Announcing HashiCorp Vault 1.7

We are pleased to announce the general availability of HashiCorp Vault 1.7. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.

Vault 1.7 focuses on improving Vault’s core workflows and making key features production-ready to better serve your use cases. In this release, we added an Autopilot feature to Integrated Storage for a more operator-friendly experience, promoted Tokenization via Transform and the Key Management Secret Engine to general availability, made performance and reliability improvements, as well as many smaller improvements across the project.

This release includes the following key features and improvements:

• Integrated Storage Autopilot: Added dead server cleanup, server stabilization for new nodes joining a cluster, and a health check API to our integrated storage backend.
• Tokenization (Enterprise; ADP Module): Tokenization support is out of technical preview and is now production ready using the Transform Secret Engine. Tokenization creates irreversible “tokens” from sensitive data, thus protecting the original data.
• Key Management Secrets Engine (Enterprise): The engine is now generally available with support for Azure Key Vault. Support for AWS KMS has been added (beta).
• Performance and reliability: We have improved how Vault resources are consumed during lease revocations, resulting in better performance. We have also added configurable headers to control the consistency of reads after writes to performance secondary clusters and performance standby nodes. We also added an option to configure the size of the logshipper buffer to control memory utilization when dealing with replication updates to secondary nodes.
• Database Secrets Engine (UI): Added a UI to configure database secrets engines and dynamic database credential generations for MongoDB.

This release also includes many additional new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.7 changelog and release notes provide a list of all changes.

»Integrated Storage Autopilot

We introduced Integrated Storage in Vault 1.2, which allows Vault admins to configure an internal storage option for storing Vault’s persistent data rather than using an external storage backend. With each subsequent Vault release, we have continued to improve the operational experience and we are pleased to announce a highly requested feature called Autopilot.

The Autopilot features allow for automatic, operator-friendly management of the Integrated Storage servers (similar to Consul’s Autopilot subsystem). The autopilot includes:

• Monitoring: Perform cluster node health checks.
• Server stabilization: Prevent disruption to the raft quorum due to an unstable new node by watching the newly added node health and then deciding promotion to voter status.
• Dead server cleanup: Periodically check and automatically clean-up of failed servers.

For more information on either of these Integrated Storage enhancements, please see our documentation and a detailed Learn Guide.

»Tokenization using Transform Secrets Engine

The Transform secrets engine handles secure data transformations and tokenization against user-provided input value and is part of the Vault Enterprise Advanced Data Protection (ADP) module. Transform currently supports format-preserving encryption (FPE), data masking, and tokenization as data transformation types.

We are happy to announce Tokenization is out of technical preview and is now generally available for production workflows. Using the tokenization transformation you can create irreversible “tokens” from sensitive data often encountered in PCI-DSS use-cases, GDPR regulations, or when handling personally identifiable information (PII).

For more information on Transform Secret Engine, please see our documentation and a detailed Learn Guide.

»Key Management Secrets Engine

Many cloud providers offer a Key Management Service (KMS), where encryption keys can be issued and stored, for maintaining a root of trust. The Key Management secrets engine provides a consistent workflow for distribution and lifecycle management of cryptographic keys in various key management service (KMS) providers. It allows organizations to manage the key lifecycle of keys Vault has distributed and maintain centralized control of those keys in Vault while still taking advantage of cryptographic capabilities native to the KMS providers.

We are happy to announce that the Key Management Secrets Engine is out of technical preview and is ready for production use for Azure Key Vault. We also added support for AWS KMS as a beta feature in this release. Using this feature you can use Vault to manage keys in Azure Key Vault, for automating many lifecycle operations, such as creation, reading, updating, and rotating keys. This greatly simplifies the process of bringing your own keys to a cloud provider and managing the lifecycle of those keys.

For more information on the Key Management Secrets Engine, please see our documentation and a detailed Learn Guide.

»Other Features

There are many new features in Vault 1.7 that have been developed over the course of the 1.6.x releases. For many of these features you can learn more using detailed hands-on learn guides through the HashiCorp Learn site. We have summarized a few of the larger features below, and you can consult the changelog for full details:

• Automatic Barrier Key Rotation: Added support for barrier key to be rotated automatically to reduce the risk of nonce reuse cryptanalysis. This is a precaution to ensure the number of encryptions performed by the barrier key is fewer than that recommended by NIST SP800-38D.
• Terraform Cloud & Terraform Enterprise Secrets Engine: Vault can now dynamically generate API tokens for Terraform Cloud and Terraform Enterprise.
• Snowflake Secrets Engine: Snowflake is now one of the supported plugins for the database secrets engine. The plugin can generate database credentials dynamically based on configured roles for Snowflake hosted databases, and also supports Static Roles.
• Vault Enterprise Trial License: We have extended the Vault Enterprise evaluation license from 30 minutes to 6 hours to allow for more complete testing.
• OpenLDAP Secrets Engine: We have updated the OpenLDAP engine to allow the creation of short-lived dynamic AD user accounts.
• Vault Agent: Vault Agent can now support a persistent cache in Kubernetes environments, streamlining the handoff of leases and tokens between an Init and Sidecar container.
• Vault Agent: We have updated Vault Agent so that it can now run as a Windows Service.
• Secrets Store CSI driver: Added support for secrets to be pre-populated into a pod’s volume via a daemonset. To learn more, please see the documentation.
• Username customization: Allow users to customize dynamically generated usernames
• AWS Secrets: Updated AWS Identity and Access Management (IAM) tags can now be added to dynamic user credentials via a list of strings representing a key-value pair.
• Aerospike Storage Backend: Support for using Aerospike as a community supported storage backend option.
• Okta One-Time Passcode (OTP): Added ability for a one-time password to be passed in along with the Okta login command for users who are unable to accept or respond to an Okta MFA push notification.

»Upgrade Details

Vault 1.7 introduces significant new functionality. As such, please review the general upgrade instructions page for details.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found here.

For more information about Vault Enterprise, visit hashicorp.com/products/vault. Users can download the open source version of Vault at vaultproject.io.

We hope you enjoy Vault 1.7.