Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application.
Vault 1.0 is focused on renovating Vault’s infrastructure to support high performance, scalable workloads. The 1.0 release of Vault includes significant new functionality including:
- Batch Tokens: A new type of token optimized for high performance, ephemeral workloads.
- Open Source Cloud Auto Unseal: Cloud-based auto unseal is now open source.
- OpenAPI Support: Vault now supports the OpenAPI standard.
- Expanded Alibaba Cloud Integration: Expanded support for running Vault on Alibaba Cloud environments.
- Updated UI: Significant updates to the Vault UI for better ease of use.
- GCP Cloud KMS Secrets Engine: Manage GCP CKMS keys from within Vault.
The release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.0 changelog provides a full list of features, enhancements, and bug fixes.
Vault 1.0 is a major milestone for the Vault team and HashiCorp as a whole. Vault is the fourth HashiCorp project to reach 1.0, and where we are today is the result of nearly four years of hard work between HashiCorp and the broader open source community. We are immensely grateful to the community for their contributions. As always, thank you for all of your pull requests, ideas, bug reports, and support.
Batch tokens are a new type of token that support ephemeral, high performance workloads. These tokens do not write to disk, significantly reducing the performance cost of any operation within Vault.
As a trade off, batch tokens are not persistent and should not be used for any kind of long-lived or ongoing operation or any operation that requires resiliency of that token in the face of the failure or downtime of the Vault cluster.
The ephemeral nature of batch tokens makes them well suited for large batches of single-purpose operations such as use of the transit secret engine, but ill suited for operations such as persistent access for secrets within a K/V engine.
Open Source Cloud Auto Unseal
In Vault 1.0, we are open sourcing Cloud Auto Unseal, allowing for all users of Vault to leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS to manage the unseal process for Vault.
We decided to open source Cloud Auto Unseal to simplify the process of storing and reassembling Shamir’s keys for all users. While we originally thought cloud auto-unseal was just an enterprise compliance need, we’ve realized in working with the community that auto-unseal is more for ease of use than compliance requirements.
It is important to note that HSM-based Auto Unseal (via the PKCS#11 standard) and Seal-Wrap will continue to remain features within Vault Enterprise. Both of these features are typically deployed to conform with government and regulatory compliance requirements, and thus are aligned with enterprise use cases.
Vault 1.0 now supports the Open API Initiative’s OpenAPI standard, joining a host of other major open source projects in providing a vendor-neutral description format for its API calls.
/sys/internal/specs/openapi endpoint, Vault can generate an OpenAPI v3 document that describes mounted backends and endpoint capabilities for a given token’s permissions.
The releases leading up to 1.0 have seen significant updates to the Vault UI. These include wizards to help introduce new users to common Vault workflows for configuring Vault and storing secrets, updated screens for how users mount auth methods and secret engines, support for managing key versioning within the K/V v2 secrets engine, and a host of other updates to help ensure that Vault can almost completely be deployed, initialized, and managed from within the Vault UI.
1.0 is the culmination of a very significant amount of work from the Vault UI team over the last few major releases. We will publish a deep dive highlighting the UI team’s work, and Vault’s ability to be configured and manage workflows graphically, in an upcoming blog post.
Expanded Alibaba Cloud Integration
Vault 1.0 expands on features for operating Vault with and within Alibaba Cloud. Alibaba Cloud KMS is now supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud Auth Method is now a supported interface for Auto Auth within Vault Agent.
GCP CKMS Secret Engine
Vault 1.0 sees the release of a new secrets engine for managing cryptographic operations within Google Cloud Platform’s Cloud Key Management System. This interface allows for transit-like decrypt/encrypt operations, key creation, and key management within external GCP CKMS systems.
There are many new features in Vault 1.0 that have been developed over the course of the 0.11.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:
- AWS Secret Engine Root Credential Rotation: The credential used by the AWS secret engine can now be rotated, to ensure that only Vault knows the credentials it is using.
- Storage Backend Migrator: A new operator migrate command allows offline migration of data between two storage backends.
- Transit Key Trimming: Keys in transit secret engine can now be trimmed to remove older unused key versions.
- Replication Speed Improvements (Vault Enterprise): Vault’s replication system has been overhauled to dramatically improve performance.
Vault 1.0 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.0-specific upgrade page.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault mailing list.
We hope you enjoy Vault 1.0!
Originally posted on Hashicorp Blog
Author: Andy Manoske