Vault is one of Hashicorp’s core products. It deals with secret management, data encryption, and identity for many applications across many various platforms. On the 25th of March they announced Vault 1.7. This post will look into what is new in this edition.
This version focuses on the following key features and improvements:
- Integrated Storage Autopilot: Added features to aid with dead server cleanup, server stabilization for new nodes joining a cluster, and a health check API to the integrated storage backend.
- Tokenization (Enterprise; ADP Module): Tokenization support has moved out of technical preview and is now production-ready using the Transform Secret Engine.
- Key Management Secrets Engine (Enterprise): The KMS engine is now generally available with support for Azure Key Vault. Further beta support for AWS KMS has been added.
- Performance and reliability: Improvements on how Vault resources are consumed during lease revocations result in better performance. Further configurable headers have been added to control the consistency of reads after writes to secondary performance clusters and performance standby nodes. HashiCorp has added an option to configure the size of the log shipper buffer to control memory utilization when dealing with replication updates to secondary nodes.
- Database Secrets Engine (UI): Added a UI to configure database secrets engines and dynamic database credential generations for MongoDB.
Let us delve a little deeper into each of these new features and improvements.
The first feature we will look at is Integrated Storage Autopilot, when HashiCorp introduced to GA their Integrated storage in Vault with the 1.4 version it was a massive step forward in easing the complexity regarding highly resilient deployments of Vault. Prior to this release if you needed resilience you would also have needed to deploy a consul cluster to hold the data. However, the solution was limited and needed improvement with regards to operations experience and with the Vault 1.7 release HashiCorp has introduced Autopilot.
This feature is very similar. to Consul Autopilot, (which to be fair is expected as the storage subsystem for Vault is essentially Consul with its RAFT-based subsystem). Autopilot allows for limited automatic, operator-friendly management of the Integrated Storage. It currently includes:
- Monitoring: Perform cluster node health checks.
- Server stabilization: Prevent disruption to the raft quorum due to an unstable new node by watching the newly added node health and then deciding promotion to voter status.
- Dead server cleanup: Periodically check and automatically clean-up of failed servers.
The second and third features are especially useful in regards to stable operations and are both the opposite sides of the same coin. With server stabilization making sure that a newly deployed node cannot be elected RAFT leader until it has a verified copy of the cluster’s data, thereby preventing issues of data convergence. The dead server cleanup feature, will remove failed server from the cluster thereby removing any potential issues of data corruption of delay in data validation of the cluster on a new write.
For more information on these Integrated Storage enhancements, review the documentation and a detailed Learn Guide.
The second feature we will look at is Tokenization using Transform Secrets Engine
This service handles secure data transformation and tokenization against a user-provided input and is an enhancement to the Vault Enterprise Advanced Data Protection (ADP) module. Transform currently supports format-preserving encryption (FPE), data masking, and tokenization as data transformation types.
Tokenization has been in technical preview and has now been promoted to generally available for production workflows. When you use tokenization transformation, you create an irreversible “token” from sensitive data. This feature is useful for those that have to abide by certain regulatory compliance frameworks like PCI-DSS or GDPR regulations, or when handling personally identifiable information (PII).
For more information on Transform Secret Engine, review the documentation and a detailed Learn Guide.
Key Management Secrets Engine
This to me the Key Management Secret Engine is this releases killer feature, many cloud providers offer a Key Management Service (KMS), where encryption keys can be issued and stored, for maintaining a root of trust.
The Vault Key Management secrets engine can now provide a consistent workflow for distribution and the lifecycle management of cryptographic keys. It will allow organizations to manage the key lifecycle of keys Vault has distributed and maintain centralized control of those keys in Vault while still taking advantage of cryptographic capabilities native to the KMS providers. It is currently limited Azure Key Vault for production use and as such Vault can now be used to manage those keys in Azure Key Vault allowing the automation of life-cycle operations such as Creation, Reading, Updating and Rotating keys. Vault also has beta support of AWS KMS but as it is still at beta status is is not recommended for production use.
For more information on the Key Management Secrets Engine, review the documentation and a detailed Learn Guide.
There are a number of other new features that are not considered key that should be called out as they are:
- Automatic Barrier Key Rotation: This feature will automate the rotation of barrier keys, NIST SP800-38D states a maximum number of key uses before a key is rotated, this feature allows the number of encryptions per key to be set and then to automatically rotate the key once that number is attained.
- OpenLDAP Secrets Engine: the OpenLDAP engine has been updated to allow the creation of short-lived dynamic AD user accounts.
- Vault Agent: Vault Agent has been updated to support a persistent cache in Kubernetes environments, which streamlines the handoff of leases and tokens between an Init and Sidecar container.
- AWS Secrets: AWS Secrets has been updated so that AWS Identity and Access Management (IAM) tags can now be added to dynamic user credentials via a list of strings representing a key-value pair.
- Okta One-Time Passcode (OTP): Added ability for a one-time password to be passed in along with the Okta login command for users who are unable to accept or respond to an Okta MFA push notification.
For a full view of the features and improvements in Vault 1.7 review the change log and release notes for fuller details
Vault 1.7 is a solid release, there are enough new features and improvements to existing features to make this a candidate for upgrading an environment. for general details on how to upgrade read the HashiCorp upgrade guide. Features like autopilot will stabilize HA deployments, but the new KMS engine is the killer feature of this release. The ability to potentially manage multiple vendor KMS functions will greatly simplify enterprises Key management.