This release features a new Integrated Storage Autopilot feature along with production readiness for Tokenization via Transform and the Key Management Secrets Engine.
We are pleased to announce the general availability of HashiCorp Vault 1.7. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.
Vault 1.7 focuses on improving Vault’s core workflows and making key features production-ready to better serve your use cases. In this release, we added an Autopilot feature to Integrated Storage for a more operator-friendly experience, promoted Tokenization via Transform and the Key Management Secrets Engine to general availability, made performance and reliability improvements, and shipped many smaller improvements across the project.
This release includes the following key features and improvements:
We introduced Integrated Storage in Vault 1.2, which allows Vault admins to configure an internal storage option for storing Vault’s persistent data rather than using an external storage backend. With each subsequent Vault release, we have continued to improve the operational experience and we are pleased to announce a highly requested feature called Autopilot.
The Autopilot feature allows for automatic, operator-friendly management of the Integrated Storage servers (similar to Consul’s Autopilot subsystem). Autopilot includes:
The Transform secrets engine handles secure data transformations and tokenization of user-provided input values and is part of the Vault Enterprise Advanced Data Protection (ADP) module. Transform currently supports format-preserving encryption (FPE), data masking, and tokenization as data transformation types.
We are happy to announce that Tokenization is out of technical preview and is now generally available for production workflows. Using the tokenization transformation, you can create irreversible “tokens” from sensitive data often encountered in PCI-DSS use cases, under GDPR regulations, or when handling personally identifiable information (PII).
Many cloud providers offer a Key Management Service (KMS), where encryption keys can be issued and stored, for maintaining a root of trust. The Key Management secrets engine provides a consistent workflow for distribution and lifecycle management of cryptographic keys in various key management service (KMS) providers. It allows organizations to manage the key lifecycle of keys Vault has distributed and maintain centralized control of those keys in Vault while still taking advantage of cryptographic capabilities native to the KMS providers.
We are happy to announce that the Key Management Secrets Engine is out of technical preview and is ready for production use with Azure Key Vault. We also added support for AWS KMS as a beta feature in this release. With this feature, Vault can manage keys in Azure Key Vault and automate many lifecycle operations, such as creating, reading, updating, and rotating keys. This greatly simplifies the process of bringing your own keys to a cloud provider and managing the lifecycle of those keys.
There are many new features in Vault 1.7 that have been developed over the course of the 1.6.x releases. For many of these features, you can learn more through detailed hands-on Learn guides on the HashiCorp Learn site. We have summarized a few of the larger features below, and you can consult the changelog for full details:
Vault 1.7 introduces significant new functionality. As such, please review the general upgrade instructions page for details.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing firstname.lastname@example.org and do not use the public issue tracker. Our security policy and our PGP key can be found here.
We hope you enjoy Vault 1.7.