This release features Integrated Storage enhancements, a new Key Management Secrets Engine, Transform Secrets Engine updates, and more.
We are pleased to announce the general availability of HashiCorp Vault 1.6. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.
In this release, we added enhancements to Integrated Storage, added the ability to tokenize sensitive data to the Transform Secrets Engine, made web UI improvements, and added a new Key Management Secrets Engine.
This release includes the following key features and improvements:
This release also includes many additional new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.6 changelog provides a list of all changes.
We introduced Integrated Storage in Vault 1.2; it lets Vault administrators keep Vault’s persistent data in an internal storage option rather than in an external storage backend. With each release we continue to improve the operational experience, and we are pleased to announce two highly requested features:
With Vault 1.6, we added Tokenization support as a technical preview, as well as a way to configure format-preserving encryption (FPE) and data masking transformations through the Transform web UI. The Transform Secrets Engine is an Advanced Data Protection (ADP) feature of Vault Enterprise used to protect secrets that reside in untrusted or semi-trusted systems outside of Vault, through one-way (masking) and two-way (FPE) data type protection transformations.
Tokenization can replace sensitive data with unique values (tokens) that are unrelated to the original value in any algorithmic sense. It is a stateful procedure: Vault maintains a mapping between each token and the associated cryptographic values (a one-way hash of the token, encrypted metadata, and so on), including the encrypted plaintext itself.
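As an added illustration of the stateful design described above (example code, not Vault's or HashiCorp's own), here is a minimal Go model of a tokenization store: tokens are random bytes, the store is keyed by a hash of the token, and only AES-GCM ciphertext is persisted. `TokenStore`, `Tokenize` and `Detokenize` are names invented for this example, the key is a constructed one, and Vault's own engine additionally stores encrypted metadata and manages its keys itself, which this toy omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// TokenStore models a stateful tokenization store: it keeps hash(token) -> encrypted plaintext, never the plaintext or the token itself.
type TokenStore struct {
	aead    cipher.AEAD
	records map[string][]byte // hex(SHA-256(token)) -> nonce || AES-GCM ciphertext
}

// NewTokenStore takes a 16-, 24- or 32-byte AES key (a constructed key in this example, not a real one).
func NewTokenStore(key []byte) (*TokenStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &TokenStore{aead: aead, records: map[string][]byte{}}, nil
}

// tokenKey hashes the token so a dump of the store yields neither tokens nor plaintext.
func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Tokenize returns a random token with no algorithmic relation to the plaintext; the mapping lives only in the store.
func (s *TokenStore) Tokenize(plaintext []byte) (string, error) {
	buf := make([]byte, 16+s.aead.NonceSize()) // 16 random token bytes, then a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token, nonce := hex.EncodeToString(buf[:16]), buf[16:]
	s.records[tokenKey(token)] = s.aead.Seal(nonce, nonce, plaintext, nil)
	return token, nil
}

// Detokenize looks the token up by its hash and decrypts; unknown or corrupted entries fail closed.
func (s *TokenStore) Detokenize(token string) ([]byte, error) {
	blob, ok := s.records[tokenKey(token)]
	if !ok {
		return nil, errors.New("unknown token")
	}
	return s.aead.Open(nil, blob[:s.aead.NonceSize()], blob[s.aead.NonceSize():], nil)
}
```

Because detokenization needs the store, a token is only useful to whoever can call the store, which is the whole point of the stateful approach.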
Many cloud providers offer a key management system (KMS) in which encryption keys can be issued and stored to maintain a root of trust. However, bringing your own keys to these services often involves manual work, so we added a new Key Management Secrets Engine, as a technical preview, to help manage and securely distribute keys to various cloud KMS services.
The Key Management Secrets Engine is in technical preview and currently supports only Azure, but we plan to support all major cloud providers shortly. With it, Vault can connect to and manage Azure Key Vault, automating many key lifecycle operations such as writing, reading, updating, and rotating keys. This should greatly simplify bringing your own keys to a cloud provider and managing the lifecycle of those keys.
Many of the new features in Vault 1.6 were developed over the course of the 1.5.x releases. For many of them you can learn more through detailed hands-on guides on the HashiCorp Learn site. We have summarized a few of the larger features below; consult the changelog for full details:
Vault 1.6 introduces significant new functionality, so please review the general upgrade instructions page for details.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing firstname.lastname@example.org and do not use the public issue tracker. Our security policy and our PGP key can be found here.
We hope you enjoy Vault 1.6.