.5 focuses on improving Vault’s core workflows and integrations to better serve your use cases. In this release, we added additional telemetry metrics and released a Splunk monitoring app, expanded support for running Vault in Kubernetes via OpenShift, and added a major new feature called Resource Quotas for protecting against distributed denial of service (DDoS) attacks.
This release includes the following key features and improvements:
This release also includes additional new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.5 changelog provides a list of all changes.
We released a Splunk application for Enterprise to help users with an out-of-box Vault monitoring experience. The application helps you understand how Vault is doing from an operational and security perspective in a multi-tenant environment, and comes with seven sample dashboards that span various monitoring use cases. It is also accompanied by an updated Performance Tuning Guide that includes recommendations on the most important metrics to be monitored, why they are important to be monitored, their critical thresholds, and more. You can read more about HashiCorp and Splunk working together over on their blog post.
Vault Enterprise users can complete the Splunk app request form to request access to the app.
Vault 1.5 introduced resource quotas to protect your Vault environment's stability and network, as well as storage resource consumption from runaway application behavior and distributed denial of service (DDoS) attack. The Vault operators can control how applications request resources from Vault, and Vault's storage and network infrastructure by setting the following:
We have updated our Kubernetes Helm chart with support for Red Hat OpenShift. The Vault Helm chart is the recommended way to install and configure Vault on OpenShift. In addition to running Vault itself, the Helm chart is the primary method for installing and configuring Vault Agent Injection Mutating Webhook.
We initially introduced Integrated Storage in Vault 1.2, which allows Vault admins to configure an internal storage option for storing Vault’s persistent data, rather than using an external storage backend.
In most scenarios, you would configure your Vault server nodes to use a storage backend that supports high availability (HA), therefore the storage backend stores the Vault data while maintaining the HA coordination. However, not all storage backends support HA (for example, Amazon S3, Cassandra, MSSQL). In some cases, you may need to use a storage backend that does not have HA support which means that you can only have a single-node Vault deployment instead of an HA cluster.
To solve this problem, Vault 1.5 now has the option to specify integrated storage as the HA coordination option for Vault, when any durable data storage backend is used.
Replication is a Vault Enterprise feature, with two use cases: disaster recovery and performance replication. Disaster recovery replication is meant to protect against a failure of entire clusters, while performance replication is built to distribute a high-volume workload.
In both instances, it is important to be able to monitor the health of both the primary and secondary clusters, be made aware of potential issues and ways to address those issues, and note the connections between clusters. In Vault 1.5, we redesigned the replication UI to create dashboards that are easy to read, easy to parse, and make problems easier to see and troubleshoot. We are eager to share our redesigned dashboards with you.
Vault Enterprise successfully completed product compatibility validations for both VMware vSphere and NetApp ONTAP. You can use Vault Enterprise as a flexible, very cost-effective, and scalable external key manager solution using the built-in Key Management Interoperability Protocol (or KMIP) standard for securing and encrypting storage systems.
If you would like to learn more, we have released two new white papers that highlight these certified integrations:
There are many new features in Vault 1.5 that have been developed over the course of the 1.4.x releases. We have summarized a few of the larger features below, and you can consult the changelog for full details:
Vault 1.5 introduces new functionality. As such, we provide Vault 1.5-specific upgrade notes.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing firstname.lastname@example.org and do not use the public issue tracker. Our security policy and our PGP key can be found here.
We hope you enjoy Vault 1.5.
HashiCorp Vault is now available on HashiCorp Cloud Platform in public beta.
The cryptography and key management protecting HashiCorp Vault secrets is designed to stand up to concerted attacks from well-resourced, skilled adversaries. Here's how it works.
A new Couchbase secrets engine is available for HashiCorp Vault.