Keeping secrets under lock and key

HashiCorp Vault 1.3 adds new debugging command & more

Sarah Schlothauer

HashiCorp Vault is focused on security, secret keeping, data encryption, and identity management. It keeps all your sensitive data, including API keys, passwords, and certificates, under wraps. Version 1.3 has now been released to the public. Check out all the new updates made to HashiCorp Vault, including some beta improvements, a new debug CLI command, and two new features just for Vault Enterprise.

HashiCorp created Vault with the intention of centrally securing and controlling sensitive data, from passwords to certificates and encryption keys. HashiCorp Vault is built for dynamic infrastructure and authenticates clients against trusted identity sources to keep your secrets safe and secure.

It can encrypt sensitive data without storing it, and every secret Vault issues carries a lease; when the lease expires, the secret is revoked.

On November 14, 2019 the newest version was released to the public. HashiCorp Vault version 1.3 includes a few features for Vault Enterprise, as well as some new goodies for the free open source version.

HashiCorp Vault 1.3 changes

The announcement blog reads:

Vault 1.3 is focused on improving Vault’s ability to serve as a platform for credential management workloads for services such as Active Directory and Kubernetes and support global multi-cloud operations with high performance, compliance-regulated workloads.

From the changelog, some of the important changes this time around:

Vault Debug command

The new CLI command vault debug collects debugging data about a Vault node's health: replication status, server status, host information, available memory, server state, and so on.

Users can share the metrics with support and engineering teams.

Be aware that the archive produced by vault debug is not encrypted by the tool itself. Since it may contain sensitive information, users should treat it with caution and only transfer it over encrypted channels.

Read more about the feature in the documentation.
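Because the debug archive is written in the clear, the step a practitioner usually adds is to encrypt it on the node before it is shared. The script below is an added example, not code from the article or from HashiCorp; it assumes the vault CLI's -output, -duration, -interval and -compress flags, an openssl binary on PATH, and a passphrase supplied in the BUNDLE_PASSPHRASE environment variable (all of these are assumptions, not taken from the page).

```shell
#!/bin/sh
# Added example (not from the article or HashiCorp): collect a `vault debug`
# bundle and encrypt it before it leaves the host, since the archive itself
# is not encrypted. Assumes the vault CLI's -output/-duration/-interval/
# -compress flags, an openssl binary on PATH, and a passphrase in the
# BUNDLE_PASSPHRASE environment variable (all assumptions).
set -eu

# Run vault debug against the node at VAULT_ADDR and write a compressed
# archive to the path given as $1 (assumed to end in .tar.gz).
collect_debug_bundle() {
  vault debug -output="$1" -duration=1m -interval=15s -compress=true
}

# Encrypt $1 to $1.enc with AES-256-CBC and a PBKDF2-derived key. The
# passphrase is read from the environment so it never appears in argv or
# shell history; the output path is printed so callers can pick it up.
encrypt_bundle() {
  [ -n "${BUNDLE_PASSPHRASE:-}" ] || { echo "BUNDLE_PASSPHRASE is not set" >&2; return 1; }
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$1.enc" -pass env:BUNDLE_PASSPHRASE
  printf '%s\n' "$1.enc"
}

# Reverse of encrypt_bundle: decrypt the .enc file $1 to the path in $2.
# This is what the support engineer runs after receiving the archive.
decrypt_bundle() {
  [ -n "${BUNDLE_PASSPHRASE:-}" ] || { echo "BUNDLE_PASSPHRASE is not set" >&2; return 1; }
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass env:BUNDLE_PASSPHRASE
}

# Only collect when a vault CLI, a target address and a passphrase are all
# present, so the script is harmless to run on a machine without Vault.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ] && [ -n "${BUNDLE_PASSPHRASE:-}" ]; then
  bundle="vault-debug-$(date +%Y%m%dT%H%M%S).tar.gz"
  collect_debug_bundle "$bundle"
  encrypt_bundle "$bundle"
  rm -f "$bundle"   # keep only the encrypted copy on disk
fi
```

The passphrase still has to reach the receiving team over a channel separate from the archive itself; the encryption only removes the need to trust the file-transfer path. Deleting the plaintext bundle immediately after encryption keeps the node's own disk from holding a clear copy longer than necessary.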


Integrated storage beta improvements

Vault 1.3 introduces several beta improvements to its integrated storage. They include:

  • Non-voter nodes
  • Secure recovery mode for emergencies
  • UI improvements for integrated storage and snapshot management
  • Backend improvements for better stability

Since integrated storage is still in beta, it should not be used for production workloads.

Enterprise additions

Customers of the enterprise version receive two new features.


  • Entropy Augmentation: This lets Vault draw on an external entropy source. From the release blog: “Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module.” This feature is disabled by default.
  • Filtered Path Replication: This feature builds on Filter Mount Replication, which was added in Vault 0.8. Replication filters can now be specified by path, so namespaces can be filtered as well as mounts.

View the full list of all changes and fixes in the GitHub changelog.

How secure is Vault?

What about “quantum threats”?

Fear not, Vault has been keeping up. A blog post by Andy Manoske delves deep into how Vault will protect against quantum computers, which continue to mature and become more of a potential security issue.

Quantum mechanics is no longer reserved for your physics classroom or thought experiments. Quantum computers can run known quantum algorithms that speed up attacks on today's cryptography. Efforts against these threats include lattice-based cryptography and ring learning with errors key exchange, which aim to be resistant to quantum computers and provide post-quantum security. (Not to mention the papers have amazing titles, such as Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE.)

Meanwhile, HashiCorp Vault has been tracking the situation. According to Manoske:

Vault’s mission is to secure any kind of information for any kind of infrastructure. As quantum computing becomes part of the infrastructure stack, and quantum threats become part of one’s threat model, we stand ready to adopt new technology in support of our ongoing mission.


Sarah Schlothauer is the editor for She received her Bachelor's degree from Monmouth University, West Long Branch, New Jersey. She currently lives in Frankfurt, Germany with her husband and cat where she enjoys reading, writing, and medieval reenactment. She is also the editor for Conditio Humana, an online magazine about ethics, AI, and technology.
