HashiCorp Vault 1.2 adds identity tokens & feature preview
The latest version of HashiCorp Vault has arrived! This update includes support for new architectures, new features, and enhancements. The latest features include Identity Tokens, an extended database secret engine, Integrated Storage, and a KMIP server Secret Engine for the Enterprise edition. Check out the changes and how to upgrade to the latest release.
HashiCorp Vault was created to secure and control access to sensitive data such as tokens, passwords, certificates, and encryption keys. It is designed for dynamic infrastructure and authenticates clients against trusted identity sources before handing out secrets, keeping them safe and secure.
The latest version, HashiCorp Vault 1.2.0, arrived on July 30, 2019. This release focuses on support for new architectures and includes a few new features, security enhancements, general improvements, and bug fixes.
Refer to the changelog for a full list of changes. Let’s explore some of the update highlights.
HashiCorp Vault 1.2.0 highlights
The highlights of this release include:
Tech preview: Integrated Storage
Integrated Storage is a new tech preview and should not be used for production workloads; a production-ready version is planned for the Enterprise edition in a future release. It lets administrators configure a storage option built into Vault itself for persisting data at rest.
Instead of relying on an external storage backend, the internal option keeps everything inside Vault, with no outside tools required.
Identity Tokens
According to the changelog, “Vault’s Identity system can now generate OIDC-compliant ID tokens”.
The tokens are customizable, and each one captures a snapshot of the requesting entity's identity information and metadata at the time it is issued.
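As an added illustration (not code from this post or from HashiCorp), here is what a relying party should do with such a token before trusting it, written in Go with only the standard library. It assumes the JWKS shape Vault publishes at identity/oidc/.well-known/keys (kty, kid, n and e per key) and RS256 signing; the issuer URL, kid, entity and client id are constructed placeholders, and mintToken stands in for Vault's identity/oidc/token/<role> endpoint so that the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is one RSA key as a JWKS endpoint publishes it (Vault: identity/oidc/.well-known/keys); assumed field set.
type jwk struct{ Kty, Kid, N, E string }
// claims checked by this relying party; Vault's tokens also carry sub, iat, namespace and metadata, ignored here.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// mintToken stands in for the issuer (Vault's identity/oidc/token/<role>) so the example runs offline.
func mintToken(key *rsa.PrivateKey, kid string, c claims) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // cannot fail for a fresh 2048-bit key
	return input + "." + b64.EncodeToString(sig)
}

// verifyIDToken is the relying party's side: pin the algorithm, select the key by kid from the
// JWKS (never from the token), verify the signature, and only then trust the claims.
func verifyIDToken(token string, keys []jwk, issuer, audience string, now time.Time) (*claims, error) {
	parts, header := strings.Split(token, "."), struct{ Alg, Kid string }{}
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &header) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if header.Alg != "RS256" { // rejects "none", HS256 and anything else the header may claim
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == header.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, fmt.Errorf("no RSA key with kid %q, or undecodable signature", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("audience %q is not this service", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// demo runs both sides offline; issuer URL, kid and client id are constructed values, not real Vault data.
func demo() (map[string]bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	const kid, iss, aud = "example-kid-1", "https://vault.example.com:8200/v1/identity/oidc", "my-app"
	keys := []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}
	now := time.Date(2019, 7, 30, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	tok := mintToken(key, kid, claims{Iss: iss, Aud: aud, Exp: now.Add(time.Hour).Unix()})
	p := strings.Split(tok, ".")
	passes := func(t, a string, at time.Time) bool { _, err := verifyIDToken(t, keys, iss, a, at); return err == nil }
	return map[string]bool{
		"valid":          passes(tok, aud, now),
		"bad_signature":  passes(p[0]+"."+p[1]+"."+b64.EncodeToString(make([]byte, 256)), aud, now),
		"alg_none":       passes(b64.EncodeToString([]byte(`{"alg":"none"}`))+"."+p[1]+".", aud, now),
		"wrong_audience": passes(tok, "other-app", now),
		"expired":        passes(tok, aud, now.Add(2*time.Hour)),
	}, nil
}

func main() { fmt.Println(demo()) }
```

Only the valid token passes; the forged signature, the alg "none" header, the token minted for another audience and the expired token are all refused. In a real deployment the key set comes from the JWKS endpoint over TLS and is cached by kid, the issuer string is the one Vault advertises, and the audience is the client_id of the role the token was issued for.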
Enterprise feature: KMIP server Secrets Engine
(This feature is only in the Enterprise version.) The newly added KMIP secrets engine lets Vault act as a KMIP server and manage KMIP managed objects, such as encryption keys, on behalf of KMIP clients. From the documentation:
Vault’s KMIP secrets engine manages its own listener to service KMIP requests which operate on KMIP managed objects. Vault policies do not come into play during these KMIP requests. The KMIP secrets engine determines the set of KMIP operations the clients are allowed to perform based on the roles that are applied to the TLS client certificate.
This lets existing systems keep using the KMIP API rather than Vault's own APIs. Note that what a KMIP client may do is governed by the role bound to its TLS client certificate, not by Vault policies, so those roles are where access is scoped.
Check out the KMIP secrets engine guide. Prerequisites include Vault Enterprise Modules v1.2 or later, the Advanced Data Protection Module license, and a KMIP client system, such as MongoDB Enterprise Advanced or MySQL Enterprise.
Other improvements added with version 1.2.0:
- Extended database secrets engine: manage and rotate credentials for pre-existing users, and generate temporary credentials.
- Embedded API Explorer
- New UI features: an HTTP Request Volume page and a fresh interface for editing LDAP users and groups.
- Removed jQuery: a smaller initial JavaScript payload.
- Improved LIST performance
- Elasticsearch database plugin
- Pivotal Cloud Foundry plugin
- Client timeout cancellation: Cassandra operations are cancelled when the client times out.
- HA support for PostgreSQL (versions 9.5 and later)
- Various bug fixes
Upgrading & getting started
New users can explore the Web UI demo and get a taste of what it looks like.
The open source version of Vault is available on GitHub, and information about what the Enterprise version includes is available on HashiCorp's website.
Follow the documentation for instructions on upgrading to version 1.2.0. Before upgrading, take note of the breaking changes, known issues, and deprecations in this version.