Security improvements and the latest features

HashiCorp Vault 1.2 adds identity tokens & feature preview

Sarah Schlothauer

The latest version of HashiCorp Vault has arrived! This update includes support for new architectures, new features, and enhancements. The latest features include Identity Tokens, an extended database secret engine, Integrated Storage, and a KMIP server Secret Engine for the Enterprise edition. Check out the changes and how to upgrade to the latest release.

HashiCorp Vault was created in order to secure and control access to sensitive data, including tokens, passwords, certificates, and encryption keys. It uses a dynamic infrastructure and authenticates against trusted sources to keep your secrets safe and secure.

The latest version, HashiCorp Vault version 1.2.0 arrived on July 30, 2019. This version focuses on support for new architectures and includes a few new features, security enhancements, general improvements, and bug fixes.

Refer to the changelog for a full list of changes. Let’s explore some of the update highlights.

HashiCorp Vault 1.2.0 highlights

The highlights of this release include:

Integrated Storage

This is a new tech preview and should not be used in production workloads. This feature will arrive in the Enterprise version ready for production-grade usage in a future update. Integrated Storage allows admins to configure an internal storage option for storing persistent data at rest.

Instead of using an external storage backend, an internal option keeps everything inside Vault itself. No outside tools are required.

Identity tokens

According to the changelog, “Vault’s Identity system can now generate OIDC-compliant ID tokens”.

Tokens are customizable and capture a snapshot including identity information and metadata.

More information about this new feature, its parameters, and some samples are available here.
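As an added example (not code from the article or from Vault itself), here is what a relying party does with one of these ID tokens: it looks up the signing key named by the token's kid in the JWKS that Vault publishes at <issuer>/.well-known/keys, checks the RS256 signature, and then checks the iss, aud and exp claims. Only the endpoint layout (issuer under /v1/identity/oidc) is Vault's; the issuer URL, key id, RSA key pair and claims are constructed inline so the example runs offline.

```python
import base64, hashlib, json, random

ISSUER = "https://vault.example:8200/v1/identity/oidc"  # constructed; Vault serves JWKS at <issuer>/.well-known/keys
KID = "vault-demo-key"                                  # constructed key id (Vault uses a UUID per named key)
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256 (RFC 8017)
b64u = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
b64u_dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _prime(bits):  # Miller-Rabin search; demo key material only
    while True:
        n = random.getrandbits(bits) | 1 << bits - 1 | 1
        if n % 65537 == 1: continue          # keep e coprime to n-1
        d, r = n - 1, 0
        while d % 2 == 0: d, r = d // 2, r + 1
        for _ in range(16):
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1): continue
            for _ in range(r - 1):
                x = x * x % n
                if x == n - 1: break
            else: break                      # composite: try the next candidate
        else: return n

# Constructed RSA key pair standing in for Vault's named signing key (1024-bit, demo size).
_p, _q = _prime(512), _prime(512)
N, E, K = _p * _q, 65537, 128
D = pow(E, -1, (_p - 1) * (_q - 1))
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": KID,
                  "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def _emsa(msg, k):  # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_rs256(claims):  # stands in for Vault issuing a token at identity/oidc/token/<role>
    si = b64u(json.dumps({"alg": "RS256", "kid": KID}).encode()) + "." + b64u(json.dumps(claims).encode())
    return si + "." + b64u(pow(_emsa(si.encode(), K), D, N).to_bytes(K, "big"))

def verify_id_token(token, jwks, audience, now):  # relying-party check; raises ValueError on any failure
    h, c, s = token.split(".")
    hdr = json.loads(b64u_dec(h))
    key = next((j for j in jwks["keys"] if j.get("kid") == hdr.get("kid")), None)
    if hdr.get("alg") != "RS256" or key is None: raise ValueError("unsupported alg or unknown kid")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    if pow(int.from_bytes(b64u_dec(s), "big"), e, n) != _emsa(f"{h}.{c}".encode(), (n.bit_length() + 7) // 8):
        raise ValueError("bad signature")    # signature checked before any claim is trusted
    claims = json.loads(b64u_dec(c))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer or audience, or token expired")
    return claims
```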

Enterprise feature: KMIP server Secrets Engine

(This feature is only in the Enterprise version.) The newly added KMIP Secret Engine manages encryption workloads. From the documentation:

Vault’s KMIP secrets engine manages its own listener to service KMIP requests which operate on KMIP managed objects. Vault policies do not come into play during these KMIP requests. The KMIP secrets engine determines the set of KMIP operations the clients are allowed to perform based on the roles that are applied to the TLS client certificate.

This enables the existing systems to continue using the KMIP APIs instead of Vault APIs.

Figure: KMIP Secrets engine.

Check out the KMIP secrets engine guide. Prerequisites include Vault Enterprise Modules v1.2 or later, the Advanced Data Protection Module license, and a KMIP client system. This can include MongoDB Enterprise Advanced or MySQL Enterprise.

Additional improvements

Other improvements added with version 1.2.0:


  • Extended database secrets engine: Manage and rotate credentials for preexisting users and generate temporary credentials.
  • Embedded API Explorer
  • New UI features: HTTP Request Volume Page and a fresh new interface for editing LDAP Users and Groups.
  • Removed jQuery: Makes smaller initial JS payload.
  • Improved LIST performance
  • ElasticSearch database plugin
  • Pivotal Cloud Foundry plugin
  • Client timeout cancellation: Cassandra operations cancel on client timeout.
  • HA support for Postgres: PostgreSQL versions >= 9.5
  • Optional namespace parameter
  • Various bug fixes

Upgrading & getting started

New users can explore the Web UI demo and get a taste of what it looks like.

The open source version of Vault is available on GitHub. Information about what the enterprise version includes is available on their website.


Follow the documentation for instructions on upgrading to version 1.2.0. Before upgrading, take note of the breaking changes, known issues, and deprecations in this version.

Sarah Schlothauer is the editor for She received her Bachelor's degree from Monmouth University, West Long Branch, New Jersey. She currently lives in Frankfurt, Germany with her husband and cat where she enjoys reading, writing, and medieval reenactment. She is also the editor for Conditio Humana, an online magazine about ethics, AI, and technology.